If you were to give someone the task of protecting a room that holds anywhere from $10,000 to $100,000 in cash, the yearly spend to protect that room (in basic risk management theory) should not exceed the Annualized Loss Expectancy (ALE). ALE is a simple representation that contains an extremely complex portion of applied mathematics called probability.

ALE = Impact of the event in Dollars × Probability of that event occurring on an annualized basis^{1}

Why is this complex? How hard is it to multiply a couple of numbers together?

Imagine if someone tried to explain the complex dynamics of Football to you by saying, “Well, the person that scores the most wins the game.” That’s, of course, technically correct, but it doesn’t tell you *how* you score the most points. That requires a fundamental understanding of how players and teams score points, what rules exist in the game, and what penalties might occur should someone break one of those rules.

In the example above, half of the formula is easy. If someone were to steal all the money in the room, you would simply lose the money in the room^{2}. The second part is pretty hard to determine though. What is the probability that you would lose all the money in the room?

The output of the calculation can still be valid, but the assumptions that go into the probability need to be examined carefully. Those without a degree in mathematics (or a working knowledge of advanced mathematics) should steer clear.
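An added example (not from the original post) that works the cash-room case with ranges instead of single numbers, so the assumptions are visible in the result. The $10,000 to $100,000 impact comes from the text; the frequency of one theft every 3 to 10 years and the uniform sampling are assumptions chosen for illustration.

```python
import random
import statistics


def ale(impact_dollars, annual_probability):
    """ALE = impact of the event in dollars * annualized probability."""
    return impact_dollars * annual_probability


def simulate_ale(impact_range, years_between_events, trials=20_000, seed=1):
    """Propagate uncertainty in BOTH inputs instead of multiplying two guesses.

    impact_range: (low, high) dollars in the room, from the post.
    years_between_events: (low, high) years per event; an ASSUMED range.
    Both are sampled uniformly, which is itself an assumption to defend.
    """
    rng = random.Random(seed)  # fixed seed so the shown work is reproducible
    samples = sorted(
        ale(rng.uniform(*impact_range), 1.0 / rng.uniform(*years_between_events))
        for _ in range(trials)
    )

    def percentile(p):
        return samples[min(trials - 1, int(p * trials))]

    return {
        "p05": percentile(0.05),
        "median": percentile(0.50),
        "p95": percentile(0.95),
        "mean": statistics.fmean(samples),
    }


if __name__ == "__main__":
    cash = (10_000, 100_000)   # from the post
    frequency = (3, 10)        # assumed: one theft every 3 to 10 years
    print(f"worst-case point estimate: ${ale(cash[1], 1 / frequency[0]):,.0f}")
    for name, value in simulate_ale(cash, frequency).items():
        print(f"{name:>6}: ${value:,.0f}")
```

The gap between the 5th and 95th percentiles is the part of the answer a single ALE figure hides, and it moves with every assumption named in the docstring.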

Now imagine that you take the same task, but ask them to protect an information-based asset. Now, *both* sides of the formula are in jeopardy. When dealing with cash, or a physical asset, it’s pretty easy to determine what the impact of losing that asset is. Risk managers have become quite savvy in how they approach business impact analysis scenarios when you can see and touch the asset in question. But what happens when you can’t?

Most of the impact from the loss of an informational asset cannot be determined until well after the event occurs. Litigation and liability are one reason; the other is the simple question of what that asset is worth. The value of the formula for Coke is easier to determine than the value of a database of customers and some associated data^{3}.

Assumptions that typically go into the impact would include some kind of legal or liability risk, consultant and investigator costs in a breach, downtime to the business, IT resource cost, and some version of a financial liability. Pieces of this are pretty easy to calculate based on a well-defined information asset in a confined area of your organization. Others are pretty challenging simply due to a lack of good data^{4}.

How do you battle this? It’s not easy. You must show your work, show your assumptions, back them up, and be prepared for people to tell you how wrong you are. For less critical assets, you may ignore the entire process and just use a best guess, re-evaluating on some periodic basis. For the more critical assets, don’t be ashamed to ask for help from an outside firm.

*This post originally appeared on BrandenWilliams.com.*

1. Meaning if the event probability is once every three years, you would use (1/3) here.
2. Of course, ancillary problems might pop up if it was part of a violent crime, or people were injured, but let’s just look at it this way.
3. But even still, the former is still challenging to get right.
4. Ponemon does not count as good data. You are a fool if you use this input for anything more than entertainment purposes.