# Calculating financial loss from IT security risk

## Calculating IT Security Risk.

A large part of IT Security is risk mitigation. That is assessing the risks to your business and either implementing a control to reduce the risk impact or accepting the financial loss of the risk to the business. Sometimes the financial impact of the risk and the likelihood of the risk even occurring will be lower than the cost of putting in a control.

There are a few calculations we can make to determine the cost of risk.

Firstly a few terms for the calculations.

AV = Asset Value

EF = Exposure Factor which is measured as a percentage of loss to a specific asset. The exposure factor is subjective to the person assessing the risk to that asset.

SLE = Single Loss Expectancy (the cost of a single occurrence of loss)

The Calculation for Single loss expectancy is AV * EF = SLE

Some examples:

1st example

The Asset is your company HQ and the Asset Value is $100,000 so the AV in this situation is

$100,000

The risk is a flood, and the risk exposure is likely to be about 40% of the building will be affected. So the Exposure Factor is 0.40.

The Single loss expectancy is calculated as

AV ($100,000) * EF (0.40) = SLE ($40,000)

The single loss expectancy from the potential flood risk is $40,000

2^{nd} example

The asset is your backup server containing all your company data on your network in the data center the Asset Value is $150,000

The risk is backups failing to back up a week of company data, and the risk exposure is approximately 15% so the exposure factor is 0.15

The single loss expectancy is calculated as

AV ($150,000) * EF (0.15) = SLE ($22,500)

These are the calculations to calculate one incident of loss. However there are more calculations if you want to figure out how much the annualized loss expectancy would be. This is calculated as SLE * ARO where ARO is annualized rate of occurrence or how many times do you expect the risk to affect your asset.

So ARO can be expressed in two parts firstly as an amount of times per year, or secondly how many times in 5 years or 10 years or X amount of years decided by the risk assessor. For example. The flood risk could occur in spring and winter so that is 2 times a year or an ARO of 2. The risk that we miss backing up data might only occur once every 5 years so that would be an ARO of 0.2.

So to determine ALE (Annualized loss expectancy) we multiple SLE by ARO.

For example with the flood risk:

SLE is $40,000 and ARO is 2 so the ALE is $80,000

For the data backup risk:

SLE is $22,500 and the ARO is 0.2 so the ALE is $4500

So now that you know the Annualized Loss Expectancy you can decide if a control is worth implementing for your business.

A control for the backup risk might be changing the backup schedule from backing up data incrementally each day to backing up using the differential method each day. This control would mean instead of losing a week of data you may only lose one day of data, the cost for the control could be the time to change the schedule and perhaps the increased cost of storage for changing the backup method. The control in this situation might cost $4000.

So cost of control is $4000 and your Annualized loss is $4500 therefore it is worth implementing the control.

A control for the flood protection might be relocating your building to a higher elevation, the cost might be around $200,000. So control cost $200,000 and your annualized loss expectancy is $80,000 therefore the control is not worth putting in place and you would be accepting the financial loss for the risk.

Another risk mitigation method is called risk transference where you could implement insurance to mitigate loss, therefore transferring the risk to another company.