Dashboard panels: Risk Scenarios (Annual Loss Expectancy, ALE = likelihood x impact); Security Controls (selected controls to model); Risk Reduction by Control; Residual vs Reduced Annual Loss by Scenario
Data Sources & Methodology
Breach Costs
- IBM Cost of a Data Breach Report 2025 — Global avg $4.44M; US avg $10.22M; ransomware $5.08M; phishing $4.80M
- Sophos State of Ransomware 2025 — Recovery cost $1.53M excl. ransom; median ransom $1.0M
- Ponemon/DTEX Insider Risk 2025 — Malicious insider $715K per incident
- MazeBolt DDoS Report 2025 — Avg damaging DDoS ~$500K
Probabilities
- Hiscox Cyber Readiness 2025 — 59% of orgs hit by cyber attack in past 12 months
- Verizon DBIR 2025 — 44% of breaches involve ransomware; 30% involve third parties
- Cloudflare 2025 — 20.5M DDoS attacks blocked in Q1 2025
Control Effectiveness
- Microsoft Research — MFA blocks 99.22% of account compromise
- IBM 2025 — Zero Trust saves $1.5M per breach; IR plans save $1.49M; AI/SIEM cuts lifecycle by 80 days
- Ponemon/KnowBe4 — Training reduces phishing clicks 54% in 6 months, up to 86% in 1 year
- Gartner — prediction that through 2025, 99% of cloud security failures will be the customer's fault (chiefly misconfiguration), the failure class CSPM tooling is built to catch; this is a forecast of where failures originate, not a measured control-effectiveness figure, so treat any CSPM effectiveness derived from it as an assumption
Industry Modifiers
- IBM 2025 — Healthcare 1.67x ($7.42M); Financial 1.25x ($5.56M); Tech 1.08x ($4.79M); Retail ~1.10x
Methodology
- Risk model uses Annualised Loss Expectancy: ALE = ARO x SLE, where ARO is the annualised rate of occurrence (the likelihood shown on the dashboard) and SLE the single-loss expectancy (the impact)
- Multiple controls stack multiplicatively, so each additional control yields diminishing returns: residual = ALE x product over selected controls of (1 - effectiveness). This assumes the controls fail independently; controls that overlap (two that stop the same phishing step, say) are over-credited, so the combined reduction is an upper bound
- Costs and impacts scale with annual turnover using non-linear multipliers
- All figures are estimates for decision support — not actuarial precision
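The methodology above in runnable form, as an added example that is not the calculator's own code. It applies ALE = ARO x SLE, the multiplicative residual for stacked controls, and the IBM 2025 industry multipliers to figures from the Data Sources list. The per-scenario ARO values, the assignment of which control applies to which scenario, and the scenario names are assumptions made for illustration; the loss and effectiveness figures are the page's.

```python
"""Worked ALE model: ALE = ARO x SLE, stacked controls, industry modifiers.

Added example, not the dashboard's code. SLE and effectiveness figures come
from the Data Sources list; ARO values and the control-to-scenario mapping
are ASSUMPTIONS for illustration only.
"""
from dataclasses import dataclass, field
from math import prod


@dataclass
class Scenario:
    name: str
    aro: float                 # annualised rate of occurrence (expected incidents/year)
    sle: float                 # single-loss expectancy, USD, at the global average
    controls: list = field(default_factory=list)  # names of controls that apply


# IBM 2025 industry averages expressed relative to the $4.44M global average.
INDUSTRY_MULTIPLIER = {
    "global": 1.0,
    "healthcare": 7.42 / 4.44,   # ~1.67x
    "financial": 5.56 / 4.44,    # ~1.25x
    "tech": 4.79 / 4.44,         # ~1.08x
}

# Control effectiveness = fraction of the scenario's loss the control avoids.
CONTROL_EFFECTIVENESS = {
    "mfa": 0.9922,       # Microsoft: MFA blocks 99.22% of account compromise
    "training": 0.54,    # Ponemon/KnowBe4: 54% fewer phishing clicks at 6 months
}

# Constructed scenario set. ARO values are assumptions (e.g. ransomware ARO
# taken as 0.59 attacked x 0.44 share involving ransomware, rounded).
SCENARIOS = [
    Scenario("phishing", aro=0.25, sle=4.80e6, controls=["mfa", "training"]),
    Scenario("ransomware", aro=0.26, sle=5.08e6, controls=["training"]),
    Scenario("malicious insider", aro=0.10, sle=715e3, controls=[]),  # no listed control
]


def ale(aro, sle, industry="global"):
    """Annualised loss expectancy with the industry modifier applied to SLE."""
    return aro * sle * INDUSTRY_MULTIPLIER[industry]


def residual_factor(effectivenesses):
    """Fraction of loss left after stacking controls: prod(1 - e_i).

    Assumes independent failure. Overlapping controls are over-credited, so
    the result is a lower bound on residual loss."""
    for e in effectivenesses:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"effectiveness out of range: {e}")
    return prod(1.0 - e for e in effectivenesses)


def residual_ale(scenario, selected, industry="global"):
    """Return (base ALE, residual ALE) for one scenario given selected controls."""
    effs = [CONTROL_EFFECTIVENESS[c] for c in scenario.controls if c in selected]
    base = ale(scenario.aro, scenario.sle, industry)
    return base, base * residual_factor(effs)


def portfolio(scenarios, selected, industry="global"):
    """Sum base and residual ALE across scenarios; reduction is base - residual."""
    rows = {}
    total_base = total_residual = 0.0
    for s in scenarios:
        base, res = residual_ale(s, selected, industry)
        rows[s.name] = {"base": base, "residual": res, "reduced": base - res}
        total_base += base
        total_residual += res
    return {"rows": rows, "base": total_base, "residual": total_residual,
            "reduced": total_base - total_residual}


if __name__ == "__main__":
    result = portfolio(SCENARIOS, {"mfa", "training"}, industry="global")
    for name, r in result["rows"].items():
        print(f"{name:18s} ALE ${r['base']:>12,.0f}  residual ${r['residual']:>12,.0f}")
    print(f"total reduction ${result['reduced']:,.0f} of ${result['base']:,.0f}")
```

Selecting MFA and training together leaves the phishing scenario with a residual factor of (1 - 0.9922) x (1 - 0.54), roughly 0.36% of its base ALE, which is the diminishing-returns effect the methodology describes; the insider scenario is untouched because no listed control applies to it.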