CyberROI

Cybersecurity Investment Calculator

What Is Annual Loss Expectancy (ALE)?

Annual Loss Expectancy is the cornerstone of quantitative risk assessment in cybersecurity. Originally developed for insurance and financial risk, ALE provides a monetary estimate of how much an organisation can expect to lose from a specific threat each year.

The ALE Formula

ALE = Annual Rate of Occurrence (ARO) × Single Loss Expectancy (SLE)

The Annual Rate of Occurrence is the probability that a specific incident will happen in any given year. For example, if industry data suggests a 30% chance of ransomware affecting your organisation, the ARO is 0.30.

Single Loss Expectancy is the total financial impact of a single incident, including direct costs (recovery, ransom, legal fees), indirect costs (downtime, lost revenue), and long-term costs (brand damage, customer churn).

Why ALE Matters for CISOs

ALE converts abstract risk into financial language that boards understand. Instead of saying "ransomware is a high risk," a CISO can say "our estimated annual loss from ransomware is $750,000." This makes security investment discussions comparable to any other business decision.

Limitations to Acknowledge

ALE relies on probability estimates that carry inherent uncertainty. Industry averages may not reflect your specific threat landscape. Use ALE as a directional tool for prioritisation rather than a precise prediction. The value is in comparing scenarios and controls, not in the absolute numbers.
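The following worked example is added here and is not part of the original page. It applies the ALE formula to the page's ransomware figures (ARO 0.30, ALE $750,000, which imply an SLE of $2.5M) and then compares controls the way the last two sections suggest: by the annual loss each one removes, net of its running cost, checked across a range of ARO estimates so that the ranking, not the absolute number, is what drives the decision. The three controls and their cost and reduction figures are constructed assumptions, not survey or vendor data.

```python
from dataclasses import dataclass

# Page's ransomware figures: ARO 0.30 and ALE $750,000 imply SLE = $2.5M.
BASE_ARO = 0.30
BASE_SLE = 2_500_000

def ale(aro: float, sle: float) -> float:
    """Annual Loss Expectancy = ARO x SLE."""
    return aro * sle

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float  # fraction by which the control cuts incident frequency
    sle_reduction: float  # fraction by which it cuts the loss per incident

def residual_ale(aro: float, sle: float, c: Control) -> float:
    """ALE that remains once the control is in place."""
    return ale(aro * (1 - c.aro_reduction), sle * (1 - c.sle_reduction))

def net_benefit(aro: float, sle: float, c: Control) -> float:
    """Annual risk reduction the control buys, minus what it costs to run."""
    return ale(aro, sle) - residual_ale(aro, sle, c) - c.annual_cost

def rank_controls(aro, sle, controls):
    """Controls ordered from highest to lowest net benefit."""
    return sorted(controls, key=lambda c: net_benefit(aro, sle, c), reverse=True)

def ranking_is_stable(sle, controls, aro_values):
    """True if the same control ranks first for every ARO estimate tried."""
    return len({rank_controls(a, sle, controls)[0].name for a in aro_values}) == 1

# Constructed, illustrative control figures (assumption); not vendor or survey data.
CONTROLS = [
    Control("Immutable backups", 120_000, aro_reduction=0.0, sle_reduction=0.6),
    Control("EDR + MFA rollout", 200_000, aro_reduction=0.5, sle_reduction=0.2),
    Control("Awareness training", 40_000, aro_reduction=0.2, sle_reduction=0.0),
]

if __name__ == "__main__":
    print(f"Baseline ALE: ${ale(BASE_ARO, BASE_SLE):,.0f}")
    for aro in (0.10, 0.30, 0.50):
        print(f"\nARO = {aro:.2f}")
        for c in rank_controls(aro, BASE_SLE, CONTROLS):
            print(f"  {c.name:<20} net benefit ${net_benefit(aro, BASE_SLE, c):>12,.0f}")
    print("\nTop control stable across ARO range:",
          ranking_is_stable(BASE_SLE, CONTROLS, [0.10, 0.30, 0.50]))
```

With these constructed figures the backup control ranks first at every ARO tried, while the EDR + MFA rollout turns into a net loss if the true ARO is nearer 0.10 than 0.30, which is exactly the kind of sensitivity the limitations above warn about.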