Annualized Loss Expectancy and Calculating the ROI
[no_toc]
Despite the rise of global hacking, only a small percentage of businesses are actually prepared for an attack. According to reporting from Forbes, nearly 30,000 websites are infected with some type of malware every single day. And small businesses are especially susceptible. According to a Duke University/CFO Magazine Global Business Outlook Survey, companies with fewer than 1,000 employees were the most vulnerable, with 85% of those polled saying their information systems had been hacked.
You might be worried about the financial fallout after an attack, but there are other factors to consider. After all, the catastrophic effects on your company can reach far beyond finances and customer loss. Cyber threats now affect Moody’s ratings, not to mention stock option drops for publicly-traded companies. A loss of reputation and costs like public relations campaigns and communication rollouts are also factors in a cybersecurity breach.
However, there’s a difference between knowing that your business should be covered, and knowing how much to spend on cybersecurity. And aside from budget concerns, many companies are also faced with justifying an increase in cybersecurity costs to their executive team and board members. But there actually is a way to calculate the ROI of cybersecurity and the annual loss expectancy from hacks that can help put you on the right path. Here’s how to do it.
Determine How Many Incidents Actually Led to a Data Breach
It’s easy to get caught up in the fear of an attack, but not every incident will lead to a costly data breach. Sit down with your CSO or security team to determine how many incidents actually resulted in a data breach.
Malicious incidents could include phishing scams, where a hacker tries to steal your information after posing as a legitimate business or your commercial bank, suspicious activity on your server or a report from customers that they’re receiving spam from your email address.
Look at the Percentage of Threats That Are Major Incidents
Once you identify which incidents led to a data breach, take a look at which ones were major incidents that had a financial impact on your business. Not all hacks will result in an expensive data breach requiring a full PR response and financial settlements to customers. Instead, you might discover that a hacker attempted to shut down your systems, but your security team was able to combat the activity.
But calculating the threat percentage is an important part of the annualized loss expectancy. In order to figure out the ROI of your cybersecurity, calculate the percentage of threats that turned into major incidents.
Calculate the Percentage of Threats That Are Minor Incidents
Your major hacks are obviously going to be the most costly, but they don’t tell the whole story. You may not have experienced a major data breach, but a collection of small incidents can still result in ongoing financial damages and a tarnished reputation.
Take inventory of your minor incidents and keep a tally of how much these hacks cost. The good news is that you may have a handful of incidents that just total a few hundred dollars in ransomware demands or other issues. However, you may discover that a few hundred or a few thousand dollars here and there totaled more than one of your major incidents.
Figure Out the Average Cost of an Incident
Once you have a clear idea of how many incidents your business has suffered and the overall damage, remember to calculate the entire cost of the incident. Those costs go beyond repair to your systems and IT services. At the end of the day, your actual breach may not have been that expensive to resolve, but you may have spent a small fortune on a public relations rollout to address public and customer concerns. Your costs could have also included hiring a new security person to oversee the resolution to the breach, or the costs associated with a loss in productivity.
Calculate the Annual Loss Expectancy
After you have some numbers pulled together to see how cybersecurity and data breaches are impacting your company, you will have the big picture behind your annual loss expectancy. Use those numbers to make sure you’re hitting an accurate ROI assessment for your cybersecurity.
CSO recommends using a straightforward formula to calculate an ALE (Annual Loss Expectancy): an expected [approximate] financial loss caused by particular risks and threats (if not properly mitigated). Here’s what the equation they recommend looks like:
ALE = (Number of Incidents per Year) X (Potential Loss per Incident)
Working through the equation should be relatively straightforward. However, there are a few other factors to take into account, like rising costs.
Consider the Rising Costs
The annualized loss expectancy can change as data breaches and hacking incidents rise. A loss of productivity and the costs of new cybersecurity protection tools will likely continue to rise as incidents increase. Google reported an increase in the number of hacked sites by approximately 32% in 2016 compared to the previous year. They also reported that hackers are getting more aggressive and continue to capitalize on infecting more sites. Those figures are likely to continue going up and will require ongoing adjustments to your ROI calculations. In other words, don’t be surprised if your figures change from year to year and require a budget adjustment.
It’s also important to remember that the costs associated with cleaning up a data breach will also rise. For example, the expenses surrounding a PR campaign and communications rollout will rise over time due to increased service costs and overall inflation. The costs for computer hardware and software, IT services and possible cyber investigations will also continue to increase.
While the annualized loss expectancy formula should give you a good idea of what to expect when calculating your ROI, you should leave room for error. This shifting number should ultimately remind you that making room in your budget for hacking prevention and ongoing maintenance is critical – and well worth it.
How do you calculate the annualized loss expectancy to calculate your ROI for cybersecurity? Let us know by leaving a comment below: