Intranet Journal
The online resource for intranet professionals
Doing the Math
Let's calculate a sample SLE and see how we turn these concepts into money. If the value of, say, an ERP database is $100,000, and a hacker breaks into the system and destroys 80% of it, the value has been reduced by $80,000. In this particular example, the SLE would be $80,000, calculated as follows:
$80,000 = $100,000 - $20,000
To calculate the Annual Loss Expectancy (ALE) of an organization, you calculate the individual component SLE values and multiply them by P(L). Since LAFE and SAFE are more precise ways of using P(L) values, you typically multiply SLE values by LAFE or SAFE. To summarize:
ALE = P(L) x SLE
LAFE and SAFE are types of probability values, so the following equations are true:
ALE = SAFE x SLE
ALE = LAFE x SLE
Annualized Rates of Occurrence
In the risk analysis industry, LAFE and SAFE are often referred to as Annualized Rates of Occurrence (AROs). In calculating risk exposure, some experts use other types of AROs, but almost all the leading risk analysis tools use LAFE or SAFE. LAFE and SAFE are typically represented as decimal values and are rational numbers. A rational number is a number that can be expressed equivalently as a fraction. Typically SAFE values are determined, and then normalized to produce LAFE values.
A threat that occurs once every 10 years would have a SAFE value of .1, since 1/10 = .1.
Common SAFE values are listed in the table below:
| SAFE Value | Frequency of Occurrence |
|---|---|
| .01 | Once every 100 years |
| .02 | Once every 50 years |
| .1 | Once every 10 years |
| .2 | Once every 5 years |
| .5 | Once every 2 years |
| 1 | Once a year |
| 10 | 10 times a year |
| 20 | 20 times a year |
Table 1. Threat Frequency Values
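The following added example (not part of the original article) applies ALE = SAFE x SLE to a small constructed risk register, using SAFE values from Table 1 and the ERP database figures above. The function names, the two extra register entries, and the step of summing per-threat ALE values into an organizational total are assumptions made for illustration.

```python
from fractions import Fraction

def sle(asset_value, fraction_destroyed):
    """Single Loss Expectancy: the value lost in one occurrence."""
    frac = Fraction(str(fraction_destroyed))  # exact, avoids float rounding
    if not 0 <= frac <= 1:
        raise ValueError("fraction_destroyed must be between 0 and 1")
    return asset_value * frac

def safe(occurrences, per_years=1):
    """SAFE as an exact rational number: occurrences per year."""
    if occurrences < 0 or per_years <= 0:
        raise ValueError("occurrences must be >= 0 and per_years > 0")
    return Fraction(occurrences, per_years)

def ale(safe_value, sle_value):
    """Annual Loss Expectancy: ALE = SAFE x SLE."""
    return safe_value * sle_value

# Constructed register: (threat, asset value in $, fraction destroyed, SAFE).
# Only the first row uses the article's figures; the others are made up.
REGISTER = [
    ("ERP database destroyed by intruder", 100_000, "0.8", safe(1, 10)),
    ("Web server defacement", 5_000, "1.0", safe(10)),
    ("Data centre flood", 250_000, "0.5", safe(1, 100)),
]

def rank(register):
    """Per-threat ALE, highest annual exposure first."""
    rows = [(name, ale(freq, sle(value, frac)))
            for name, value, frac, freq in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)

def total_ale(register):
    """Assumption: organizational ALE is the sum of per-threat ALEs."""
    return sum(value for _, value in rank(register))

if __name__ == "__main__":
    for name, value in rank(REGISTER):
        print(f"{name:40s} ALE = ${float(value):>10,.2f}")
    print(f"{'Total':40s} ALE = ${float(total_ale(REGISTER)):>10,.2f}")
```

The ranking shows why frequency matters as much as severity: the low-value but frequent event carries a larger annual exposure than the rare, high-value loss.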