A method of determining whether a set of proposed security measures is cost effective.
For each threat that will be affected by the new security measures, the likelihood (annualized rate of occurrence) and severity (single loss expectancy) figures are calculated. The latter includes not only direct costs, but also any indirect costs such as loss of custom, loss of goodwill, political embarrassment, etc.
For each threat, we can then calculate:
annualized loss expectancy = annualized rate of occurrence * single loss expectancy
The estimates are then repeated assuming the proposed security measures are implemented.
The costs of the proposed security measures are then calculated, including setup fees (hardware, software, training, consulting fees, etc.) as well as on-going annual costs, and added to this latter figure. This set of costs can be viewed as additional losses incurred if the security measures are implemented.
The difference in cost between the two scenarios can then be compared using the preferred accounting method (e.g. Internal Rate of Return) to determine if the investment in security measures is worthwhile.
Because of the uncertainty in the estimates used, a Monte Carlo method may be used to test the sensitivity of the assumptions. Minimum, expected, and maximum losses and likelihoods are used instead of a single estimate, and the result is then a graph of probable outcomes rather than a single figure.
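The calculation described above, carried through end to end as an added example (not a spreadsheet or code from the page or from the NSW Government site): ALE per threat before and after the measures, the annual difference between the two scenarios, the Internal Rate of Return of the investment, and a Monte Carlo sensitivity run that draws likelihood and severity from min/expected/max (triangular) ranges instead of single figures. All threat names, ARO/SLE values and costs are constructed sample figures, and the undiscounted net benefit over the horizon is the assumed Monte Carlo outcome measure.

```python
"""Return on Security Investment (ROSI) worked example.
All figures are constructed sample values, not data from the page."""
import random


def annualized_loss_expectancy(aro, sle):
    """ALE = annualized rate of occurrence * single loss expectancy."""
    return aro * sle


def total_ale(threats):
    """Sum the ALE over a dict of threat name -> (ARO, SLE)."""
    return sum(annualized_loss_expectancy(aro, sle) for aro, sle in threats.values())


def annual_saving(before, after, annual_cost):
    """Per-year difference between the two scenarios: loss avoided minus the
    on-going cost of running the measures (treated as an additional loss)."""
    return total_ale(before) - (total_ale(after) + annual_cost)


def investment_cash_flows(before, after, setup_cost, annual_cost, years):
    """Year 0: setup cost paid out; years 1..N: the annual saving."""
    return [-setup_cost] + [annual_saving(before, after, annual_cost)] * years


def npv(rate, cash_flows):
    """Net present value of cash flows indexed from year 0."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows, low=-0.99, high=10.0, tol=1e-6):
    """Internal rate of return by bisection: the discount rate at which NPV is
    zero. Assumes one sign change in the flows (outlay first, then savings)."""
    if npv(low, cash_flows) * npv(high, cash_flows) > 0:
        raise ValueError("no IRR inside the bracket")
    while high - low > tol:
        mid = (low + high) / 2
        if npv(mid, cash_flows) > 0:   # NPV falls as the rate rises
            low = mid
        else:
            high = mid
    return (low + high) / 2


def monte_carlo(before_ranges, after_ranges, setup_cost, annual_cost, years,
                trials=5000, seed=0):
    """Sensitivity run. Each range is threat -> ((aro_min, aro_exp, aro_max),
    (sle_min, sle_exp, sle_max)); ARO and SLE are drawn from triangular
    distributions and the undiscounted net benefit over the horizon is kept."""
    rng = random.Random(seed)

    def draw(ranges):
        return {name: (rng.triangular(a[0], a[2], a[1]),   # (low, high, mode)
                       rng.triangular(s[0], s[2], s[1]))
                for name, (a, s) in ranges.items()}

    outcomes = sorted(
        years * annual_saving(draw(before_ranges), draw(after_ranges), annual_cost)
        - setup_cost
        for _ in range(trials))

    def pct(p):
        return outcomes[min(len(outcomes) - 1, int(p * len(outcomes)))]

    return {"p05": pct(0.05), "p50": pct(0.50), "p95": pct(0.95),
            "prob_positive": sum(o > 0 for o in outcomes) / len(outcomes)}


# Constructed point estimates: threat -> (ARO per year, SLE in currency units)
BEFORE = {"phishing": (4.0, 25_000), "ransomware": (0.5, 200_000)}
AFTER = {"phishing": (1.0, 25_000), "ransomware": (0.1, 50_000)}
SETUP_COST, ANNUAL_COST, YEARS = 80_000, 40_000, 3

# Constructed (min, expected, max) ranges for the sensitivity run
BEFORE_RANGES = {"phishing": ((2, 4, 8), (10_000, 25_000, 60_000)),
                 "ransomware": ((0.2, 0.5, 1.0), (100_000, 200_000, 500_000))}
AFTER_RANGES = {"phishing": ((0.5, 1, 2), (10_000, 25_000, 60_000)),
                "ransomware": ((0.02, 0.1, 0.3), (20_000, 50_000, 150_000))}

if __name__ == "__main__":
    flows = investment_cash_flows(BEFORE, AFTER, SETUP_COST, ANNUAL_COST, YEARS)
    print("ALE before:", total_ale(BEFORE), "ALE after:", total_ale(AFTER))
    print("cash flows:", flows, "IRR: %.1f%%" % (100 * irr(flows)))
    print("Monte Carlo:", monte_carlo(BEFORE_RANGES, AFTER_RANGES,
                                      SETUP_COST, ANNUAL_COST, YEARS))
```

The point estimates give a single IRR; the Monte Carlo result is the spread (5th/50th/95th percentile and the probability that the investment ends up ahead), which is what the sensitivity test in the text is meant to expose when the inputs are uncertain.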
More information on Return on Security Investment (ROSI), including a spreadsheet with a worked example, can be found on the Government of New South Wales' website.
Note that on the government website ALE refers to an Avoidable Loss Expectancy rather than Annualized Loss Expectancy.