Page 230 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
The single loss expectancy (SLE) is the monetary loss that is expected
each time the risk materializes. You can compute the SLE using the
following formula:
Continuing with the preceding example, if the building is worth
$500,000, the single loss expectancy would be 70 percent of
$500,000, or $350,000. You can interpret this figure to mean that a
single fire in the building would be expected to cause $350,000 worth
of damage.
The annualized loss expectancy (ALE) is the monetary loss that the
business expects to occur as a result of the risk harming the asset over
the course of a year. You already have all the data necessary to perform
this calculation. The SLE is the amount of damage you expect each
time a disaster strikes, and the ARO (from the likelihood analysis) is
the number of times you expect a disaster to occur each year. You
compute the ALE by simply multiplying those two numbers:
Returning once again to our building example, if fire experts predict
that a fire will occur in the building once every 30 years, the ARO is
~1/30, or 0.03. The ALE is then 3 percent of the $350,000 SLE, or
$10,500. You can interpret this figure to mean that the business
should expect to lose $10,500 each year due to a fire in the building.
Obviously, a fire will not occur each year—this figure represents the
average cost over the 30 years between fires. It’s not especially useful
for budgeting considerations but proves invaluable when attempting
to prioritize the assignment of BCP resources to a given risk. These
concepts were also covered in Chapter 2, “Personnel Security and Risk
Management Concepts.”
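The prioritization use described above can be sketched as a small risk register ranked by ALE. This is an added example, not material from the study guide: the fire figures are the page's, the other two risks are constructed sample data, and the names `Risk`, `aro_from_interval` and `rank_by_ale` are hypothetical. It uses exact fractions so the effect of rounding the ARO is visible.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: int            # AV in dollars
    exposure_factor: Fraction   # EF: share of AV lost per occurrence (0..1)
    aro: Fraction               # annualized rate of occurrence

    def __post_init__(self):
        if not 0 <= self.exposure_factor <= 1:
            raise ValueError(f"{self.name}: exposure factor must be between 0 and 1")

    @property
    def sle(self) -> Fraction:  # loss expected each time the risk materializes
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> Fraction:  # SLE multiplied by ARO
        return self.sle * self.aro


def aro_from_interval(years, places=None) -> Fraction:
    """ARO for an event expected once every `years` years, optionally rounded."""
    if years <= 0:
        raise ValueError("interval must be positive")
    exact = Fraction(1, years)
    if places is None:
        return exact
    return Fraction(round(exact * 10**places), 10**places)


def rank_by_ale(risks):
    """Highest annualized loss first: a candidate order for BCP attention."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)

# The fire figures are the page's; the other two risks are constructed sample data.
FIRE = Risk("Building fire", 500_000, Fraction(70, 100), aro_from_interval(30, places=2))
REGISTER = [
    FIRE,
    Risk("Data center flood (constructed)", 2_000_000, Fraction(25, 100), aro_from_interval(100)),
    Risk("Server room power failure (constructed)", 100_000, Fraction(20, 100), Fraction(2)),
]

if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.name:42} SLE ${float(r.sle):>10,.0f}  ALE ${float(r.ale):>9,.0f}")
```

With the ARO rounded to 0.03, the fire ALE is the page's $10,500; passing the unrounded 1/30 gives about $11,667, so the rounding convention should be applied consistently across all risks being compared.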
Be certain you’re familiar with the quantitative formulas
contained in this chapter and the concepts of asset value, exposure
factor, annualized rate of occurrence, single loss expectancy, and
annualized loss expectancy. Know the formulas and be able to

