If you’re in charge of a network you can spend an infinite amount of money and resources in defending that network. This is simply because there are such a huge amount of threats and numerous ways of defending them. However clearly not many organisations are going to be able to write a blank cheque to defend their network and data however valuable it may be to them. There is a whole branch of specialised calculations that have been developed to assess these risks in order to try and defend against them.
An interesting calculation is the Annualised Loss Expectancy (ALE) which occurs when a threat pairing can be expected to happen more than once in a specified year. ALE is not just used as an assessment in network defense it is equally valid in models which involve shoplifting, bad debt risks and hundreds of different areas. The decision that any firm must make is “How many ALE events can we withstand as a company?”. For instance say you own a web based mail order business – downtime on your website has direct cost implications. If we consider DoS attacks (a favorite against commercial web sites) – imagine each one takes down your site for an average of two hours and you can expect this to happen three times a month? How much should you spend to defend aganst this.
Protecting against DoS is a very good example simply because there is no real limit on the amount you can spend. Here’s the formula for calculating ALE –
SLE x Annulized Rate Occurence = Annual Loss Expectancy
It’s quite simple when you look through it, simply the the SLE multiplied by the number of expected events. The total and cost obviously depend largely on the calculation of SLE. How about applying it to a different scenario – perhaps the amount of wasted time by employees surfing the web in a given day. Lets imagine 500 employees and they spend 25% of their time messing around on the web on sites like Facebook and Twitter.
$50/hr x 125 = $6250
To calculate ALE from this figure we need to determine that they waste this money every single week except when they’re on holiday (lets give them only two weeks off the slackers!)
$6250 x $50 = $312,500
Which is a serious amount of money wasted. You could spend a small proportion of this amount in tightening up your internet gateway, make sure you put in restrictions and web filtering to block against the basic ninja surfing techniques and basically you’d be clawing back money lost pretty quickly.