Risks While Fishing?: A few weeks ago, I was fishing in the White Mountains. Fishing, not catching, but that was ok. I was there to escape the steadily building heat of a Sierra Vista June, and to receive lessons in patience and perseverance. While the former was intended, the latter was an unwelcomed bonus. Everything was going according to plan. The weather was enviable. White puffy clouds cast occasional shadows that provided mild relief for a beleaguered amateur angler, and the pine scented air had an unexpected autumn crispiness. Then my fourth and last golden Acme Kastmaster snagged on a mossy rock in the middle of the East Fork of the Black River (which was more of a creek really). I had a choice to make. Retrieve the lure and try, try again; or snap the line and accept defeat.
Assess: I was alone on the river and miles from help. What if I slipped? A good friend slipped on a rock in THIS river; after facing THIS choice. The difference was he had a family to drive him the 30 minutes or so to Springerville for his fiberglass arm charm.
Choices: We all have to make choices every day. Maybe not this exact choice, but still choices that involve risk. Without even thinking, most of us can conduct risk assessments in real-time. Risk is a function of probability, impact, and asset value. In the scenario I was facing, the probability of a fall was somewhat likely, the impact of a fall COULD have been high, and the asset was either my arm, or my life. Again, high. A quick mental calculation contrasted with ending my fishing trip early and I stepped solidly into the river. My worn leather ropers quickly filled with cool river water. I found sturdy footing and successfully rescued the remainder of my fishing excursion.
Business Risks: By now you’re asking me, “Tom, is this Field and Stream, or the Cyber Tripwire?” Stay with me. I’m getting to the point. On your business computer network, you have assets. I want you to calculate something. If you went into work today, and found that none of your computers worked, what would be the monetary loss? What if it took a week to recover? Now, I’m no Dallin Haws, so you may want to check with him first. But here is a recommendation from Dr. Eric Cole one of the leading cyber security experts in the country.
Calculating Risks: In calculating risk, two general formulas are used: SLE (single loss expectancy) and ALE (annualized loss expectancy). SLE is the starting point. With it you determine the single loss resulting from a malicious incident. The formula for SLE is:
SLE = asset value x exposure factor
While the SLE is a valuable starting point it only represents the loss for one incident. Since many organizations suffer the same loss multiple times a year, you have to include the ARO (annualized rate of occurrence) and use them both to calculate the ALE:
ALE = SLE x ARO
The ALE is what you always use to determine the cost of the risk and the TCO (total cost of ownership) and is used to calculate the cost of a solution.
Your Cybersecurity Budget: So, this leads to the question. How much should you spend on cyber security prevention, detection, deterrence, and recovery? Calculate the ALE, and spend less than that annually.
In retrospect, I probably should have cut bait on the river that day. The consequences could have been disastrous. But for your business, the consequences could be far worse if you remain in the dark regarding risk.