Expected Loss Avoided


Expected Loss Avoided (ELA), in the context of cybersecurity, is a financial metric that quantifies the economic benefit derived from implementing a specific security control, program, or mitigating action. It represents the calculated amount of monetary damage an organization anticipates preventing over a defined period by taking that action.

Conceptual Framework

ELA moves cybersecurity evaluation beyond technical metrics to a business-focused calculation, helping to justify security investments to stakeholders by translating risk reduction into measurable monetary value. It is the reduction in anticipated risk achieved through a protective measure.

The calculation of Expected Loss Avoided compares the expected annual loss with and without the security control in place. Both figures are expressed as an Annualized Loss Expectancy (ALE), the core quantity in this model.

Calculation Breakdown

The metric is calculated by subtracting the Annualized Loss Expectancy (ALE) after the control is implemented from the ALE before the control is implemented.

The foundational formula for ALE is:

ALE = ARO x SLE

Where:

  • Single Loss Expectancy (SLE): The estimated monetary loss from a single security incident (e.g., the cost of a data breach, including recovery, fines, and reputation damage).

  • Annualized Rate of Occurrence (ARO): The estimated frequency of that incident occurring in one year (e.g., 0.1 for an event expected once every ten years, or 2 for an event expected twice a year).

The formula for Expected Loss Avoided (ELA) is:

ELA = ALE Before Control - ALE After Control

Impact of Security Controls

A security control reduces the ALE by impacting one or both of the primary components:

  1. Reducing ARO (Frequency): Controls that prevent incidents, such as a strong firewall or a vulnerability patching program, reduce the estimated Annualized Rate of Occurrence.

  2. Reducing SLE (Impact): Controls that minimize damage after an incident, such as a robust disaster recovery plan or data segmentation, reduce the Single Loss Expectancy.

Example:

If a system has an ALE of $1,000,000 without a specific backup system, and implementing that backup system lowers both the SLE (post-incident recovery cost) and the ARO (frequency of a total loss) so that the ALE After Control is $200,000, the Expected Loss Avoided is:

ELA = $1,000,000 - $200,000 = $800,000

This $800,000 is the monetary value the backup system is expected to save the organization each year. It is an expected value, not a guaranteed saving: it is only as accurate as the SLE and ARO estimates behind it, and it should be weighed against the annual cost of operating the control.
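The ALE and ELA arithmetic above, carried through as an added Python example (this is not code from the page or from ThreatNG). A control is modelled as multiplicative reductions of ARO and/or SLE, which is how the "Impact of Security Controls" section describes them. The page gives only the ALE Before ($1,000,000) and ALE After ($200,000) totals for its backup example; the SLE/ARO split, the control's annual cost and the patching scenario below are assumptions chosen so the totals match. The second function shows why the ARO revision discussed later on this page matters: ELA is linear in ARO, so raising an ARO estimate from 0.1 to 0.5 raises the ELA of a preventive control fivefold.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    """One loss scenario in the page's terms.

    sle: Single Loss Expectancy, dollars lost per incident.
    aro: Annualized Rate of Occurrence, incidents per year (0.1 = once a decade).
    """
    name: str
    sle: float
    aro: float

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = ARO x SLE."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Control:
    """A security control as multiplicative reductions of ARO and/or SLE.

    aro_factor 0.5 halves the expected frequency (a preventive control);
    sle_factor 0.4 cuts the per-incident loss to 40 percent (a recovery control).
    A factor of 1.0 leaves that component untouched.
    """
    name: str
    annual_cost: float
    aro_factor: float = 1.0
    sle_factor: float = 1.0

    def __post_init__(self) -> None:
        # A factor above 1.0 would mean the "control" makes things worse.
        for f in (self.aro_factor, self.sle_factor):
            if not 0.0 <= f <= 1.0:
                raise ValueError(f"{self.name}: factors must lie in [0, 1], got {f}")

    def apply(self, before: RiskScenario) -> RiskScenario:
        """Return the same scenario as it looks with this control in place."""
        return replace(before, sle=before.sle * self.sle_factor,
                       aro=before.aro * self.aro_factor)


def expected_loss_avoided(before: RiskScenario, control: Control) -> dict:
    """ELA = ALE Before Control - ALE After Control.

    Also returns ELA net of the control's annual running cost, which is the
    number a budget owner actually compares against alternatives.
    """
    after = control.apply(before)
    ela = before.ale() - after.ale()
    return {
        "ale_before": before.ale(),
        "ale_after": after.ale(),
        "ela": ela,
        "net_benefit": ela - control.annual_cost,
    }


def ela_by_aro_estimate(sle: float, aro_estimates: dict, control: Control) -> dict:
    """Recompute the same control's ELA under several ARO estimates.

    Because ALE is linear in ARO, an upward ARO revision driven by external
    threat intelligence scales the control's ELA by the same ratio.
    """
    return {
        label: expected_loss_avoided(RiskScenario("scenario", sle, aro), control)["ela"]
        for label, aro in aro_estimates.items()
    }


# Constructed inputs (assumptions, not figures from the page): SLE/ARO chosen
# so that ALE Before = $1,000,000 and ALE After = $200,000 as in the text.
TOTAL_LOSS = RiskScenario("total loss of primary system", sle=2_000_000, aro=0.5)
BACKUP = Control("offsite backup with tested restores", annual_cost=150_000,
                 aro_factor=0.5,   # fewer incidents escalate to a total loss
                 sle_factor=0.4)   # recovery cost drops when restores work

# Constructed: a patching programme whose value depends on the ARO estimate.
PATCHING = Control("patch programme for exposed server", annual_cost=40_000,
                   aro_factor=0.2)
ARO_ESTIMATES = {"internal estimate": 0.1, "revised from external intel": 0.5}

if __name__ == "__main__":
    result = expected_loss_avoided(TOTAL_LOSS, BACKUP)
    for key, value in result.items():
        print(f"{key:>12}: ${value:,.0f}")
    for label, ela in ela_by_aro_estimate(500_000, ARO_ESTIMATES, PATCHING).items():
        print(f"{label:>28}: ELA ${ela:,.0f}")
```

Running the script reproduces the page's $800,000 ELA and shows that, with an assumed $150,000 annual cost, the backup system still clears $650,000 net. The second loop shows the same patching control justified at $40,000 per year under the internal ARO estimate but at $200,000 per year once the ARO is revised to 0.5, which is the practical reason the ARO input deserves external evidence rather than a guess.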

ThreatNG directly contributes to the calculation and validation of Expected Loss Avoided (ELA) by providing the external, real-world data necessary to accurately assess and reduce the Annualized Rate of Occurrence (ARO) and the Single Loss Expectancy (SLE). By finding and assessing risks before they are exploited, ThreatNG quantifies the value of proactive risk mitigation.

External Discovery and Continuous Monitoring

ThreatNG's external discovery is crucial for accurately defining the initial risk state (ALE Before Control) and identifying the exposures that, if left unmanaged, would increase the ARO. The continuous monitoring component then measures the sustained effectiveness of the controls used to manage those risks, which is what supports the ALE After Control figure.

  • ThreatNG Helping Example: ThreatNG continuously discovers and monitors Shadow IT assets, such as forgotten testing portals and abandoned subdomains. The initial discovery establishes that these assets increase the ARO because they are unpatched and vulnerable to automated attacks. By forcing the organization to decommission or secure these assets, ThreatNG provides the basis for an ELA calculation: the monetary value of preventing a breach originating from those specific, high-risk assets.

External Assessment and Intelligence Repositories

These modules provide the quantitative and qualitative data needed to assign dollar values to the Single Loss Expectancy (SLE) and accurately refine the probability of occurrence (ARO).

External Assessment (Highlight and Detailed Examples)

The assessment module quantifies the exploitability and potential impact of a finding, which directly feeds into the SLE and ARO.

  1. Refining ARO via Exploitability:

    • Example: ThreatNG discovers a low-risk vulnerability on an exposed server. However, the external assessment module, leveraging its real-world visibility, confirms that the vulnerability is actively being exploited in automated attacks targeting organizations in the same industry. This external data necessitates an upward revision of the Annualized Rate of Occurrence (ARO) for that specific asset from 0.1 to 0.5, accurately reflecting a higher risk. This allows the ELA calculation to be based on realistic, external threat intelligence rather than internal assumptions.

  2. Refining SLE via Asset Criticality:

    • Example: ThreatNG discovers an exposed configuration file for a cloud environment. The assessment determines that if compromised, the attacker would gain access to a database containing 10 million customer records. The ELA model uses this number to calculate a high SLE based on expected regulatory fines (e.g., GDPR, CCPA) and breach notification costs. By forcing immediate remediation of the configuration file, ThreatNG enables the organization to claim the significant financial loss avoided associated with a massive data fine.

Intelligence Repositories

The repositories provide industry-specific threat and cost data to make the SLE more defensible.

  • Fabric Function: The intelligence fabric draws on historical attack costs and outcomes from peer organizations. For instance, if an intelligence repository contains data showing the average cost of a ransomware attack in the organization's sector is $5 million, the SLE for a potential ransomware incident can be anchored to this external benchmark.

Investigation Modules and Reporting

The investigation modules facilitate the in-depth work required to prove that a control has been effective and fully implemented, thus validating the ALE After Control. The reporting module formally communicates the resulting ELA metric to management.

Investigation Modules (Highlight and Detailed Examples)

The investigation confirms that the risk has been neutralized across the entire attack surface.

  1. Validating Control Effectiveness:

    • Example: An investigation is launched after a remediation effort to secure a large population of exposed employee credentials. The investigation module is used to scan dark web sites for six months following the remediation. Suppose the investigation confirms the complete absence of those credentials in any new breach dumps. In that case, it directly supports the argument that the security program has successfully reduced the ARO for credential compromise and confirms the realized ELA.

  2. Tracking Attack Source Elimination:

    • Example: ThreatNG identifies that an external-facing API uses an insecure authentication method, which is a high-SLE risk. After the organization implements two-factor authentication (2FA) as a control, the investigation module is used to monitor for any login attempts using the old, insecure method. If all such attempts cease, the investigation confirms that the attack vector (the high-risk weakness) has been eliminated, validating the ELA associated with implementing 2FA.

Cooperation with Complementary Solutions

ThreatNG's data ensures that the financial modeling used by other business tools is based on accurate, real-world cyber risk.

  1. Cooperation with Governance, Risk, and Compliance (GRC) Tools:

    • Example: ThreatNG's externally assessed risk scores, ARO adjustments, and quantified SLE impacts (e.g., potential fine amounts) are automatically fed into the organization’s GRC tool. The GRC tool then uses this high-fidelity data to calculate and report the official Expected Loss Avoided figures for the entire security portfolio, creating a unified, externally validated view of security's financial value.

  2. Cooperation with Financial Planning and Budgeting Software:

    • Example: ThreatNG identifies a new, pervasive phishing campaign targeting the organization’s industry and establishes a high ARO for a related breach. This critical intelligence is sent to the financial software. The finance team can then use the high ELA associated with mitigating this threat to justify an immediate, unscheduled budget increase for a new anti-phishing solution, demonstrating that the investment's return (Loss Avoided) far outweighs its cost.
