Executives run businesses based on risk versus reward, right? To get action, we need to convey the dollars at stake and the likelihood there will be a loss. You’ll often see this as Single Loss Expectancy (SLE) and Annualized Rate of Occurrence (ARO).
The difficulty I run into is that there is not much hard data on the likelihood of an attack and the typical cost. We can guess, but then the figure ends up being skewed and the rationale does not stand up to scrutiny by senior management. I am hopeful that the recent disclosure laws change this by providing solid statistical information.