Annual Loss Expectancy: putting a dollar figure on breach risk
Annual Loss Expectancy (ALE) puts a single dollar figure on breach risk by combining how bad one breach would be with how often you expect one. The formula is ALE = ARO × SLE: the Annual Rate of Occurrence (how many breaches you expect per year, expressed as a probability when it is below one) multiplied by the Single Loss Expectancy (the cost of one breach). A small business that models a $300,000 breach (SLE) and a one-in-four-years likelihood (ARO of 0.25) has an ALE of $75,000 per year — a number you can compare directly against the annual cost of security controls. This guide explains how to estimate each input, walks a worked example, and is honest about the model's limits. Compute it with the annual loss expectancy calculator.
Why annualize breach risk at all?
A breach is a single, lumpy event, but security budgets are annual. ALE bridges the two. By turning a per-incident cost into an expected yearly cost, it lets you put breach risk on the same footing as the recurring expenses it competes with — the cost of MFA, of monitoring, of an incident-response retainer. Without annualization you are comparing a one-off catastrophe against a yearly line item, which makes rational budgeting almost impossible. ALE is the standard way risk practitioners square that circle, and it is one of the core quantitative techniques described in NIST SP 800-30.
The formula and its three terms
Single Loss Expectancy (SLE) is the cost of one occurrence of the loss event. Classically it is the value of the asset at risk multiplied by an exposure factor — the fraction of that value destroyed by a single incident. For data breaches there is a shortcut: a modeled breach cost already is the SLE, because it estimates the full cost of one breach directly. So the cleanest way to set SLE for breach risk is to take the output of the data breach cost estimator for your profile.
Annual Rate of Occurrence (ARO) is how many times per year you expect the event. When the event happens less than once a year — as breaches usually do — the ARO is a probability below one. A breach you expect once every five years is an ARO of 0.2; once every four years, 0.25. The breach probability calculator gives sector-based starting points derived from Verizon DBIR incidence.
Annual Loss Expectancy (ALE) is simply the product: the per-incident cost spread across the years you expect to wait between incidents.
How to compute it, step by step
The procedure is short, and each step maps to a number you can defend.
- Estimate the SLE. Model a realistic breach for your business — records, data type, industry, size — and take the expected cost. Say it comes out at $300,000.
- Estimate the ARO. Start from your sector's annual breach probability and adjust for your posture. Suppose your sector's indicative rate is around one-in-four, an ARO of 0.25.
- Multiply. ALE = 0.25 × $300,000 = $75,000 per year.
- Compare against controls. A control costing less than the ALE reduction it buys is worth considering.
- Stress-test. Re-run with higher and lower ARO and SLE and report a range.
A worked example
Consider a small professional-services firm holding around 15,000 client records of personal data. Its modeled breach cost — the SLE — is roughly $300,000. Its sector's indicative annual breach probability is about 25%, so the ARO is 0.25. The ALE is 0.25 × $300,000 = $75,000 per year.
Now suppose the firm is weighing two controls: multi-factor authentication and a tested incident-response plan, together costing about $12,000 a year to run. Each lowers the modeled breach cost (the SLE) through its mitigation factor, and tested response can also reduce the realistic ARO. Suppose together they cut the SLE to $240,000 and leave the ARO unchanged. The new ALE is 0.25 × $240,000 = $60,000. The controls reduce ALE by $15,000 a year for a $12,000 outlay — a positive return, and exactly the comparison the security control ROI calculator formalizes. The reasoning is laid out in the ROI of security controls.
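The step-by-step procedure above and this worked example carried through in code, as an added illustration that is not BreachCostLab's own calculator. It uses the article's constructed figures ($300,000 SLE, 0.25 ARO, $12,000 of controls that cut the SLE to $240,000); the ±50% stress band is an assumption chosen here for the stress-test step.

```python
"""ALE = ARO x SLE, the control comparison, and a stress-test range.

Added example, not the site's calculator code. Figures are the article's
constructed values; the stress band is an assumption made here.
"""
from dataclasses import dataclass


def ale(aro: float, sle: float) -> float:
    """Annual Loss Expectancy: expected yearly cost of the loss event."""
    if aro < 0 or sle < 0:
        raise ValueError("ARO and SLE must be non-negative")
    return aro * sle


def aro_from_interval(years_between_events: float) -> float:
    """Turn 'once every N years' into an ARO (a probability when N > 1)."""
    return 1.0 / years_between_events


@dataclass(frozen=True)
class ControlDecision:
    baseline_ale: float
    mitigated_ale: float
    control_cost: float  # annual cost to run the control(s)

    @property
    def ale_reduction(self) -> float:
        return self.baseline_ale - self.mitigated_ale

    @property
    def net_benefit(self) -> float:
        """Positive when the ALE reduction exceeds the controls' yearly cost."""
        return self.ale_reduction - self.control_cost


def evaluate_controls(aro, sle, new_aro, new_sle, control_cost):
    """Step 4: compare the ALE with and without the controls."""
    return ControlDecision(ale(aro, sle), ale(new_aro, new_sle), control_cost)


def stress_test(aro, sle, band=0.5):
    """Step 5: (low, point, high) ALE with both inputs moved by +/- band."""
    lo = ale(aro * (1 - band), sle * (1 - band))
    hi = ale(aro * (1 + band), sle * (1 + band))
    return lo, ale(aro, sle), hi


if __name__ == "__main__":
    d = evaluate_controls(0.25, 300_000, 0.25, 240_000, 12_000)
    print(f"baseline ${d.baseline_ale:,.0f}, with controls ${d.mitigated_ale:,.0f}, "
          f"net benefit ${d.net_benefit:,.0f}/yr")
    print("stress range (low, point, high):", stress_test(0.25, 300_000))
```

The stress range shows why the article reports ALE as a band rather than to the dollar: moving both inputs by half in each direction swings the point figure by a factor of four each way.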
The limits of the model
ALE is a decision aid, not a crystal ball, and using it well means respecting three limits.
It multiplies two uncertain estimates. Both ARO and SLE are educated approximations, and their product carries the combined uncertainty. That is why the result belongs in a range, and why the inputs should be stress-tested rather than quoted to the dollar.
It averages over time. An ALE of $75,000 does not mean you will lose $75,000 this year — in most years you lose nothing, and in a breach year you lose the full SLE. ALE smooths a lumpy reality into a budgeting average. It cannot tell you a catastrophe will not strike this year; it tells you the long-run expected cost.
It assumes independence and a stable rate. The simple ARO × SLE form does not capture correlated events, changing threat levels, or losses that exceed any single asset's value. For most small-business decisions it is more than adequate; for tail-risk planning, pair it with a worst-case figure such as the pessimistic end of your breach estimate or your full regulatory exposure.
Used with those caveats in mind, ALE is the single most useful number for turning a vague sense of cyber risk into a figure you can budget, compare and defend. Compute yours with the ALE calculator, and revisit it as your records, sector data and benchmarks change.
Frequently asked questions
What does ALE stand for?
Annual Loss Expectancy: the expected cost of a risk over one year, calculated as the Annual Rate of Occurrence (ARO) multiplied by the Single Loss Expectancy (SLE). It turns a per-incident cost into an annualized figure you can budget against.
What is the difference between SLE and ALE?
SLE is the cost of one occurrence of the loss event; ALE is that cost multiplied by how many times per year you expect it. SLE answers "how bad is one breach?"; ALE answers "what should I budget for breach risk this year?"
How do I estimate the annual rate of occurrence?
Use your sector's annual breach probability as a baseline — the breach probability calculator derives indicative rates from Verizon DBIR incidence — and adjust for your own posture. An ARO below one is just a probability: a 1-in-4-years event is an ARO of 0.25.
What are the limits of the ALE model?
ALE multiplies two uncertain estimates, so it inherits their uncertainty, and it averages over time — it cannot tell you a single catastrophic loss will not happen this year. Use it to compare options and size budgets, not as a precise forecast.
Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.