Annual Loss Expectancy (ALE) Calculator

Put a single annual dollar figure on a risk with the standard quantitative model: Annual Loss Expectancy = ARO × SLE. Enter how often the loss event is expected each year (the annualized rate of occurrence) and how much one occurrence would cost (the single loss expectancy) — either directly, or built from an asset value × exposure factor. The result is the average loss you should budget for per year, the number you compare against the cost of a control. Benchmarks as of Jun 25, 2026.

How often (frequency)
e.g. 0.30 = a 30% chance per year.
How much per occurrence (single loss expectancy)
Annual Loss Expectancy: $150,000 / year = ARO 0.3 × SLE $500,000.
ARO (per year): 0.3
SLE (per event): $500,000
ALE (per year): $150,000
The ALE calculation, step by step
Step | Value
Asset value | $500,000
× Exposure factor | 1.00
= Single loss expectancy (SLE) | $500,000
× Annualized rate of occurrence (ARO) | 0.3
= Annual Loss Expectancy (ALE) | $150,000
Formula.
ALE = ARO × SLE
SLE = asset value × exposure factor
Default: SLE = $500,000 × 1.00 = $500,000, then ALE = 0.3 × $500,000 = $150,000/yr
This is the standard quantitative-risk model documented in NIST SP 800-30 and used by the FAIR risk methodology.

How it works

Annual Loss Expectancy is the single most useful number in quantitative risk analysis because it converts an uncertain, occasional event into a steady annual figure you can plan around. The idea is simple. Most security incidents do not happen every year; they happen sometimes, and when they do they cost a lot. If you only ever looked at the cost of one incident you would either over-react (treating a rare event as if it were certain) or under-react (ignoring it because last year was quiet). ALE solves this by multiplying the two things that actually matter — how often the event happens and how much it costs each time — into one number that represents the average yearly bite the risk takes out of your business over the long run.

The two inputs are the annualized rate of occurrence and the single loss expectancy. The annualized rate of occurrence, or ARO, is the expected number of times the loss event occurs in a year. For something that happens roughly once every three years the ARO is about 0.33; for something expected once a year it is 1.0; for a high-frequency problem such as successful phishing it might be 3 or 4. Crucially, ARO can be a fraction below one — most breach scenarios are — and it can also exceed one for events that recur within a single year. The single loss expectancy, or SLE, is the dollar cost of one occurrence. You can enter it directly, or you can build it from an asset value and an exposure factor, which is the classic textbook decomposition.

The exposure factor is the proportion of an asset's value that a single occurrence of the event destroys, expressed as a number between zero and one. An incident that wipes out half the value of an asset has an exposure factor of 0.5; one that effectively destroys the whole asset has an exposure factor of 1.0. In practice, for data breaches the exposure factor is often set at or near 1.0 because the "asset" being modeled is the breach response cost itself rather than a physical asset that is only partly damaged — and occasionally it is set above 1.0 to capture knock-on losses such as customer churn and reputational damage that exceed the bare value of the data. Multiplying asset value by exposure factor gives the SLE, and multiplying SLE by ARO gives the ALE. Because the model is purely multiplicative, it is transparent and easy to stress-test: change any one input and you can see exactly how the annual figure moves.

This structure is not an invention of this calculator; it is the standard quantitative risk model set out in NIST SP 800-30, the US government's guide for conducting risk assessments, and it underpins the widely used FAIR (Factor Analysis of Information Risk) methodology. Both treat risk as the product of a frequency term and a magnitude term, which is exactly what ARO and SLE provide. Using the same model means your numbers are comparable to those produced by professional risk assessors and acceptable to auditors and insurers who expect to see a defensible, repeatable method rather than a gut-feel figure.

Once you have an ALE, it becomes the yardstick for every security investment decision. A control that costs less per year than the ALE it eliminates pays for itself; one that costs more does not. That comparison is the basis of the security control ROI calculator, which takes an ALE, applies a control's risk-reduction percentage, and reports the return on the spend. ALE is also what cyber-insurance pricing is implicitly trying to approximate, so having your own ALE lets you judge whether a premium is reasonable.

A worked example

Suppose a small business wants to put a number on the risk of a customer-data breach. From the breach probability calculator its sector shows an indicative annual probability of about 30%, so it sets the ARO to 0.30 — meaning, on average, it expects a breach roughly once every three years or so. From the data breach cost estimator it gets an expected cost of $500,000 for one such breach, which becomes the SLE (here built as an asset value of $500,000 with an exposure factor of 1.00).

  • Single loss expectancy SLE = $500,000 × 1.00 = $500,000
  • Annual Loss Expectancy ALE = 0.3 × $500,000 = $150,000 per year

The interpretation is important: this business will not lose $150,000 next year. In most years it will lose nothing; in the year a breach occurs it will lose around $500,000. The $150,000 is the average it should budget for and the figure it should weigh any breach-prevention spending against. If a security control that reduces breach likelihood by a third costs less than roughly a third of $150,000 per year, the numbers say it is worth buying. To turn that comparison into an explicit return on investment, carry this ALE into the security control ROI calculator. To refine the SLE itself, return to the data breach cost estimator, and to sharpen the ARO, use the breach probability calculator.
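The interpretation above, worked through in code as an added example (not code from this calculator): it computes SLE and ALE for the default scenario, simulates many individual years to show that the average converges on the ALE while most years lose nothing, and derives the break-even cost of a control. Modeling the yearly event count as Poisson with mean ARO is an assumption of this sketch, chosen so that ARO values above 1 also work; all function names are hypothetical.

```python
import math
import random

def sle(asset_value, exposure_factor):
    """Single loss expectancy = asset value x exposure factor."""
    if asset_value < 0 or exposure_factor < 0:
        raise ValueError("asset value and exposure factor must be non-negative")
    return asset_value * exposure_factor

def ale(aro, single_loss):
    """Annual loss expectancy = ARO x SLE."""
    if aro < 0:
        raise ValueError("ARO must be non-negative")
    return aro * single_loss

def simulate_years(aro, single_loss, years, seed=1):
    """Loss per simulated year, with event counts drawn from Poisson(ARO).

    The Poisson model is an assumption of this example, not part of the
    ALE formula itself.
    """
    rng = random.Random(seed)
    threshold = math.exp(-aro)
    losses = []
    for _ in range(years):
        # Knuth's Poisson sampler: multiply uniform draws until the
        # running product falls to e^-ARO or below.
        events, product = 0, rng.random()
        while product > threshold:
            events += 1
            product *= rng.random()
        losses.append(events * single_loss)
    return losses

def control_breakeven(aro, single_loss, likelihood_reduction):
    """Largest annual control cost still covered by the ALE it removes."""
    reduced_aro = aro * (1 - likelihood_reduction)
    return ale(aro, single_loss) - ale(reduced_aro, single_loss)

if __name__ == "__main__":
    s = sle(500_000, 1.00)  # the page's default scenario
    losses = simulate_years(0.3, s, years=100_000)
    quiet = sum(1 for x in losses if x == 0) / len(losses)
    print(f"SLE ${s:,.0f}, ALE ${ale(0.3, s):,.0f}/yr")
    print(f"simulated mean ${sum(losses) / len(losses):,.0f}/yr, "
          f"{quiet:.0%} of years with no loss")
    print(f"break-even for a one-third likelihood reduction: "
          f"${control_breakeven(0.3, s, 1 / 3):,.0f}/yr")
```

Under the Poisson assumption the share of loss-free years is e^-ARO, so it comes out slightly above the 70% a strict "30% chance per year" reading would give, while the long-run mean still equals ARO × SLE.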

Frequently asked questions

What is Annual Loss Expectancy (ALE)?

Annual Loss Expectancy is the average loss you would expect from a given risk per year, spread over the long run. It is the cornerstone of quantitative risk analysis and is defined as ALE = ARO × SLE: how often the loss event happens in a year (the annualized rate of occurrence) multiplied by how much it costs each time it happens (the single loss expectancy). For the default scenario here — a 30% annual chance of a breach that would cost $500,000 — the ALE is $150,000 per year.

What do ARO and SLE mean?

ARO (annualized rate of occurrence) is the expected number of times the loss event happens in a year. A once-in-three-years event has an ARO of about 0.33; an event expected twice a year has an ARO of 2.0. SLE (single loss expectancy) is the dollar loss from one occurrence, and is itself asset value × exposure factor, where the exposure factor is the fraction of the asset's value destroyed by a single event (0 to 1, occasionally above 1 when knock-on costs exceed the bare asset value).

Where do I get a number for ARO?

For breach risk, a practical starting point is your sector's annual breach probability. Use the breach probability calculator to read an indicative base rate for your industry, then adjust it up or down for your own security posture and threat exposure. ARO does not have to be below 1 — for high-frequency events such as phishing-driven incidents it can be several occurrences per year.

Where do I get a number for SLE?

SLE is the cost of one occurrence of the loss event. For a data breach, the most defensible figure comes from the data breach cost estimator, which models the expected cost from your industry, records, data type, size and controls. You can paste that figure straight into the SLE field, or build SLE here from an asset value and an exposure factor when you are reasoning about a single asset rather than a whole breach.

Is ALE a prediction of next year's loss?

No. ALE is a long-run average, not a forecast of any single year. In most years the actual loss from a low-frequency risk is zero; in the year the event occurs it is the full SLE. ALE is useful precisely because it lets you compare risks and weigh the cost of a control against the loss it avoids on a consistent annual basis — see the security control ROI calculator — not because it tells you what will happen next year.

Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.