Sara, a security analyst, is trying to prove to management what costs they could incur if their customer
database was breached. This database contains 250 records with PII. Studies show that the cost per
record for a breach is $300. The likelihood that their database would be breached in the next year is only
5%. Which of the following is the ALE that Sara should report to management for a security breach?

A.
$1,500

B.
$3,750

C.
$15,000

D.
$75,000

Explanation:
SLE × ARO = ALE, where SLE is equal to asset value (AV) times exposure factor (EF); and ARO is the
annualized rate of occurrence.
SLE = 250 x $300; ARO = 5%
$75000 x 0.05 = $3750
Incorrect Answers:A: A $1500 amount assumes a breach likelihood of 2%.
C: A $15000 amount assumes that the likelihood of a breach is 20%.
D: $75000 would be the single loss expectancy.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 5-6