
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
An Alternative: Attack Trees
|
15
Clearly, the Annualized Loss Expectancy for email eavesdropping or tampering
caused by system compromise is high. ABC Corp. would be well advised to call that
$2,400 trainer immediately!
There are a few problems with relying on the ALE as an analytical tool. Mainly, these
relate to its subjectivity; note how often in the example I used words like “unlikely”
and “reasonable.” This is because information security is a young profession com-
pared to other disciplines that use ALEs and similar techniques (e.g., Civil Engineer-
ing): we don’t have a large, public body of incident-cost data to work with.
Any ALE’s significance, therefore, depends much less on empirical data than it does
on the experience and knowledge of whoever is calculating it. Another drawback to
ALEs is that they don’t lend themselves too well to being correlated with one another
(except in short lists like Figures 1-1 and 1-2).
The ALE method’s strengths, though, are its simplicity and flexibility. Anyone suffi-
ciently familiar with their own system architecture, operating costs, and with current
trends in IS security (e.g., from reading CERT advisories and incident reports now
and then) can create lengthy lists of itemized ALEs for their environment with little
effort. If such a list ...