Now all of this works towards eventual cost benefit assessment. This is a typical calculation that we do in business for many different cases when it comes to making a determination about a step or product purchase. So we're going to use the annualized loss expectancy value that we have generated against the threats and compare it to the expected cost of the potential loss.

So in an example, if a server is worth $10,000 and one suggested security safeguard would cost the company 12, for that one server. This of course would be discouraged because it is not cost-effective, spending more than the asset itself is worth is rarely considered to be a wise move.

Now, there are many variables that will go into this, not just simply the cost. For one thing, we have to consider the tangible and intangible values such as value contribution by this particular asset to other processes and products. In such cases, we have to think about the direct secondary impacts that will be produced by taking this server out of operation. And instead of direct replacement cost what we might consider also, if this is your organization's practice, the cost of computational equivalent for this IT asset and use that instead of a direct cost replacement.

Overall, what we're trying to do is put together a cost justification for taking a proposed course of action. And this calculation is one as I mentioned, that businesses use all the time. And we should use the same decision logic if we want to get one of our mitigation recommendations considered and then implemented. Part of this calculation will be the calculation of the worth or value of a security control, whatever it might be.

First, we start with our effectiveness premise, operationally that it actually solves a real problem and produces a material risk reduction. And then from an economic perspective, that these are cost-effective as we just discussed. We also have to think about other things which you might consider to be soft.

Organizationally, the control achieves the goal and enables business success without undue or unacceptable impediment. Something that very much flies in the face of the common perception that security tends to intervene and impede proper productivity. So we use the formula, the ALE pre-implementation and the total loss potential from that we subtract the ALE, post-implementation and residual loss potential, and then add back the annual control TCO. And this gives us the economic value add of the control itself.

Now the EVA, economic value add of the control, is part of what we consider when we compare the cost to protect versus the cost of loss or compromise. This is the basis for the cost benefit analysis for the particular security control when we think about the operational effectiveness and the ultimate financial cost effectiveness, which you'd like to think of as most bang for the buck. But the caution is this is not purely lowest cost. This is one factor in calculating the EVA of the given control.

Now, as I've said before, all of these values must represent lifecycle total cost of ownership because each asset is considered that way on the books. And we should evaluate the security scenario and the controls that we're going to consider on the same basis. Otherwise, we will get a mismatch in value contribution or losses.

Now the cost to protect equates to the cost of the candidate control to be implemented. The cost of loss equates to the value of the asset at risk, if it is lost, or if it's compromised in its operation. Now there are three typical outcomes of this. The first one, if the cost to protect is less than the cost of loss or compromise, as you see in the formula there. The result here shows that it is less expensive to use a control than risk the loss of the asset.

Now, this does not indicate that compliance or similar requirements are considered, but bear in mind that through all of these, those factors have to be considered in all cases. Now, the outcome from this cost to protect is less than the cost of compromise. It shows that this is financially validating the decision to actively mitigate the risks to the asset through some means.

The next case is when the cost to protect is greater than the cost of loss or compromise. In this particular case, the result shows that it is more expensive to use the control than to risk the loss of the asset. Once again, we have to consider secondary concerns such as compliance or the value contribution or necessity of the asset in question to any process or product. Assuming that all of those things are considered, and we still come up with this particular result. This result financially validates the decision to accept the risk for the loss of this asset.

Now, having said that we are accepting the risk here, here's the caution to consider. Accepting risk does not by its term mean that we are doing nothing, doing nothing is considered to be by most regulations negligent. And that is not what acceptance of the risk means. Now, if we find in our calculations that the cost to protect is approximately equal to the cost of loss or compromise. What this result shows is that it is no more expensive to use a control than to lose the asset, which means we're faced with a decision that will probably be made on the basis of secondary considerations rather than simply considering the cost to protect versus the cost of loss as a simple monolithic number. So this decision to mitigate or accept the risk will be based on criteria other than cost alone.