As a security professional, you will need to understand that identifying and managing risks can help to keep your company environment safe from various types of attacks. In this chapter we will look at types of threats and vulnerabilities and the role that different threat actors play.
We will cover the following exam objectives in this chapter:
Explain threat actor types and attributes: Types of actors—script kiddies—hacktivist—organized crime—nation states/APT—insiders—competitors. Attributes of actors—internal/external—level of sophistication—resources/funding—intent/motivation. Use of open—source intelligence
Explain the importance of policies, plans and procedures related to organizational security: Standard operating procedure—agreement types—BPA—SLA—ISA—MOU/MOA. Personnel management—mandatory vacations—job rotation—separation of duties—clean desk—background checks—exit interviews—role—based awareness training—continuing education—acceptable use policy/rules of behavior—adverse actions. General security policies—social media networks/applications—personal email
Summarize business impact analysis concepts: RTO/RPO—MTBF—MTTR—mission—essential functions—identification of critical systems—impact—life—property—safety—finance—reputation. Privacy impact assessment—privacy threshold assessment
Explain risk management processes and concepts: Threat assessment—environmental—manmade—internal versus external. Risk assessment—SLE—ALE—ARO—asset value—risk register—likelihood of occurrence—supply chain assessment—impact—quantitative—qualitative. Testing—penetration testing authorization—vulnerability testing —authorization. Risk response techniques—accept—transfer—avoid—mitigate
Risk management is the process of identifying risks within a company and making decisions about how to reduce the risks so that an incident does not cause harm to the company and its assets. You may not be able to eliminate the risk completely, but you may be able to put procedures in place to reduce it or keep it an acceptable level.
The first step in risk management is to identify the asset. Is it a top—secret document? If that was the case you'd limit the access to the document. The top—secret document would be stored in a secure area at all times; nobody would be able to take copies or photographs of it.
For example, if you had 1 kg of trash and you placed it outside your front door at night, you would be certain that in the morning it would still be there; however, if the asset was 1 kg of 24 carat gold and you left it outside your house at night, it would probably not be there in the morning.
The first step in risk management is identifying the asset because how we classify the asset will then determine how the asset is handled, stored, protected, and who has access to the asset.
Creating policies, plans, and procedures is a part of risk management and helps reduce the attack surface and prevent incidents from happening. Let us look at the different type of policies that can be used.
Standard Operating Procedures (SOP) give us step—by—step instructions as to how an activity is to be carried out. An example would be how to carry out the backing up of data. The SOP will state which data needs to be backed up daily, weekly, or monthly. Critical data would be backed up every two hours whereas archive data may be backed up monthly. The SOP would also state what the medium is to be used for the backup; it may be backed up to a NetApp or network share rather than to tape so that quicker recovery can be carried out.
Stage one in risk assessment is the classification of the asset; this then determines how it is accessed, stored, and handled.
Contracts between companies that want to purchase or sell services are very common as they protect both partners participating in the contract. We will now look at different agreement types that may be used in those contracts.
Business Partnership Agreement (BPA): A BPA is used between two companies who want to participate in a business venture to make a profit. It sets out how much each partner should contribute, their rights and responsibilities, the rules for the day—to—day running of the business, who makes the decisions, and how the profits are agreed and shared. It also has rules for the partnership ending either over time or if one of the partners dies.
Service—Level Agreement (SLA): A SLA is a contract between a service provider and a company receiving the service that defines the level of service expected from the service provider; it is based on metrics within a specific time frame. The agreement can be either a fix or a response in a certain period of time.
SLA is measure in metrics, as to what percentage has been achieved.
For example, your company has an SLA with a service provider that will fix the printer within 4 hours. If the printer breaks down then the service provider needs to repair the printer within four hours or face a penalty. An SLA only relates to one product or service at one time. A company may have several SLAs in place that cover all of their equipment.
Interconnection Security Agreement (ISA): An ISA states how connections should be made between two business partners. If one of the business partners is a government agency and the connection agreement is not enforced, it could pose a security risk to their network. The connection agreement could specify which type of VPN and tunnel should be used or it could state that a dedicated T3 Line is used to make the connection between them.
Memorandum of Understanding (MOU): An MOU is a formal agreement between two or more parties. MOUs are stronger than a gentlemen's agreement and both parties must be willing to make a serious commitment to each other but they are not legally binding.
Memorandum of Agreement (MOA): An MOA is similar to an MOU but serves as a legal document and describes the terms and details of the agreement.
Non—Disclosure Agreement (NDA): An NDA is a legally binding contract made between an employee or a business partner where they promise not to disclose trade secrets to others without proper authorization. The reason for this is to stop trade secrets or proprietary information being sold onto competitors.
Employing personnel is a key function in a successful business; however, employing people is high risk as we need to employ the right type of person, who must be bright enough to identify cyber—crime attacks. To help reduce the risk that employees face or to prevent human resources from employing the wrong person and prevent fraud on an ongoing basis the following policies can be adopted:
Job rotation: Job rotation is used for two main reasons—the first so that all staff can be trained in all aspects of the jobs in the company. Employees may change departments every six months; this way they get fully trained. The second reason is that by rotating jobs any theft or fraudulent activities can be discovered by the new person coming in.
Mandatory vacations: Mandatory vacation helps detect if an employee has been involved in fraudulent activities by forcing them to take holidays of a week or more. When people are involved in fraudulent activities they tend not to take many holidays so that the fraud cannot be discovered. This is especially rife in jobs in which people have fiscal trust, such as someone working in finance or someone who can authorize credit card payments.
Separation of duties: Separation of duties is having more than one person participate in completing a task; this is internal control to prevent fraud or error. An example would be where a person who worked in the finance department collected all money being paid in and then authorized all payment being payed out. A charity in the United Kingdom was embezzled out of £1.3 million over a period of six years. if they had two distinct finance jobs one person received the money and another authorized payment, the bedazzlement would have been prevented, this is the aim of separation of duties, no one person does the whole task.
Let's look at an example. All members of the IT team can make any changes to the network firewall; this creates a huge risk to the network. An auditor could recommend that each time a firewall rule is changed it is authorized by the Change Advisory Board and two people should be responsible for checking the changes to the firewall. With two people being responsible for making the changes, any errors should be eliminated. This is an example of separation of duties.
Let's look at a second example. When I first got married, we opened a joint back account that only my wages were paid into. My wife did the spending from this account even though she had her own account. I paid in, my wife withdrew—a true separation of duties. Nowadays I have my own account!
Separation of duties is where one person does not complete all configuration or transactions by themselves.
Other policies adopted by the company to help reduce risk are as follows:
Clean desk policy: A clean desk policy (sometimes known as clear desk policy) is a company policy that specifies that employees should clear their desks of all papers at the end of the day. This prevents the cleaning staff or anyone else from breaking into the building and reading those papers.
Background checks: Completing background checks on new employees may involve looking into criminal records, employment and education history, and driving license and credit checks. This is to ensure that what the person has stated on their CV (resume) is correct. More stringent background checks are needed for those working with children and handling finance.
Exit interview: The purpose of an exit interview is to find out the reason behind why the employee has decided to leave; this can be used to improve employment retention.
Acceptable User Policy (AUP): The purpose of the AUP is to let the employee or contractor know what he can do with company computers and Bring Your Own Device (BYOD) devices. It lays out the practices relating to how you can access the company network and the internet. It will also state practices that are forbidden such as participating in blogs and social media sites such as Facebook or Twitter whilst at work.
Rules of behavior: Rules of behavior lay down the rules of how employees should conduct themselves when as work. There should be no bullying, discrimination, or sexual harassment. Employees should work together for good and for the benefit of the company, even if they are not from the same background. People should respect and tolerate other employee's religious beliefs even though they may not be their own beliefs and they may not agree with them.
Adverse action: Adverse action is action that is unlawful if it is taken for particular reasons. The fair work act defines a number of actions as adverse actions, such as a person threatening an employee, injuring them in their employment, or discriminating against them.
Policy violations: When employees or contractors do not follow the policies or procedures that they have agreed to, this may result in either disciplinary procedures or if serious instant dismissal. This is normally behavioral based.
Role—based awareness training is mandatory training that an employee carries out on an annual basis; an example of this would be security awareness training that is used by companies to reduce their security risks. During the training, employees will learn about social engineering attacks where the employee is targeted, for example a phishing email. There will be more information about attacks in Chapter 8, Protecting Against Attacks and Vulnerabilities, of this book.
Policy violation is where SOP and policies have been ignored. Transferring data from outside the company should be done via VPN.
General security policies affecting an employee using the internet are:
Social media networks/applications: Many people have social media accounts such as Twitter, Facebook, Reddit, or Instagram. These sites store personal details about everyone who has an account and employees need to be careful with the information that they post on the sites. For example, you could put your date of birth, where you live, your personal preferences, and your email address. This information is a security risk and it could lead to a phishing attack or identify theft.
Cognitive hacking is where a computer or information system attack relies on changing human users' perceptions and corresponding behaviors in order to be successful. This is a social engineering attack and the information required could be found on your various social media websites or applications.
You may also put comments on social media websites that could discredit your employer or one of their customers and this could lead to dismissal. These comments may also prevent you from gaining future employment as employers normally complete a background check and also look at your social media accounts.
If you have different social media sites then don't use the same password for each of them, especially if it is the same for your online banking account. One account hacked means that all accounts are hacked.
Personal email: Your company mailbox must not be used for personal email, for example if you decide to sell your car and then email all of the staff in the company—you will violates the Acceptable Use Policy.
Business impact analysis (BIA) looks at the financial loss relating to an incident and does not look at how the threat or how an event occurred. It measures the additional cost due to various factors.
Financial loss factors include the following:
Loss and delay of sales
Regulatory fines and contract penalties
Purchase of new equipment to return to an operational state
Additional labor required until returning to an operational state
Do we need to seek a new property to operate in?
Impact factors include the following:
Loss of company brand or reputation
Was there loss of life?
Were safety procedures in place?
BIA looks at the financial loss but does not look at the threat.
Personal data use, storage, and access are regulated and a company would be fined if they did not handle the data properly. There are two policies that we need to look at and these are the privacy threshold assessment and the privacy impact assessment. Let us now look at these:
Privacy threshold assessment: This assessment is to help identify personal information, described as either Personally Identifiable Information (PII), Sensitive Personal Information (SPI), or Public Health Information (PHI), as used in information security and privacy laws.
Privacy Impact Assessment (PIA): A PIA is an analysis of how personally identifiable information is collected, used, shared, and maintained. Should you have a project that requires access to the PII, SPI, or PHI information you may need to fill in a PIA screening form justifying the need for its use.
When we look at BIA as a whole we have to see what the company's mission—essential functions are; for example, an airline depends heavily on its website to sell airline tickets. If this was to fail it would result in a loss of revenue. Critical systems for the airline would be the server that the website was placed on and its ability to contact a backend database server such as SQL that would hold ticketing information and process the credit card transactions and order history for each of their customers.
What would be the mission essential functions for a newspaper and what would be its critical systems?
Newspapers generate revenue not only via sales but more importantly by selling advertisement space in the paper. The mission—essential function would be the ad creation program that creates the advertisements and the critical systems would be the server that the program resides upon, the database for processing payments, and the systems used to print the newspapers.
Your supply chain is the companies that you totally rely upon to provide the materials for you to carry out a business function or make a product for sale. Let's say that you are a laptop manufacturer and Company A provides the batteries and Company B provides the power supplies; if any of these runs short of either batteries or power supplies it stops you from manufacturing and selling your laptops.
Company C provides your broadband internet access and you are totally reliant upon them for the internet—you may mitigate the risk of the internet failing by adopting vendor diversity, where you purchase broadband from Company D so that if either of your suppliers fails you still have internet access, which is now crucial to any modern business.
The following concepts are used for determining the business impact analysis:
Recovery Point Object (RPO): RPO is how much time a company can last without its data before it affects the operation. This is also known as acceptable downtime, where a company could, agree that it can be without data for three hours—then the RPO is 3 hours. Should the IT systems in s company suffer loss of service at 13:00 hours then the RPO would be 16:00 hours. Any repair beyond that time would have an adverse impact on the business.
Recovery Time Object (RTO): RTO is the time that the company has been returned to an operational state. In the RPO scenario ,we would like the RTO to be before 16:00 hours. If the RTO is beyond 16:00 hours, then once again it has an adverse impact on the business.
Mean Time to Repair (MTTR): MTTR is the average amount of time it takes to repair a system. If my car broke down at 14:00 hours and it was repaired at 16:00 hours the MTTR would be two hours.
Mean Time Between Failures (MTBF): MTBF shows the reliability of a system. If I purchase a new car for $50,000 on January 1 then it breaks down on January 2, 4, 6 and 8th, I would take it back to the garage as the MTBF would be pretty high and for $50,000, I want a car that is more reliable.
Mean Time to Failure (MTTF): MTTF is the predicted lifespan of a system. Normally an IT system is expected to last about 5 years, therefore its MTTF is 5 years. If I bought a car in 1960 and I had to scrap it in 1992, the MTTF of the car would be 32 years.
RPO is the acceptable downtime whereas RTO is the return to an operational state.
The following concepts can be used to calculate the actual loss of equipment throughout the year and may be used to determine whether we need to take out additional insurance against the loss of the equipment:
Single Loss Expectancy (SLE): The SLE is the loss of one item, for example if my laptop was worth $1,000 and I lost it whilst travelling, then my SLE would be $1,000.
Annual Rate of Occurrence (ARO): The ARO is the number of times that an item has been lost in a year; if an IT team lost six laptops in a year the ARO would be dix.
Annual Loss Expectancy (ALE): The ALE is calculated by multiplying the SLE by the ARO—in the case of the previous examples then we have $1,000 x 6 =$6,000. The ALE is the total loss in a year.
A multinational corporation loses 300 laptops annually and these laptops are valued at $850; would they take out an insurance policy to cover the costs of replacement if the insurance premiums were $21,250 monthly?
The answer is no, because the cost of replacing them is the same as the cost of the insurance, they would take a risk on not losing 300 laptops next year.
The calculations are as follows:
ALE: SLE x ARO
ALE: $850 x 300 = $225,000
Monthly cost: $225,000 / 12 = $21,250
Annual loss expectancy = Single loss expectancy X Annual rate of occurrence.
Risk is the probability that an event will happen—it could bring profit to you, for example if you place a bet on the roulette wheel in a casino then you win more money. It is, however, more likely that a risk will result in financial loss or loss of service. Companies will adopt a risk management strategy to reduce the risk being posed to them but may not be able to eliminate the loss completely. In information technology, newer technology comes out every day and poses more risk to a business so therefore risk management is ever evolving.
The main components are assets, risks, threats, and vulnerabilities:
Asset: The first stage in risk management is the identifying and classification of the asset. If the asset is a top—secret document, you will handle and store it differently from an asset that is unclassified and available for free on the internet.
Risk: Risk is the probability that an event could occur, resulting in financial loss or the loss of service.
Threat: A threat is someone or something that wants to inflict loss on a company by exploiting vulnerability. It could be a hacker that wants to steal a company's data.
Vulnerability: This is the weakness that help an attacker exploit a system. It could be a weakness in a software package or a misconfiguration of a firewall.
A threat is something that will pose a danger by exploiting vulnerability. Vulnerability is a weakness that may be exploited and risk is the probability that an event will happen.
A threat assessment helps a company classify its assets and then looks at the vulnerabilities of that asset. It will look at all of the threats the company may face, the probably of the threat happening, and the potential loss should the threat be successful:
Environmental threat: This threat is based on environmental factors, for example the likelihood of a flood, hurricane, or tornado. If you live in Florida there is a peak season for hurricanes from mid—August to October, whereas if you live in Scotland, the last time they had a minor hurricane was in 1968. Florida has a high risk of having a hurricane whereas Scotland would be extremely low risk.
Man—made threat: This is a human threat—it could be a malicious insider attack where an employee deliberately deletes data or could just be an accidental deletion by an incompetent member of staff.
Internal threat: This could be the disgruntled employee who is called the malicious insider threat—they could deliberately sabotage the data and IT systems. This malicious insider threat is the hardest to discover as they can hide their tracks or use someone else's credentials.
External threat: This could be a hacker or could be an threat such as a flood, hurricane, or tornado.
A threat actor is another name for a hacker or attacker who is likely to attack your company; they all have different attributes. They will investigate your company from the outside looking for details or social media and search engines. Security companies provide an open source intelligence test and inform you of your vulnerabilities in terms of threat actors. Let us now look at threat actor types:
Hackavist: A hacktivist is an external threat who defaces your website or breaks into your computer or network as part of an organization that wants to send a social or political message.
Competitor: A competitor is another company in the same industry as yourself who tries to gain information from you on new products in the hope that they can build it faster and get it to market before you.
A competitor is a threat actor who will try and steal a company's trade secrets to gain a market edge.
Script kiddie: A script kiddie is a person who does not have high technical knowledge and uses script and code that he finds to make an attack against your company. His motivation is that he wants to be seen as a famous hacker.
Nation state: A nation state is another country who poses a threat to your country; their motivation is that they want to undermine your democracy.
Advanced persistent threat: An advanced persistent threat is an external threat that tries to steal data from your network, but they are there for an extremely long period of time. They are very sophisticated and could be funded by a foreign government.
Organized crime: Organized crime refers to criminals who target companies mainly to steal data and then sell it to competitors or the highest bidder to make a profit. They have people working for them that have a high level of sophistication and their motivation is financial wealth.
Insider threat: An insider threat is a disgruntled employee who might have been overlooked for promotion and their relationship with their company has gone sour. They are also known as malicious insider threats and are the most difficult to protect yourself from.
Risk treatment looks at each individual risk by the risk owner who is the best person to classify the asset; they will then decide what action is best to take to reduce the risk to the company. The risk will then be included in the company's risk register so that it can be monitored. New risks should be recorded in the risk register immediately and the risk register should be reviewed every six months as risks change frequently as technology changes.
Residual risk is the amount of risk remaining after you mitigate the risk. Remember you cannot eliminate a risk totally.
Risk acceptance is evaluating the risk and then deciding not to take any action as you believe the probability of it happening is very low or the impact is low. For example, I have company premises in Scotland and I was quoted $1,000 a year to insure the building against earthquakes. I would not take the insurance and accept the risk. This is because earthquakes rarely happen in Scotland and if they do, then their magnitude is very small and the cost of any damage is likely to be less than $1,000 even if it happens.
Risk transference is where you decide that the risk is great and want to offload the responsibility to a third party. For example, I purchase a car and decide that there is a high risk of someone crashing into the car, so I take out car insurance to transfer the risk to the insurance company. The car is insured but I am still the owner. An another example is an IT company installing an Exchange 2016 email server, but nobody in the company knows how to support it, therefore the risk of something going wrong is high so they take out an SLA with an outsourcing company to manage the mail server.
Risk avoidance is where the risk is too high therefore you decide to not carry out the task. For example, you are standing at the edge of the Grand Canyon looking down and you can see the drop is about 7,500 feet. You are thinking of jumping down to the bottom without a parachute but common sense kicks in and tells that you are likely to die, therefore you decide to adopt risk avoidance and not jump, as the risk is too high.
Risk mitigation is where you are evaluating the risk and decide whether the risk as it stands will result in financial loss, loss of service, or being vulnerable to attack. You decide to leave your home in the morning to go to work—if you leave the door open, you decide someone will enter your property and take some of your personal possessions. You then adopt risk mitigation by closing and locking the door. Another example is: you purchase 50 new laptops for your company, software installed, but there is no anti—virus installed. There is a high risk that you could encounter a virus, therefore you decide to mitigate the risk by installing anti—virus software on all of the laptops. Risk mitigation is technical control.
When we look at the overall risk for the company we will use a risk register. This is a list of all of the risks a company could face. The risk to the finance department with be assessed by a the financial director and IT—related risk would be looked at by the IT manager. Each department can identify the assets, classify them, and decide on the risk treatment. The financial director and IT manager are known as risk owners—they are responsible for them:
Ser |
Date |
Owner |
Description |
Probability |
Impact |
Severity |
Treatment |
Contingency |
Action taken |
1 |
01/05/18 |
IT Manager |
Loss of Switch |
Low |
High |
High |
Transfer—2—hour fix SLA |
Purchase spare switch |
02/05/2018 |
There are two different approaches to risk management and they are qualitative and quantitive risk assessments. Let us look at both of them:
Qualitative risk analysis: Qualitative risk analysis is when the risk is evaluated as a high, medium, or low risk.
Quantitative risk analysis: Quantitative risk analysis is where you look at the high qualitative risks and give them a number value so that you can associate them with a cost for the risk.
In this example, we are going to grade a risk and its probability from 1—9, with 1 being low and 9 being high. If we look at the impact of losing a mail server, the qualitive risk analysis would say that it is high but the probability of losing it would be low:
Qualitative |
Probability |
Quantitative risk |
9 |
3 |
9*3=27 |
What is the purpose of standard operating procedures?
What is the purpose of BPA?
What is the difference between an MOU and an MOA?
What is the purpose of an ISA?
What is the benefit of introducing separation of duties into the finance department?
What is the purpose of a risk register?
What is the purpose of job rotation?
What is the purpose of mandatory vacations?
What is the first stage in risk assessment?
Why would a company introduce a clean desk policy?
If someone brought their own laptop to be used at work apart from an On-Boarding policy,what other policy should be introduced?
What is the purpose of an exit interview?
When would you adopt risk avoidance?
What is the purpose of risk transference?
What are rules of behavior?
Why would a company run an annual security awareness training programme?
What is cognitive hacking and what should we avoid to mitigate it?
What would happen if I tried to sell my car and sent an email to everyone who worked in my company using my Gmail account?
Why would I make a risk assessment from one of my main suppliers?
What is the driving force of Business Impact Analysis?
What is the relationship between RPO and RTO?
What information can be established from MTTR?
What is the purpose of MTBF?
What is the purpose of SLE and how is it calculated?
How can we calculate the Annual Loss Expectancy (ALE)?
Standard operating procedures are step-by-step instructions and how a task should be carried out so that employees know exactly what to do.
A BPA is used by companies in a joint venture and it lays out each party's contribution, their right and responsibilities, how decisions are made, and who makes them.
A Memorandum of understanding is a formal agreement between two parties but it is not legally binding whereas the memorandum of agreement is similar but is legally binding.
An Interconnection Security Agreement (ISA) states how connections should be made between two business partners. They decide on what type of connection and how secure it for example they may use a VPN to communicate.
If we adopted separation of duties in the finance department, we would ensure that nobody in the department did both parts of a transaction. For example, we would have one person collecting revenue and another person authorizing payments.
A risk register lays out all of the risks that a company faces; each risk will have a risk owner who specializes in that area as well as the risk treatment.
Job rotation ensures that employees work in all departments so that if someone leaves at short notice or is ill, cover can be provided. It also ensures that any fraud or theft can be detected.
Mandatory vacations ensure that an employee takes at least five days of holiday and someone provides cover for them; this also ensures that fraud or theft can be detected.
The first stage in risk assessment is identifying and classifying an asset. How the asset is treated, accessed, or scored is based on the classification.
A Clean Desk policy is to ensure that no document containing company data is left unattended overnight.
Someone bringing their own laptop is called BYOD and this is governed by two policies, the on—boarding policy and the Acceptable Use Policy (AUP). The AUP lays out how the laptop can be used, and accessing social media sites such as Facebook or Twitter are forbidden whilst using the device at work.
An exit interview is to find out the reason why the employee has decided to leave; it may be the management style or that other factors in the company are not good. The information from an exit interview may help the employer improve terms and conditions and therefore have a higher retention rate.
When a risk is deemed too dangerous or high risk and could end in loss of life or financial loss, we would treat the risk with risk avoidance and avoid the activity.
Risk transference is where the risk is medium to high and you wish to offload the risk to a third party, for example insuring your car.
Rules of behavior are how people should conduct themselves at work to prevent sexual discrimination, bullying, or discrimination.
Annual security awareness training advises employees of the risk of using email, the internet, and posting information on social media websites. It also informs employees of any new risk posed since the last training.
Cognitive hacking is where a computer or information system attack relies on changing human users' perceptions and corresponding behaviors in order to be successful. This is a social engineering attack and we could reduce the risk by being careful what we post on social media websites.
Sending an email to everyone who works in your company using your Gmail account is a violation of the AUP and could lead to disciplinary action.
A manufacturing company would carry out supply chain risk assessment as they need a reputable supplier of raw materials so that they can manufacture goods.
Business impact analysis is just money; it looks at the financial impact following an event. The loss of earning, the cost of purchasing new equipment, and regulatory fines are calculated.
The Recovery Point Object (RPO) is the acceptable downtime that a company can suffer without causing damage to the company, whereas the Recovery Time Object (RTO) is the time that the company is returned to an operational state—this should be within the RPO.
Mean Time to Repair (MTTR) is the average time it takes to repair a system, but in the exam, it could be seen as the time to repair a system and not the average time.
Mean Time Between Failure (MTBF) is the measurement of the reliability of a system.
Single Loss Expectancy (SLE) is the cost of the loss of one item; if I lose a tablet worth $1,000, then the SLE is $1,000.
The Annual Loss Expectancy (ALE) is calculated by multiplying the SLE by the ARO (the number of losses per year). If I lost six laptops a year worth $1,000 each, the ALE would be $6,000.