MazeBolt Blog: The ROI of RADAR

Quantifying Cyber Risk: ROI on RADAR

When cybersecurity teams look at return on investment (ROI), they often want a model that translates security spending into business terms. In the past, the “5% rule” was a common guideline – spending roughly 5% of the potential loss value to mitigate a risk. This may have worked in slower-moving environments, but in 2025 it is rarely enough for evaluating the cost of today’s fast-moving, high-impact DDoS attacks.

Organizations researching the ROI of RADAR™ by MazeBolt tend to adopt models that balance risk probability, business impact, and the cost of controls. There are several approaches to quantifying the ROI; one that is widely used is the Annualized Loss Expectancy (ALE) model. For alternative approaches to quantifying ROI, see: Quantifying Cyber Risk: Operational ROI for Continuous DDoS Testing.

Reducing the ALE to Stay Within Your Risk Appetite

Most cybersecurity leaders tie their investment to their risk tolerance, threat likelihood, and business impact – often using a risk-adjusted ROI model.

An ROI model for calculating DDoS risk costs in which you compare ALE to the cost of mitigation has some strong advantages, but also a few limitations you need to be aware of.

The principle behind this model is: Spend enough to reduce the ALE to within your risk appetite.

Generic example in percentage terms:

Step | Description          | Calculation                                | Result
1    | ALE without controls | Probability × Impact                       | 100% baseline
2    | ALE with controls    | Probability × (1 − Effectiveness) × Impact | Reduced %
3    | Loss avoided         | ALE without − ALE with                     | Avoided %
4    | ROI ratio            | Loss avoided ÷ Cost of Control             | ROI value

Interpretation:

This is the formula for adjusting the likelihood of a damaging event after you’ve implemented a control (like RADAR).

  • Probability = the annual chance of the event happening without any new controls.
  • Effectiveness = how much the control reduces that probability, expressed as a percentage.
  • 1 − Effectiveness = the portion of the original probability that still remains after controls are in place.

For example, if controls reduce your ALE from 1.00% of revenue to 0.25% of revenue, you have avoided 0.75% of annual revenue in losses. If the controls cost 0.25% of revenue to operate, your ROI is approximately 3:1, meaning that every 1% of spend avoids about 3% in losses.

Step-by-Step ALE ROI Calculation

1. Annualized Loss Expectancy without controls

ALEwithout = Probability × Impact

2. Annualized Loss Expectancy with controls

ALEwith = Probability × (1 − Effectiveness) × Impact

3. Loss avoided

Loss Avoided = ALEwithout − ALEwith

4. ROI

ROI = Loss Avoided ÷ Cost of Control

Total Business Impact – Building from Components

The biggest challenge with ALE is defining the total business impact accurately. This should not be viewed as an arbitrary percentage of company value. Instead, it should be broken down into measurable categories.

Impact Category                            | Typical % of Annual Revenue | Basis
Direct revenue loss                        | 0.10 – 0.20% per hour       | Calculated as total value of business activity × profit margin × hours of downtime
Service Level Agreement (SLA) penalties    | 0.02 – 0.05%                | Based on contractual uptime guarantees with high-value customers or partners
Operational disruption costs               | 0.01 – 0.02%                | Includes incident response, forensics, legal, and public relations
Regulatory fines                           | 0.05 – 0.50%                | Sector-specific; DORA, SEC, PCI DSS
Customer churn / lifetime value (LTV) loss | 0.10 – 0.30%                | Loss of high-value customers after outage

Example:
For a 3-hour outage at the lower-mid range of these estimates:

  • Direct loss: 0.30%
  • SLA penalties: 0.03%
  • Operational disruption: 0.015%
  • Regulatory fines: 0.10%
  • Churn: 0.20%

Based on the above, the total estimated impact for a 3-hour DDoS outage is approximately 0.645% of annual revenue. For an organization with $1B in yearly revenue, this would equate to approximately $6.45M in total business impact.
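As an added example (not MazeBolt's code), the component table above turned into a small calculator: it sums the categories for a given outage length, scales only the per-hour category with downtime, and rejects an estimate that falls outside the table's published range, which is the data-quality check the limitations section warns about. The per-hour flag, the range check and the function names are assumptions.

```python
# Added example, not MazeBolt's code. Ranges and the 3-hour lower-mid picks are the
# page's; the per-hour flag and the range check are assumptions for this example.

# category -> (low %, high %, scales with hours of downtime?)
IMPACT_RANGES = {
    "Direct revenue loss":       (0.10, 0.20, True),   # % of revenue per hour
    "SLA penalties":             (0.02, 0.05, False),
    "Operational disruption":    (0.01, 0.02, False),
    "Regulatory fines":          (0.05, 0.50, False),
    "Customer churn / LTV loss": (0.10, 0.30, False),
}

# The page's lower-mid scenario for a 3-hour outage (values before hour scaling).
LOWER_MID_PICKS = {
    "Direct revenue loss": 0.10,
    "SLA penalties": 0.03,
    "Operational disruption": 0.015,
    "Regulatory fines": 0.10,
    "Customer churn / LTV loss": 0.20,
}


def check_picks(picks):
    """Data-quality gate: each estimate must sit inside its published range."""
    for name, (low, high, _per_hour) in IMPACT_RANGES.items():
        if not low <= picks[name] <= high:
            raise ValueError(f"{name!r}={picks[name]} is outside {low}-{high}%")


def total_impact_pct(picks, hours_down):
    """Total impact as % of annual revenue; per-hour categories scale with downtime."""
    check_picks(picks)
    total = 0.0
    for name, (_low, _high, per_hour) in IMPACT_RANGES.items():
        total += picks[name] * hours_down if per_hour else picks[name]
    return total


def impact_bounds_pct(hours_down):
    """Lowest and highest totals the table allows for a given outage length."""
    low = {n: r[0] for n, r in IMPACT_RANGES.items()}
    high = {n: r[1] for n, r in IMPACT_RANGES.items()}
    return total_impact_pct(low, hours_down), total_impact_pct(high, hours_down)


def impact_usd(picks, hours_down, annual_revenue):
    """Convert the percentage into dollars for a given annual revenue."""
    return annual_revenue * total_impact_pct(picks, hours_down) / 100.0


if __name__ == "__main__":
    pct = total_impact_pct(LOWER_MID_PICKS, 3)
    lo, hi = impact_bounds_pct(3)
    print(f"3-hour outage: {pct:.3f}% of revenue (table range {lo:.2f}%-{hi:.2f}%)")
    print(f"At $1B revenue: ${impact_usd(LOWER_MID_PICKS, 3, 1e9):,.0f}")
```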

Advantages of the ALE Model

The ALE model quantifies the business case, translating DDoS risk into dollar terms that executives and boards understand. In other words, it allows security spend to be understood as an investment, not a sunk cost.

The model supports prioritization, helping security leaders decide whether to invest in DDoS controls now or later by comparing the ROI with other security projects. Moreover, it is both flexible and adaptable, as it can adjust for different transaction volumes, peak periods, or sector-specific risk factors.

By moving the conversation away from “fear and uncertainty” and toward measurable loss reduction, the ALE model focuses on business impact and is easy to communicate. Ratios like “for every $1 spent, we avoid $3.50 in losses” resonate with non-technical decision-makers. The ALE model provides board-ready data by being:

  • Grounded in probability – factors in likelihood × impact rather than static percentages.
  • Business-friendly – familiar in both finance and risk management.
  • Supports prioritization – compares with other security projects objectively.
  • Scenario-ready – models different probabilities, durations, and control effectiveness.
  • Adaptable – works across sectors and scales.

Limitations to Consider

As with any statistical model, there are both pluses and minuses to this approach.

  • Data quality matters – poor assumptions can distort results.
  • Can oversimplify – averages do not capture peak-hour losses or long-tail effects.
  • Reactive bias – based on known threats rather than emerging risks.
  • Compliance blind spots – does not replace mandatory control investments.
  • Static by default – must be updated as threats and operations change.

DDoS ALE ROI Template

Here’s a DDoS-specific ALE ROI template you can use to model the ROI of MazeBolt’s RADAR for decision-makers. The basic concept is that if you plug in probability, downtime cost, and mitigation effectiveness, you should instantly see an approximate ROI.

Inputs

Variable                                | Description                                       | Example
Annual Probability of Major DDoS Attack | Likelihood of ≥1 damaging outage in a year        | 25%
Average Cost per Outage                 | Includes direct loss, SLA penalties, churn, fines | $5,000,000
Cost of RADAR (Annual)                  | Subscription + ops integration                    | $500,000
Effectiveness of RADAR                  | % reduction in outage likelihood                  | 80%

Step 1 – Calculate Annualized Loss Expectancy (ALE) Without RADAR

ALEwithout = Probability × Cost per Outage

Example:

0.25 × 5,000,000 = 1,250,000

Step 2 – Calculate ALE With RADAR

New probability after RADAR:

Adjusted Probability = Probability × (1 − Effectiveness)

Example:

0.25 × (1 − 0.80) = 0.05

ALE with RADAR:

0.05 × 5,000,000 = 250,000

Step 3 – Calculate Risk Reduction

Formula:

Loss Avoided = ALEwithout − ALEwith

Example:

1,250,000 − 250,000 = 1,000,000

Step 4 – Calculate ROI

Formula:

ROI = Loss Avoided ÷ Cost of RADAR

Example:

1,000,000 ÷ 500,000 = 2.0

ROI = 2:1 — for every $1 spent on RADAR, you avoid $2 in DDoS losses.

Optional – Percentage of Revenue View

If annual revenue = $1B:

  • ALE without RADAR = 0.125% of revenue
  • ALE with RADAR = 0.025% of revenue
  • Risk reduction = 0.10% of revenue
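The four template steps as an added Python example (not MazeBolt's code), with the percentage-of-revenue view and, going one step beyond the page, the break-even effectiveness at which loss avoided just equals the control cost. The class and function names and the 0..1 input validation are assumptions.

```python
# Added example, not MazeBolt's code: the template's four steps as functions plus a
# break-even check the page's formula implies but does not spell out. Input names,
# the 0..1 validation and the break-even helper are assumptions for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class AleInputs:
    probability: float      # annual chance of >=1 damaging outage, as a fraction (0.25 = 25%)
    cost_per_outage: float  # USD: direct loss + SLA penalties + churn + fines
    control_cost: float     # USD per year for the control (e.g. RADAR subscription + ops)
    effectiveness: float    # fractional reduction in outage likelihood (0.80 = 80%)

    def __post_init__(self):
        # Catch the usual spreadsheet slip: passing 80 where 0.80 was meant.
        for field in ("probability", "effectiveness"):
            value = getattr(self, field)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{field} must be a fraction in [0, 1], got {value}")
        if self.control_cost <= 0:
            raise ValueError("control_cost must be positive")


def ale_roi(inp):
    """Steps 1-4 of the template; returns every intermediate value for the write-up."""
    ale_without = inp.probability * inp.cost_per_outage                  # Step 1
    adjusted_probability = inp.probability * (1.0 - inp.effectiveness)   # Step 2
    ale_with = adjusted_probability * inp.cost_per_outage
    loss_avoided = ale_without - ale_with                                # Step 3
    return {
        "ale_without": ale_without,
        "adjusted_probability": adjusted_probability,
        "ale_with": ale_with,
        "loss_avoided": loss_avoided,
        "roi": loss_avoided / inp.control_cost,                          # Step 4
    }


def break_even_effectiveness(inp):
    """Effectiveness at which loss avoided equals control cost (ROI = 1:1)."""
    return inp.control_cost / (inp.probability * inp.cost_per_outage)


def pct_of_revenue(amount, annual_revenue):
    """Optional percentage-of-revenue view."""
    return 100.0 * amount / annual_revenue


if __name__ == "__main__":
    template = AleInputs(probability=0.25, cost_per_outage=5_000_000,
                         control_cost=500_000, effectiveness=0.80)
    r = ale_roi(template)
    print(f"Loss avoided: ${r['loss_avoided']:,.0f}  ROI {r['roi']:.1f}:1")
    print(f"Break-even effectiveness: {break_even_effectiveness(template):.0%}")
```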

Quantifying DDoS Risk in Business Terms

The ALE approach’s main advantage is that it ties probability-based risk quantification directly to financial ROI, making it defensible in both technical risk management and board-level investment discussions.

ALE is one of the most practical options for quantifying DDoS risk in business terms. It works best as part of a continuous resilience funding model, with inputs reviewed quarterly or after major incidents. By combining ALE with accurate impact estimates and ongoing risk monitoring, organizations can make stronger, data-backed investment decisions for DDoS defense.

Interested in learning more about the ROI of RADAR by MazeBolt? Speak with an expert!

FAQ

Q1. What is the Annualized Loss Expectancy (ALE) model?
The ALE model calculates expected annual losses from cyber incidents by multiplying the probability of an event by its potential impact. It helps organizations compare potential loss with the cost of controls.

Q2. How does ALE apply to DDoS risk?
ALE translates DDoS risk into financial terms. By factoring in attack probability, business impact, and mitigation effectiveness, enterprises can see how much risk is reduced and whether investments are cost-effective.

Q3. What kinds of business impacts are included in ALE?
Impacts may include direct revenue loss, SLA penalties, operational disruption, regulatory fines, and customer churn. Together, these costs can amount to millions in losses from a single outage.

Q4. What are the advantages of using ALE?
ALE makes security spend understandable as an investment, not a sunk cost. It helps with prioritization, provides board-ready data, and can be adapted across industries and scenarios.

Q5. What are the limitations of ALE?
The model depends on data quality. Poor assumptions can skew results. It may oversimplify real-world impacts, overlook compliance obligations, or fail to capture long-tail risks. Regular updates are needed to keep it relevant.

Skim Summary

  • Why it matters: DDoS attacks cause significant financial and reputational damage. Measuring ROI is critical for making security investments defensible to executives and shareholders.
  • The model: Annualized Loss Expectancy (ALE) quantifies DDoS risk by combining probability, impact, and mitigation effectiveness.
  • Example ROI: Reducing ALE from 1.00% to 0.25% of revenue avoids 0.75% in losses. If controls cost 0.25%, the ROI is roughly 3:1.
  • Business impact components: Direct losses, SLA penalties, operational disruption, regulatory fines, and customer churn.
  • Strengths: ALE is probability-based, business-friendly, adaptable, and helps prioritize security investments.
  • Weaknesses: Can oversimplify, relies heavily on assumptions, and does not replace compliance requirements.
  • Takeaway: ALE provides a practical way to translate DDoS risk into business terms, making ROI on security investments clearer and more defensible.