Security leaders are often asked a deceptively simple question: “How much risk does phishing actually represent to our business?” Answering in terms of click rates or training completion percentages rarely satisfies a CFO or board member. They want a number with a dollar sign in front of it. The good news is that a well-established actuarial framework exists for exactly this purpose, and when you combine it with your phishing simulation data, you can produce a credible, defensible financial risk estimate that leadership will immediately understand and act on.
What Is the Annual Loss Expectancy (ALE) Framework?
Annual Loss Expectancy (ALE) is a standard risk-quantification method borrowed from actuarial science and widely used in information security risk management frameworks including NIST CSF and ISO 27005. The formula is straightforward:
ALE = Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO)
For phishing risk assessment, the Single Loss Expectancy is the estimated cost of a single successful phishing-driven breach, including all direct and indirect costs. The Annual Rate of Occurrence is the probability that such a breach will happen within a given year, informed by your organization's specific threat landscape, employee behavior data, and compensating controls. Together, these two variables produce an annualized dollar figure that represents your organization's expected phishing-related financial loss, a metric that finance teams and board members already understand from other domains of enterprise risk.
How Do You Estimate Single Loss Expectancy for Phishing?
Start with industry benchmarks and then adjust for your organization's specific profile. According to the IBM Cost of a Data Breach Report 2025, the average cost of a data breach reached $4.88 million globally, with phishing as the initial attack vector adding a premium due to longer detection and containment times, averaging 261 days from compromise to containment. For a mid-market company with 500 to 5,000 employees, a phishing-initiated breach typically costs between $1.2 million and $4.5 million when you include incident response, forensic investigation, legal fees, regulatory fines (especially under GDPR, HIPAA, or PCI DSS), customer notification and credit monitoring, business disruption and lost productivity, and long-term reputational damage. Use your own incident history, insurance claim data, or peer benchmarks from your industry vertical to refine this number for your specific context.
How Do You Calculate Annual Rate of Occurrence?
This is where your phishing simulation data becomes invaluable and transforms an abstract risk model into a data-driven business tool. Start with email volume: if your organization sends and receives 1,000 external emails per day and your measured click rate from simulation campaigns is 12 percent, you can model the probability that, over a year, at least one click leads to a credential compromise, lateral movement, and ultimately a material breach. Historical data from incident response firms suggests that roughly 1 in 10 successful phishing clicks leads to a material security incident when no compensating controls are in place. With multi-factor authentication, endpoint detection and response, and email security gateways in place, that ratio drops significantly, perhaps to 1 in 50 or 1 in 100, but it never reaches zero. The critical insight is that your simulation click rate is a direct, measurable proxy for the probability that drives your ARO calculation, which makes it the most important metric in your entire risk model.
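The "at least one click turns into a breach" model sketched above, written out as an added example (this is not code from the original article). It treats each phishing email that reaches an inbox as an independent chance of a material incident, with per-email probability equal to the simulation click rate divided by the clicks-per-incident ratio, so ARO = 1 − (1 − p)^N. The click rates (12 and 4 percent) and the 1-in-10, 1-in-50 and 1-in-100 ratios are the article's; the independence assumption and the figure of 30 phishing emails per year reaching inboxes are assumptions made for the example.

```python
# Added example: estimating Annual Rate of Occurrence (ARO) from a simulation
# click rate and the strength of compensating controls.
# Not code from the original article; the independence model and the
# 30-emails-per-year figure are assumptions, the ratios come from the article.
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlPosture:
    """Average number of successful clicks per material incident."""
    name: str
    clicks_per_incident: int   # 10 = no compensating controls (article's figure)


def estimate_aro(click_rate: float, clicks_per_incident: int,
                 phishing_emails_per_year: int) -> float:
    """Probability that at least one material phishing incident occurs in a year.

    Each phishing email reaching an inbox becomes an incident with probability
    click_rate / clicks_per_incident. Emails are treated as independent trials,
    so ARO = 1 - (1 - p)^N. The independence assumption is the example's own.
    """
    if not 0.0 <= click_rate <= 1.0:
        raise ValueError("click_rate must be a probability between 0 and 1")
    if clicks_per_incident < 1 or phishing_emails_per_year < 0:
        raise ValueError("clicks_per_incident >= 1 and phishing_emails_per_year >= 0")
    p_incident_per_email = click_rate / clicks_per_incident
    return 1.0 - (1.0 - p_incident_per_email) ** phishing_emails_per_year


# The article's three reference ratios: no controls, and two levels of
# MFA + EDR + email gateway effectiveness.
POSTURES = [
    ControlPosture("no compensating controls", 10),
    ControlPosture("MFA + EDR + gateway (1 in 50)", 50),
    ControlPosture("MFA + EDR + gateway (1 in 100)", 100),
]

# Assumed for the example: 30 phishing emails per year get past filtering
# and land in user inboxes. Replace with your own gateway telemetry.
PHISHING_EMAILS_PER_YEAR = 30


def aro_table(click_rate: float) -> dict[str, float]:
    """ARO under each control posture for a given simulation click rate."""
    return {
        p.name: estimate_aro(click_rate, p.clicks_per_incident, PHISHING_EMAILS_PER_YEAR)
        for p in POSTURES
    }


if __name__ == "__main__":
    for rate in (0.12, 0.04):
        print(f"simulation click rate {rate:.0%}")
        for name, aro in aro_table(rate).items():
            print(f"  {name:<32} ARO = {aro:.3f}")
```

Under these assumptions the no-controls case gives an ARO of roughly 0.30 at a 12 percent click rate and roughly 0.11 at 4 percent, which is in line with the 0.3 and 0.1 used in the worked example later in the article; stronger controls lower the ARO substantially but, as the article notes, never to zero while the click rate is above zero.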
How Do You Calculate ALE and Show the Risk Reduction Delta?
With SLE and ARO established, the ALE calculation is straightforward, but the real power of the framework lies in modeling the delta between your current state and your improved state after running a simulation program. Suppose your SLE is $2.5 million and your ARO, accounting for your current 12 percent click rate and compensating controls, is 0.3 (a 30 percent chance of a phishing-initiated breach per year). Your baseline ALE is $750,000. Now model what happens when your simulation program reduces the click rate from 12 percent to 4 percent over 12 months. With the improved click rate, your ARO drops to roughly 0.1, bringing ALE down to $250,000. The delta of $500,000 represents the annual risk reduction directly attributable to your phishing simulation program. This is not a theoretical number; it is a data-backed estimate grounded in your own employee behavior metrics and industry cost benchmarks.
How Do You Calculate Security ROI from Phishing Simulations?
Security ROI compares the annual risk reduction to the total cost of the program, expressed as a percentage:
ROI = (Risk Reduction − Program Cost) / Program Cost × 100
If your phishing simulation platform costs $60,000 per year (including licensing, administration time, and training content) and delivers $500,000 in annualized risk reduction based on the ALE delta, your ROI is 733 percent. This is the kind of number that gets budget approved, expansion funded, and executive sponsorship secured. For context, the SANS Institute has documented security awareness program ROI figures ranging from 200 to 1,000+ percent depending on organization size and initial click rates, confirming that well-run programs consistently deliver outsized returns relative to their cost.
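The ALE delta from the previous section and the ROI formula above, carried through in code as an added example (not code from the original article). It uses the article's figures: SLE of $2.5 million, baseline ARO of 0.3, click rate falling from 12 to 4 percent, and a $60,000 program cost. The linear scaling of ARO with click rate mirrors the article's 0.3 to 0.1 step; the low/high ALE interval reuses the article's $1.2 million to $4.5 million mid-market SLE span with ARO bounds of 0.1 and 0.3, and is shown only to illustrate reporting a range rather than a single point.

```python
# Added example: ALE, risk-reduction delta and security ROI with the article's
# figures, plus a low/high ALE interval. Not code from the original article.
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    sle: float   # Single Loss Expectancy, dollars per breach
    aro: float   # Annual Rate of Occurrence, probability per year

    @property
    def ale(self) -> float:
        """ALE = SLE x ARO."""
        return self.sle * self.aro


def scale_aro(baseline_aro: float, baseline_click_rate: float,
              new_click_rate: float) -> float:
    """Scale ARO in proportion to the simulation click rate.

    This is the step the article takes from 0.3 (12 percent clicks) to 0.1
    (4 percent clicks); it assumes ARO is linear in click rate.
    """
    if baseline_click_rate <= 0:
        raise ValueError("baseline click rate must be positive")
    return baseline_aro * new_click_rate / baseline_click_rate


def risk_reduction(baseline: RiskScenario, improved: RiskScenario) -> float:
    """Annual risk reduction: baseline ALE minus improved ALE."""
    return baseline.ale - improved.ale


def security_roi(reduction: float, program_cost: float) -> float:
    """ROI = (Risk Reduction - Program Cost) / Program Cost x 100."""
    if program_cost <= 0:
        raise ValueError("program cost must be positive")
    return (reduction - program_cost) / program_cost * 100.0


def ale_range(sle_low: float, sle_high: float,
              aro_low: float, aro_high: float) -> tuple[float, float]:
    """Report ALE as an interval so the model shows its spread, not false precision."""
    return (sle_low * aro_low, sle_high * aro_high)


def worked_example() -> dict:
    """The article's numbers: SLE $2.5M, ARO 0.3 -> 0.1, program cost $60k."""
    baseline = RiskScenario(sle=2_500_000, aro=0.3)
    improved = RiskScenario(sle=2_500_000, aro=scale_aro(0.3, 0.12, 0.04))
    delta = risk_reduction(baseline, improved)
    return {
        "baseline_ale": baseline.ale,
        "improved_ale": improved.ale,
        "risk_reduction": delta,
        "roi_percent": security_roi(delta, 60_000),
        # Interval: article's mid-market SLE span, ARO bounds 0.1 and 0.3
        # (constructed for illustration).
        "ale_range": ale_range(1_200_000, 4_500_000, 0.1, 0.3),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:<16} {value}")
```

Keep the SLE, ARO and program-cost inputs in one place (a config file or a small table) and rerun the calculation each quarter with the latest click rate, so the same code produces the rolling risk-reduction view leadership expects.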
How Do You Put the ALE Framework Into Practice?
The key to making this analysis credible and sustainable is grounding it in your own data and refreshing it regularly. Run simulations consistently, ideally monthly, and track click rates, report rates, and credential-submission rates over time. Feed those metrics into the ALE model quarterly to show leadership a rolling view of risk reduction. Document your assumptions, cite your benchmark sources, and present the model with confidence intervals rather than false precision. Over time, you build a defensible, data-backed narrative that connects your security awareness program directly to financial risk reduction. When the board asks what phishing costs the company, you will not only have an answer they can act on, you will have a trend line showing that the answer is getting better every quarter. For a deeper look at how to frame these numbers for executive audiences, see our guide on measuring phishing simulation ROI with metrics that matter to the C-suite.