Risk & ROI

How to Calculate Phishing Risk in Dollar Terms

PhishIQ Team · February 28, 2026 · 5 min read

Security leaders are often asked a deceptively simple question: “How much risk does phishing actually represent to our business?” Answering in terms of click rates or training completion percentages rarely satisfies a CFO or board member. They want a number with a dollar sign in front of it. Here is how to calculate phishing risk in financial terms using a framework your leadership team will immediately understand.

The Annual Loss Expectancy Framework

Annual Loss Expectancy (ALE) is a standard risk-quantification method borrowed from actuarial science. The formula is straightforward:

ALE = Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO)

For phishing risk assessment, the Single Loss Expectancy is the estimated cost of a single successful phishing-driven breach. The Annual Rate of Occurrence is the probability that such a breach will happen within a given year.

Step 1: Estimate Your Single Loss Expectancy

Start with industry benchmarks. The average cost of a data breach in 2025 reached $4.88 million globally, with phishing as the initial vector adding a premium due to longer detection times. For a mid-market company (500 to 5,000 employees), a phishing-initiated breach typically costs between $1.2 million and $4.5 million when you include incident response, legal fees, regulatory fines, customer notification, and business disruption. Use your own incident history or peer benchmarks to refine this number.

Step 2: Calculate Your Annual Rate of Occurrence

This is where your phishing simulation data becomes invaluable. If your organization sends 1,000 emails per day and your measured phishing click rate is 12 percent, you can model the probability that at least one click leads to a credential compromise, lateral movement, and ultimately a breach. Historical data suggests that roughly 1 in 10 successful phishing clicks leads to a material security incident when no additional controls are in place. With MFA and endpoint detection, that ratio drops significantly, but never to zero.

Step 3: Calculate ALE and Show the Delta

Suppose your SLE is $2.5 million and your ARO, accounting for your current click rate and compensating controls, is 0.3 (a 30 percent chance of a phishing breach per year). Your ALE is $750,000. Now model what happens when your simulation program reduces the click rate from 12 percent to 4 percent. With the improved click rate, your ARO drops to roughly 0.1, bringing ALE down to $250,000. The delta of $500,000 is the annual risk reduction directly attributable to your phishing simulation program.

Step 4: Calculate Security ROI

Security ROI compares the annual risk reduction to the cost of the program:

ROI = (Risk Reduction − Program Cost) / Program Cost × 100

If your phishing simulation platform costs $60,000 per year and delivers $500,000 in risk reduction, your ROI is 733 percent. This is the kind of number that gets budget approved.
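The four steps above, carried through in one place as an added example (this is not PhishIQ's code or the page's own calculator). It reproduces the worked figures (SLE $2.5M, ARO 0.3 → 0.1, program cost $60,000) and adds two things a practitioner usually wants before the number reaches a board deck: an ALE range built from the $1.2M to $4.5M SLE bracket instead of a single point, and an explicit, replaceable model for turning click data into an ARO. The linear click-rate-to-ARO scaling is an assumption chosen only so that it reproduces the page's 12% → 0.3 and 4% → 0.1 pairing; the "at least one click becomes an incident" helper uses the page's 1-in-10 ratio with a constructed click count and shows the no-controls upper bound rather than a calibrated ARO.

```python
"""ALE / ROI calculator for a phishing-simulation program (added example).

Steps: SLE -> ARO -> ALE (before/after) -> risk reduction -> ROI.
Assumptions are marked inline; the click-rate-to-ARO mapping is fitted to the
figures in the text, not a published model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    sle: float  # Single Loss Expectancy, dollars per breach
    aro: float  # Annual Rate of Occurrence, probability in [0, 1]

    def ale(self) -> float:
        """ALE = SLE x ARO."""
        return self.sle * self.aro


def aro_from_click_rate(click_rate: float, aro_per_unit_click_rate: float = 2.5) -> float:
    """ASSUMPTION: ARO scales linearly with the measured simulation click rate,
    already net of compensating controls (MFA, EDR). The factor 2.5 is chosen so
    that 0.12 -> 0.30 and 0.04 -> 0.10, matching the text's example; replace it
    with a factor fitted to your own incident history. Capped at 1.0 because an
    ARO is a probability."""
    if not 0.0 <= click_rate <= 1.0:
        raise ValueError("click_rate must be a fraction between 0 and 1")
    return min(1.0, click_rate * aro_per_unit_click_rate)


def prob_at_least_one_incident(successful_clicks: int, p_incident_per_click: float = 0.1) -> float:
    """Upper bound with no additional controls: 1 - (1 - p)^n, using the
    'roughly 1 in 10 clicks becomes a material incident' ratio from the text.
    Useful to show why compensating controls, not click rate alone, drive ARO."""
    if successful_clicks < 0 or not 0.0 <= p_incident_per_click <= 1.0:
        raise ValueError("invalid inputs")
    return 1.0 - (1.0 - p_incident_per_click) ** successful_clicks


def risk_reduction(before: Scenario, after: Scenario) -> float:
    """Annual risk reduction attributable to the program: ALE_before - ALE_after."""
    return before.ale() - after.ale()


def security_roi_percent(risk_reduction_usd: float, program_cost: float) -> float:
    """ROI = (Risk Reduction - Program Cost) / Program Cost x 100."""
    if program_cost <= 0:
        raise ValueError("program_cost must be positive")
    return (risk_reduction_usd - program_cost) / program_cost * 100.0


def ale_range(sle_low: float, sle_high: float, aro: float) -> tuple[float, float]:
    """ALE bracket for a benchmark SLE range; present this alongside the point estimate."""
    return (sle_low * aro, sle_high * aro)


def worked_example() -> dict:
    """Reproduces the figures in the text: SLE $2.5M, click rate 12% -> 4%, cost $60k."""
    sle = 2_500_000.0
    before = Scenario(sle=sle, aro=aro_from_click_rate(0.12))
    after = Scenario(sle=sle, aro=aro_from_click_rate(0.04))
    reduction = risk_reduction(before, after)
    return {
        "aro_before": before.aro,
        "aro_after": after.aro,
        "ale_before": before.ale(),
        "ale_after": after.ale(),
        "risk_reduction": reduction,
        "roi_percent": security_roi_percent(reduction, 60_000.0),
        # Range using the text's mid-market SLE bracket at the current ARO.
        "ale_range_before": ale_range(1_200_000.0, 4_500_000.0, before.aro),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:>18}: {value}")
    # Constructed input: 20 successful clicks per year with no extra controls.
    print("P(>=1 incident | 20 clicks, no controls):",
          round(prob_at_least_one_incident(20), 3))
```

Report the range line to the board together with the point estimate: the ROI stays positive across the whole bracket, which is a more defensible claim than a single 733 percent figure. Recalibrate `aro_per_unit_click_rate` whenever your incident history or control set changes.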

Putting It Into Practice

The key to making this analysis credible is grounding it in your own data. Run simulations consistently, track click rates over time, and feed those metrics into the ALE model quarterly. Over time, you build a defensible, data-backed narrative that connects your security awareness program directly to financial risk reduction. When the board asks what phishing costs the company, you will have an answer they can act on.
