The Financial Exposure page translates your security risk score into monetary terms. It shows your estimated Annualized Loss Expectancy (ALE) — the financial amount your organization could expect to lose in an average year due to a cyber incident — based on your industry, revenue, and current posture score.

The three ALE estimates

SecurAtlas presents three exposure scenarios side by side:
| Estimate | Scenario | Color |
|----------|----------|-------|
| Low | 40th percentile (a favorable year) | Gray |
| Expected | Base case (the most probable outcome) | Amber |
| High | 250th percentile (a severe incident year) | Orange |
The expected estimate is the figure shown on your dashboard KPI card. The range bar below the three values shows where your expected ALE falls between the low and high extremes.
All figures are statistical estimates rounded to the nearest $10K. They are intended for risk awareness and do not constitute financial or legal advice. Actual exposure depends on incident severity, response costs, regulatory penalties, and insurance coverage.

How the model works

SecurAtlas calculates EAL using this formula:
EAL = P × min(avg_breach_cost, annual_revenue × 30%)
Where:
  • P is the breach probability derived from your risk score: P = 0.80 − (risk_score ÷ 100 × 0.75)
  • avg_breach_cost is the industry benchmark from IBM’s Cost of a Data Breach report
  • annual_revenue × 30% caps the exposure at a realistic maximum for your organization’s size — the formula uses whichever value is lower
A higher risk score means a lower breach probability, which directly reduces your EAL. Implementing controls and uploading validated evidence are the two most effective ways to improve your score and lower your financial exposure.
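The formula above as a small Python calculator, added here as an illustration and not SecurAtlas's own code. The function names, the 0-100 score range check, and the dollar figures are assumptions (the breach cost is a constructed sample, not an IBM benchmark); the example shows when the revenue cap applies and how much EAL drops when the score improves.

```python
P_AT_ZERO = 0.80     # breach probability at risk score 0 (from the page's formula)
P_SPAN = 0.75        # probability removed at risk score 100 (from the page's formula)
REVENUE_CAP = 0.30   # exposure capped at 30% of annual revenue (from the page)


def breach_probability(risk_score: float) -> float:
    """P = 0.80 - (risk_score / 100 * 0.75). Assumes the score is on a 0-100 scale."""
    if not 0 <= risk_score <= 100:
        raise ValueError("risk_score must be between 0 and 100")
    return P_AT_ZERO - (risk_score / 100 * P_SPAN)


def exposure_basis(avg_breach_cost: float, annual_revenue: float) -> float:
    """The lower of the industry benchmark and 30% of annual revenue."""
    if avg_breach_cost < 0 or annual_revenue < 0:
        raise ValueError("monetary inputs must be non-negative")
    return min(avg_breach_cost, annual_revenue * REVENUE_CAP)


def eal(risk_score: float, avg_breach_cost: float, annual_revenue: float) -> float:
    """EAL = P x min(avg_breach_cost, annual_revenue x 30%)."""
    return breach_probability(risk_score) * exposure_basis(avg_breach_cost, annual_revenue)


def eal_reduction(score_before: float, score_after: float,
                  avg_breach_cost: float, annual_revenue: float) -> float:
    """Dollar change in EAL when the risk score moves from one value to another."""
    return (eal(score_before, avg_breach_cost, annual_revenue)
            - eal(score_after, avg_breach_cost, annual_revenue))


def round_10k(amount: float) -> int:
    """Round to the nearest $10K, as the page says displayed figures are."""
    return int(round(amount / 10_000)) * 10_000


if __name__ == "__main__":
    SAMPLE_COST = 4_000_000  # constructed sample value, not a published benchmark
    for revenue in (10_000_000, 100_000_000):  # constructed sample revenues
        capped = exposure_basis(SAMPLE_COST, revenue) < SAMPLE_COST
        print(f"revenue ${revenue:,}: revenue cap applies = {capped}, "
              f"EAL at score 60 = ${round_10k(eal(60, SAMPLE_COST, revenue)):,}")
    saved = eal_reduction(60, 80, SAMPLE_COST, 10_000_000)
    print(f"raising the score from 60 to 80 lowers EAL by ${round_10k(saved):,}")
```

Because P is linear in the score, each point of risk score changes EAL by 0.75% of the exposure basis, whichever of the two values that basis turns out to be.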

Setting your financial inputs

The model needs accurate inputs to produce a meaningful estimate. Set these in Settings → Financial & Risk Inputs.
  1. Open Settings. Navigate to Settings from the sidebar and select Financial & Risk Inputs.
  2. Enter your annual revenue. Provide your organization’s annual revenue. This sets the 30% revenue cap used in the EAL formula. Without a revenue figure, the model falls back to your revenue range from your organization profile.
  3. Select your industry. Choose your industry sector. SecurAtlas uses industry-specific breach cost benchmarks from IBM and Verizon DBIR data. Industries such as healthcare and financial services have higher average breach costs than general business.
  4. Add additional inputs. Optionally provide employee count, endpoint count, estimated records held, and recovery time (RTO/RPO in hours). These inputs improve confidence in the model; the confidence level (Low, Medium, or High) is shown alongside your EAL figure.
  5. Save. Save your inputs. The model does not automatically recalculate; see the next section for how to trigger a recalculation.

Running the risk pipeline

After updating your financial inputs — or at any time when you want a fresh calculation — click Recalculate on the Financial Exposure page. This runs the risk pipeline, which:
  1. Recalculates your risk score based on current control status and evidence
  2. Derives your updated breach probability from the new score
  3. Applies your financial inputs to produce new Low, Expected, and High EAL estimates
The confidence level of the resulting estimate is shown alongside the EAL figure. High confidence means your inputs are complete; Low confidence means some inputs are missing and the estimate is less precise.

What reduces your exposure

The lower half of the Financial Exposure page shows the controls that have the highest potential to reduce your EAL if implemented. Each entry includes:
  • The control key and title
  • Current status (not started or in progress)
  • A risk impact percentage — how much this control could reduce your overall breach probability
  • An estimated EAL reduction in dollars
Use this list to prioritize which controls to tackle next. Addressing the top entry first delivers the greatest financial risk reduction per unit of effort.
Share the Financial Exposure page with executive stakeholders or board members who need to understand cybersecurity risk in dollar terms. The model is grounded in published industry benchmarks (IBM Cost of a Data Breach 2024 and Verizon DBIR) and is explained in plain language on the page.