For CISO · Board · Audit Committee

Security Breach Exposure.

Six inputs estimate the financial blast radius of a major breach (Expected Annual Loss). Best-case / Realistic / Worst-case mode toggle for scenario planning. Sector multipliers for healthcare, financial, public, defense. Share via URL or print as a single-page board memo.

Expected Annual Loss

Single-event cost composition

Notification, legal/PR, and downtime — if it happens, this is the bill.

Probability-weighted view

EAL = worst-case event × annual probability.

Sensitivity tornado

Each row shows how the result changes if you perturb that input. Bigger bar = more sensitive.


The math, openly

Notification = records × regulated% × perRecordCost × sectorMult × modeMult

Legal/PR = legalK × 1000 × sectorMult × modeMult

Downtime = perDayK × 1000 × recoveryDays × modeMult

Worst-case event = notification + legal/PR + downtime

Expected Annual Loss (EAL) = worstCase × annualProb × modeMult

Sector multipliers applied to notification + legal/PR: Healthcare 1.4× · FinServ 1.3× · Defense 1.5× · Public 1.25× · Low-reg B2B 0.85×.

Realistic mode (default): modeMult = 1.0. Industry-baseline numbers as entered. Use this for board reporting.

Best-case mode: modeMult = 0.7. Fast detection, tight comms, no class action, regulator non-action. Use as the floor of the plausible range, not the planning baseline.

Worst-case mode: modeMult = 1.4. Coordinated campaign, slow detection, regulator escalation, class action consolidation. Use for catastrophic-scenario planning and reserve setting.
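As an added worked example (not the calculator's own code), the formulas above implemented in Python exactly as written, including modeMult applied inside each cost component and again on the EAL line, plus the sensitivity-tornado idea as a ±20% perturbation of each input. The sample inputs, the perturbation size and the input names are constructed for illustration.

```python
# Sector multipliers apply to notification and legal/PR only; mode multipliers
# apply to every component and again to the final EAL, as the page's formulas state.
SECTOR_MULT = {"healthcare": 1.4, "finserv": 1.3, "defense": 1.5,
               "public": 1.25, "low_reg_b2b": 0.85}
MODE_MULT = {"best": 0.7, "realistic": 1.0, "worst": 1.4}

# Constructed input names (the page calls them records, regulated%, perRecordCost, ...).
NUMERIC_INPUTS = ["records", "regulated_pct", "per_record_cost", "legal_k",
                  "per_day_k", "recovery_days", "annual_prob"]


def breach_exposure(records, regulated_pct, per_record_cost, legal_k,
                    per_day_k, recovery_days, annual_prob,
                    sector="healthcare", mode="realistic"):
    """Single-event cost composition and EAL, following the page's formulas literally."""
    s = SECTOR_MULT[sector]
    m = MODE_MULT[mode]
    notification = records * (regulated_pct / 100) * per_record_cost * s * m
    legal_pr = legal_k * 1000 * s * m            # legalK is entered in thousands
    downtime = per_day_k * 1000 * recovery_days * m
    worst_case = notification + legal_pr + downtime
    eal = worst_case * annual_prob * m           # modeMult applied a second time here
    return {"notification": notification, "legal_pr": legal_pr,
            "downtime": downtime, "worst_case": worst_case, "eal": eal}


def tornado(inputs, delta=0.2):
    """Sensitivity rows: (input, EAL change at -delta, EAL change at +delta), largest swing first."""
    base = breach_exposure(**inputs)["eal"]
    rows = []
    for name in NUMERIC_INPUTS:
        lo_in = dict(inputs, **{name: inputs[name] * (1 - delta)})
        hi_in = dict(inputs, **{name: inputs[name] * (1 + delta)})
        lo = breach_exposure(**lo_in)["eal"] - base
        hi = breach_exposure(**hi_in)["eal"] - base
        rows.append((name, lo, hi))
    rows.sort(key=lambda r: -max(abs(r[1]), abs(r[2])))
    return rows


# Constructed sample scenario: 60k records, 60% regulated, $150/record,
# $500k legal/PR, $50k/day downtime for 21 days, 8% annual probability.
SAMPLE = dict(records=60_000, regulated_pct=60, per_record_cost=150, legal_k=500,
              per_day_k=50, recovery_days=21, annual_prob=0.08)

if __name__ == "__main__":
    for mode in MODE_MULT:
        print(mode, breach_exposure(**SAMPLE, mode=mode))
    for name, lo, hi in tornado(SAMPLE):
        print(f"{name:16s} {lo:+12.0f} {hi:+12.0f}")
```

In the sample scenario the tornado ranks annual_prob first because it scales every component, while each notification input moves only the notification share of the bill.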

Numbers are board-readable; they're not actuarially precise. Use the EAL as a planning anchor for security capex, not as an insurance-grade figure.