The asset value is $1,500. Some hacker is likely to attack once per month. The likelihood of a successful attack is 25%. The Single Loss Expectancy (SLE) is 100% of the $1,500 asset value. The cost of an adequate security implementation is $2,000 / year. Which of the following options should be selected, and why?

Implement security actions, because ALE = $6,000 per year and security payment = $2,000 per year.

Implement security actions, because ALE = $4,500 per year and security payment = $2,000 per year.

Do not Implement security actions, because ALE = $1,500 per year and security payment = $2,000 per year.

Do not Implement security actions, because ALE = $6,000 per year and security payment = $8,000 per year.

Explanation

ARO (Annual rate occurrence) = 12 (months) * 0.25 (likelihood) = 3 times per year. SLE (Single loss expectancy) = $1,500. ALE (annual loss expectancy) = SLE * ARO = $4,500. Payment per year = $2,000, as explained in text. SUGGESTION** - Successful attack has no bearing on the loss. It should be said that the asset will suffer a complete loss in the event of a successful attack of which the likelihood is 25%.

Simple formula is here.. ALE = AV * EF * ARO. AV is 1500. EF is a likelihood (25%). and ARO is 12 (once a month or 12 times a year). This implies ALE = 1500 * (25/100) * 12 = $4500.
This means when an attack happens the loss is $4500. It is better to implement a control with $2000 than lose $4500.

EDIT: Modified answers to match $ sign notations. Not sure where 1000$ is used.