1.      If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional controls? Which should be evaluated last?

- Switch L47 connects a network to the Internet. It has two vulnerabilities: it is susceptible to hardware failure at a likelihood of 0.2, and it is subject to an SNMP buffer overflow attack at a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. You are 75 percent certain of the assumptions and data.

- Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has a Web server version that can be attacked by sending it invalid Unicode values. The likelihood of that attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. You are 80 percent certain of the assumptions and data.

- Operators use an MGMT45 control console to monitor operations in the server room. It has no password and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset; it has an impact rating of 5. You are 90 percent certain of the assumptions and data.

The second asset should be evaluated first. This asset has an impact value of 100 with 80 percent certainty. This asset should be assessed first and changed if needed. The third asset should be evaluated last. There is a misuse likelihood of only 0.1 and an impact of 5. This doesn’t have a high risk and should be last on the list.
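A worked calculation of a per-vulnerability risk rating for the three assets, added here as an example and not part of the original answer. It assumes the textbook risk-rating worksheet formula, which the page itself does not state: likelihood times impact, reduced by the share the existing control mitigates, then increased by the uncertainty share (100 percent minus the stated certainty).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    name: str
    likelihood: float    # estimated likelihood the vulnerability is exploited or occurs
    impact: float        # impact (asset value) rating
    control_pct: float   # fraction of the risk mitigated by the current control (0..1)
    certainty: float     # confidence in the assumptions and data (0..1)


def risk_rating(v: Vulnerability) -> float:
    """Assumed worksheet formula: (likelihood x impact), minus the part the
    control mitigates, plus the uncertainty share of what remains."""
    base = v.likelihood * v.impact
    residual = base * (1.0 - v.control_pct)
    uncertainty = 1.0 - v.certainty
    return round(residual * (1.0 + uncertainty), 4)


# Inputs taken from the three assets described in the question.
VULNERABILITIES = [
    Vulnerability("Switch L47", "hardware failure", 0.2, 90, 0.0, 0.75),
    Vulnerability("Switch L47", "SNMP buffer overflow", 0.1, 90, 0.0, 0.75),
    Vulnerability("Server WebSrv6", "invalid Unicode attack", 0.1, 100, 0.75, 0.80),
    Vulnerability("MGMT45 console", "unlogged operator misuse", 0.1, 5, 0.0, 0.90),
]


def ranked(vulns=VULNERABILITIES):
    """Return (asset, vulnerability, rating) tuples, highest rating first,
    i.e. the order in which additional controls would be evaluated."""
    rows = [(v.asset, v.name, risk_rating(v)) for v in vulns]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for asset, name, rating in ranked():
        print(f"{rating:6.2f}  {asset}: {name}")
```

The uncertainty term is what keeps a low-confidence estimate from being ranked too optimistically: two vulnerabilities with the same residual risk are not equal if one rests on data you are only 75 percent sure of.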
2.      Using the data classification scheme in this chapter, identify and classify the information in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information would be confidential, sensitive but unclassified, or for public release?

I have personal passwords and information that would not be good if they were misused. This would be the most sensitive information. I also have family photos and more general things that would be classified as less sensitive if they were stolen.

Discussion Questions

1.      Did Charlie effectively organize the work before the meeting? Why or why not? Make a list of important issues you think should be covered by the work plan. For each issue, provide a short explanation.

Charlie effectively organized the work before the meeting took place. He assessed the project and prepared a plan that fit the needs of the company. He also put together a team and had all of this ready before the meeting.

Important issues that should be covered by the work plan:

- Putting together project teams: This will guarantee the work gets done by working in teams and doing the tasks together.

- Giving those teams tasks to complete: This is important to give the right tasks to the right teams.

- Having a schedule of completion: This is important to show how long it will take and how much it will cost the company.

2.      Will the company get useful information from the team it has assembled? Why or why not?

The company has put together the teams with people from all departments of the company. By having a diverse group, they are more likely to see every vulnerability and have an eye on every part of the company. These teams will then be able to identify the risks and then work to mitigate the risks.

3.      Why might some attendees resist the goals of the meeting? Does it seem that each person invited was briefed on the importance of the event and the issues behind it?

They might resist the goals of the meeting because they don’t feel the plan is relevant to their department. Each person has heard about the importance of the event and they have already made their decision on whether it matters to them.

Ethical Decision Making

Suppose Amy Windahl left the kickoff meeting with a list of over 200 assets that needed to be evaluated. When she looked at the amount of effort needed to finish assessing the asset values and their risk evaluations, she decided to “fudge” the numbers so that she could attend a concert and then spend the weekend with her friends. In the hour just before the meeting in which the data was due, she made up some values without much consideration beyond filling in the blanks. Is Amy’s approach to her assignment ethical?

What she did is not ethical. She filled the sheet out with the wrong numbers on purpose for her personal benefit. She doesn’t respect the company or the people that work in it. She changed the data and messed it up for the company.

Is Amy now ethically justified in falsifying her data? Has Charlie acted ethically by establishing an expected payback for this arrangement?

She wouldn’t be ethically justified, but it wouldn’t be totally her fault for changing the numbers. Charlie has acted unethically and is trying to be bribed for letting people get off easy. This isn’t how a leader should act.