Bailey Johnson

ITS 370

CH 5


1.      If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional controls? Which should be evaluated last?

The vulnerability "hardware failure" of the switch L47 needs to be evaluated first. The vulnerability "misuse by the operators" of the MGMT45 control console needs to be evaluated last.

2.      Using the data classification scheme in this chapter, identify and classify the information in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information would be confidential, sensitive but unclassified, or for public release?

So there are three classifications, but I guess the one that would be “confidential sensitive but unclassified for public release” would be External, which is all information that has been approved by management for public release.

3.      Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the following table, calculate the ARO and ALE for each threat category the company faces for this project.

Threat category                      ARO     ALE
Programmer mistakes                  52      $260,000
Loss of intellectual property        1       $75,000
Software piracy                      52      $26,000
Theft of information (hacker)        4       $10,000
Theft of information (employee)      2       $10,000
Web defacement                       12      $6,000
Theft of equipment                   1       $5,000
Viruses, worms, Trojan horses        52      $78,000
Denial-of-service attacks            4       $10,000
Earthquake                           0.05    $12,500
Flood                                0.1     $25,000
Fire                                 0.1     $50,000


4.      How might XYZ Software Company arrive at the values in the table shown in Exercise 3? For each entry, describe the process of determining the cost per incident and the frequency of occurrence.


Cost per incident is the loss that takes place from a single attack. It is calculated from the total value of the asset and the percentage of that value lost in one attack. There are no specific sources that give the frequency of an attack, but there are threat/vulnerability assessments that the owners of a facility can obtain for their facilities. In the case of information/data, the organization can gauge these factors by relying on its internal information, so the figures are usually estimates. SLE (cost per incident) is calculated as SLE = asset value × exposure factor (EF), where EF is the percentage loss that is expected to occur in one incident. Frequency of occurrence is simply how often you expect an attack to take place, and annualizing it gives the ARO. XYZ Software Company could use any method to arrive at each of these entries: it could prefer a scale rather than dollar estimates, it could use benchmarking against comparable organizations, or it could draw on other best practices. All of these methods combined could provide the values for the costs and frequencies of the entries listed.

5.   Assume a year has passed and XYZ has improved security by applying a number of controls. Using the information from Exercise 3 and the following table, calculate the post-control ARO, ALE, and CBA for each threat category listed. Why have some values changed in the columns Cost per Incident and Frequency of Occurrence? How could a control affect one, but not the other? Assume that the values in the Cost of Control column are unique costs directly associated with protecting against the threat. In other words, don’t consider overlapping cost between controls. Calculate the CBA for the planned risk control approach in each threat category. For each threat category, determine whether the proposed control is worth the costs.

Some of the values have changed because controls were implemented and had a positive impact on the protection of the organization's assets, thus reducing the frequency of occurrence. However, the controls did not reduce the cost per incident, because the value of an asset remains the same and it still costs the organization the same amount of time and money to replace. The controls put into place are worth the costs listed.
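The formulas used in Exercises 3, 4 and 5 (ARO from a frequency of occurrence, SLE = asset value × EF, ALE = SLE × ARO, and CBA = ALE(prior) − ALE(post) − ACS) carried through in code. This is an added worked example, not part of the original homework or the textbook. The cost-per-incident figures are derived from the page's own table (ALE divided by ARO); the plain-English frequency strings are assumed wordings chosen to reproduce the page's ARO values, and the post-control scenarios at the end are constructed to illustrate a control that changes frequency but not cost per incident, and one that does the opposite, since the page does not include the Exercise 5 table.

```python
# Added worked example (not part of the original homework answers): the
# Chapter 5 risk formulas applied to the Exercise 3 table, plus a cost-benefit
# analysis (CBA) step of the kind Exercise 5 asks for.

from dataclasses import dataclass

# Occurrences of each period per year, used to annualize a frequency.
_PERIODS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}


def aro_from_frequency(freq: str) -> float:
    """Annualized rate of occurrence from a plain-English frequency.

    Accepts "<count> per <period>" (e.g. "1 per week") and
    "<count> per <n> <period>s" (e.g. "1 per 20 years", "1 per 6 months").
    """
    words = freq.lower().split()
    if len(words) == 3 and words[1] == "per":
        count, n, unit = float(words[0]), 1.0, words[2]
    elif len(words) == 4 and words[1] == "per":
        count, n, unit = float(words[0]), float(words[2]), words[3]
    else:
        raise ValueError(f"unrecognised frequency: {freq!r}")
    return count * _PERIODS_PER_YEAR[unit.rstrip("s")] / n


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE (cost per incident) = asset value x exposure factor (EF as a fraction)."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(cost_per_incident: float, aro: float) -> float:
    """ALE = SLE x ARO, rounded to cents."""
    return round(cost_per_incident * aro, 2)


def cost_benefit(ale_prior: float, ale_post: float, annual_cost_of_safeguard: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; a positive result means the control pays for itself."""
    return round(ale_prior - ale_post - annual_cost_of_safeguard, 2)


@dataclass
class Threat:
    name: str
    cost_per_incident: float  # SLE in dollars
    frequency: str            # plain-English frequency of occurrence


# Exercise 3 inputs. Cost per incident is the page's ALE divided by its ARO;
# the frequency strings are assumed wordings that reproduce the page's ARO
# values (the page itself lists only ARO and ALE).
EXERCISE_3 = [
    Threat("Programmer mistakes", 5_000, "1 per week"),
    Threat("Loss of intellectual property", 75_000, "1 per year"),
    Threat("Software piracy", 500, "1 per week"),
    Threat("Theft of information (hacker)", 2_500, "1 per quarter"),
    Threat("Theft of information (employee)", 5_000, "1 per 6 months"),
    Threat("Web defacement", 500, "1 per month"),
    Threat("Theft of equipment", 5_000, "1 per year"),
    Threat("Viruses, worms, Trojan horses", 1_500, "1 per week"),
    Threat("Denial-of-service attacks", 2_500, "1 per quarter"),
    Threat("Earthquake", 250_000, "1 per 20 years"),
    Threat("Flood", 250_000, "1 per 10 years"),
    Threat("Fire", 500_000, "1 per 10 years"),
]


def exercise_3_table(threats=EXERCISE_3) -> dict:
    """Map each threat name to its (ARO, ALE) pair."""
    table = {}
    for t in threats:
        aro = aro_from_frequency(t.frequency)
        table[t.name] = (aro, annualized_loss_expectancy(t.cost_per_incident, aro))
    return table


def exercise_5_cba(prior: Threat, post: Threat, annual_control_cost: float) -> float:
    """CBA for one threat category, given its pre-control and post-control rows."""
    ale_prior = annualized_loss_expectancy(prior.cost_per_incident, aro_from_frequency(prior.frequency))
    ale_post = annualized_loss_expectancy(post.cost_per_incident, aro_from_frequency(post.frequency))
    return cost_benefit(ale_prior, ale_post, annual_control_cost)


if __name__ == "__main__":
    for name, (aro, ale) in exercise_3_table().items():
        print(f"{name:35s} ARO={aro:<6g} ALE=${ale:>10,.2f}")

    # Constructed post-control scenarios (not the page's Exercise 5 table):
    # a code-review control cuts how often programmer mistakes occur but not
    # what one mistake costs; an off-site backup cuts what one fire costs but
    # cannot change how often fires occur.
    prior = {t.name: t for t in EXERCISE_3}
    review = exercise_5_cba(prior["Programmer mistakes"],
                            Threat("Programmer mistakes", 5_000, "1 per month"), 20_000)
    backup = exercise_5_cba(prior["Fire"],
                            Threat("Fire", 100_000, "1 per 10 years"), 30_000)
    print(f"Code review CBA: ${review:,.2f}")   # 260000 - 60000 - 20000
    print(f"Backup CBA:      ${backup:,.2f}")   # 50000 - 10000 - 30000
```

Running the script reproduces the ARO and ALE columns of the Exercise 3 table and then prints a CBA for the two constructed controls; a positive CBA is the "worth the cost" test Exercise 5 asks for, and the two scenarios show why a control can move Frequency of Occurrence without touching Cost per Incident, or the reverse.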