1. If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional controls? Which should be evaluated last?
2. Using the data classification scheme in this chapter, identify and classify the information in your personal computer or personal digital assistant. Based on this potential for misuse or embarrassment, what information would be confidential, sensitive but unclassified, or for public release?
3. Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the following table, calculate the ARO and ALE for each threat category the company faces for this project.
4. How might XYZ Software Company arrive at the values in the table show in in Exercise 3? For each entry, describe the process of determining the cost per incident and frequency of occurrence.
5. Assume that a year has passed and XYZ has improved security by applying several controls. Using the information from Exercise 3 and the following table, calculate the post-control ARO and ALE for each threat category listed.