Josh Hogan

Chapter 5- Risk Management

Exercises

2)      Using the data classification scheme in this chapter, identify and classify the information in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information would be confidential, sensitive but unclassified, or for public release?

- According to the data classification scheme in the chapter, information is split into three categories based on sensitivity: confidential, sensitive but unclassified, and for public release. The category indicates the level of security and protection the information should have. Confidential is the most sensitive. Information on my computer that I would place here would be photographs, anything that has my banking or billing information on it, and any of my Marine Corps documents, because most of them have my Social Security number on them, along with my birth certificate. Under sensitive but unclassified I would put any homework assignments I may be working on, certain deployment articles I have saved, and possibly any legal documents I might have. As for public release, I would say that any movies, music, and books I have could go in the public release category because they are already publicly available.

 

3)      Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the following table, calculate the ARO and ALE for each threat category the company faces for this project.

-          The chapter (page 304) defines these terms. ALE stands for annualized loss expectancy and ARO stands for annualized rate of occurrence. ARO is the number of times per year the threat is expected to occur: an event that happens monthly has an ARO of 12, and one expected once every 20 years has an ARO of 1/20 = 0.05. ALE = SLE x ARO, where SLE is the single loss expectancy, the cost of one occurrence. The table gives the SLE for each threat category, so the ARO is derived from the frequency of occurrence column and then multiplied by the SLE. The completed table looks as follows:

Threat Category                   SLE        Frequency of Occurrence   ARO    ALE
Programmer mistakes               $5,000     1 per week                52     $260,000
Loss of intellectual property     $75,000    1 per year                1      $75,000
Software piracy                   $500       1 per week                52     $26,000
Theft of information (hacker)     $2,500     1 per quarter             4      $10,000
Theft of information (employee)   $5,000     1 per 6 months            2      $10,000
Web defacement                    $500       1 per month               12     $6,000
Theft of equipment                $5,000     1 per year                1      $5,000
Viruses, worms, Trojan horses     $1,500     1 per week                52     $78,000
Denial-of-service attacks         $2,500     1 per quarter             4      $10,000
Earthquake                        $250,000   1 per 20 years            0.05   $12,500
Flood                             $250,000   1 per 10 years            0.1    $25,000
Fire                              $500,000   1 per 10 years            0.1    $50,000
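The same calculation carried out in code, as an added example that is not part of the textbook exercise or the answer above. It parses the frequency of occurrence column into an ARO, applies ALE = SLE x ARO to every row of the table, ranks the threat categories by ALE and totals them; the "N per [M] unit" frequency format and the function names are assumptions of this example.

```python
"""Worked ARO/ALE calculation for the XYZ Software threat table.

Added example, not part of the textbook exercise or the answer above.
It turns the "Frequency of Occurrence" column into an ARO, applies
ALE = SLE x ARO to every row, and ranks the threat categories by ALE.
"""
import re

# Periods per year for each unit that appears in the frequency column.
PERIODS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}

# Accepts "1 per week", "1 per 6 months", "1 per 20 years" (assumed format).
_FREQ_RE = re.compile(
    r"^\s*(\d+)\s+per\s+(?:(\d+)\s+)?(week|month|quarter|year)s?\s*$",
    re.IGNORECASE,
)

# Threat categories as given in the exercise table (SLE in dollars).
THREATS = [
    ("Programmer mistakes", 5_000, "1 per week"),
    ("Loss of intellectual property", 75_000, "1 per year"),
    ("Software piracy", 500, "1 per week"),
    ("Theft of information (hacker)", 2_500, "1 per quarter"),
    ("Theft of information (employee)", 5_000, "1 per 6 months"),
    ("Web defacement", 500, "1 per month"),
    ("Theft of equipment", 5_000, "1 per year"),
    ("Viruses, worms, Trojan horses", 1_500, "1 per week"),
    ("Denial-of-service attacks", 2_500, "1 per quarter"),
    ("Earthquake", 250_000, "1 per 20 years"),
    ("Flood", 250_000, "1 per 10 years"),
    ("Fire", 500_000, "1 per 10 years"),
]


def parse_frequency(text):
    """Split a frequency string into (occurrences, span, unit)."""
    m = _FREQ_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised frequency: {text!r}")
    count, span, unit = m.groups()
    return int(count), (int(span) if span else 1), unit.lower()


def aro_from_frequency(text):
    """ARO = occurrences per year: '1 per 6 months' -> 12/6 = 2, '1 per 20 years' -> 1/20 = 0.05."""
    count, span, unit = parse_frequency(text)
    return count * PERIODS_PER_YEAR[unit] / span


def ale_for_row(sle, frequency):
    """ALE = SLE x ARO. Multiply as integers and divide once so the table values come out exact."""
    count, span, unit = parse_frequency(frequency)
    return sle * count * PERIODS_PER_YEAR[unit] / span


def ale_table(threats=THREATS):
    """Rows of (name, sle, frequency, aro, ale) for the whole table."""
    return [
        (name, sle, freq, aro_from_frequency(freq), ale_for_row(sle, freq))
        for name, sle, freq in threats
    ]


def ranked_by_ale(threats=THREATS):
    """Highest ALE first: the order in which controls should be prioritised."""
    return sorted(ale_table(threats), key=lambda row: row[4], reverse=True)


def total_ale(threats=THREATS):
    """Sum of all ALEs, i.e. the expected annual loss across every category."""
    return sum(row[4] for row in ale_table(threats))


if __name__ == "__main__":
    for name, sle, freq, aro, ale in ranked_by_ale():
        print(f"{name:33} SLE ${sle:>8,}  {freq:15} ARO {aro:>6.2f}  ALE ${ale:>10,.0f}")
    print(f"Total ALE: ${total_ale():,.0f}")
```

Ranking by ALE rather than by SLE is the point of the exercise: the weekly $5,000 programmer mistakes dominate the expected annual loss, while the $500,000 fire contributes a fifth as much because it is only expected once a decade. The total across all categories comes to $567,500 per year against the $1.2 million projected revenue.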

 

Case Exercises

Discussion Questions

1)      Did Charlie effectively organize the work before the meeting? Why or why not? Make a list of important issues you think should be covered by the work plan. For each issue, provide a short explanation.

-          I would say that Charlie effectively organized the meeting he led. He sent out a plan via email before the meeting so that everyone had the agenda, which also included a project plan. He also identified team members and gave the teams tasks that needed to be done. For the work plan to be successful, a few things need to be identified: the teams themselves, the tasks each team needs to get done, and the timeframe they need to get them done in, so some kind of schedule. For teams, you need to know the total number of teams required to accomplish the tasks, who will lead each team as team manager, and which members will be on each team. You also need to divide the tasks up among the teams and describe each task so that it is understood by every team member, and ensure they know their roles and what they are responsible for. For the schedule, you need to make sure every member understands the timeframe in which each task needs to be completed. They should have a guideline, know how long each task will take, and know what goals they need to achieve.

2)      Will the company get useful information from the team it has assembled? Why or why not?

-          I think that the company will get a lot of useful information from the team it has assembled. It is a very diverse team, from all different departments, that can bring a lot of different knowledge and expertise to the meeting agenda to accomplish the tasks. I think there are a lot of people from all departments who can add insight to the plan that can help mitigate risks while also maximizing profit and revenue. Once all of the smartest people have assessed the risks they will be facing, they can work to eliminate all possible risks using different angles and knowledge from across all sorts of business standpoints.

3)      Why might some attendees resist the goals of the meeting? Does it seem that each person invited was briefed on the importance of the event and the issues behind it?

-          Some of the attendees might resist the goals of the meeting because they might think that they have already taken the necessary steps to make sure this happens. So, some might think it is redundant and not put forth all of their effort. It does seem that each person was properly briefed on the importance of each issue. There are a few key issues that need to be covered: profitability, assessing the threats that may occur, and many of the things covered in the chapter, such as SLE (cost per incident), ARO (annualized rate of occurrence), and ALE (annual loss expectancy). Also, the loss the organization will experience while recovering from the threats that have been analyzed.

Ethical Decision Making

Suppose Amy Windahl left the kickoff meeting with a list of over 200 assets that needed to be evaluated. When she looked at the amount of effort needed to finish assessing the asset values and their risk evaluations, she decided to "fudge" the numbers so that she could attend a concert… Is Amy's approach to her assignment ethical?

-          No, I would say that Amy's approach to her assignment is not ethical. Work comes before play, so if you don't get your work done, you have to finish it before going out and doing other things. Not to mention that these numbers are highly important when it comes to making certain decisions and analyzing data that the company deems important. So, if the numbers are wrong, and the company makes adjustments based on these made-up numbers and the outcome is affected because of the falsified data, then it is no longer a harmless thing. Her doing this could impact the company greatly in many ways she hadn't foreseen when she thought she was doing a harmless act that nobody would notice or care about. No, this is not acting in an ethical way.

Is Amy now ethically justified in falsifying her data? Has Charlie acted ethically by establishing an expected payback for this arrangement?

-          I still think that Amy would be ethically in the wrong, because she still knows that this data is false. Just because a superior told her it was okay doesn't make it right. Although she now has a bailout if it comes back to bite her later, because she can say Charlie told her to do it, at that point it would be her word against his. I still think that if she did it knowing it was wrong, it is ethically unacceptable. Charlie has acted unethically in doing this. This is a prime example of a quid pro quo, which is typically unethical, although most of the time not illegal. But the question is about his ethics, and I would come to the conclusion that he is acting in an extremely unethical manner, even though it might seem harmless.