Chapter 5: Risk Management

Exercises

3.) Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the following table, calculate the ARO and ALE for each threat category the company faces for this project.

| Threat category | Cost per incident | Frequency of occurrence | ARO | ALE |
| --- | --- | --- | --- | --- |
| Programmer mistake | $5,000 | 1 per week | 52 | $260,000 |
| Loss of intellectual property | $75,000 | 1 per year | 1 | $75,000 |
| Software piracy | $500 | 1 per week | 52 | $26,000 |
| Theft of information | $5,000 | 1 per quarter | 4 | $10,000 |
| Earthquake | $250,000 | 1 per 20 years | 0.05 | $12,500 |
| Flood | $250,000 | 1 per 10 years | 0.01 | $25,000 |
| Fire | $500,000 | 1 per 10 years | 0.1 | $50,000 |

 

5.) Assume that a year has passed and XYZ has improved security by applying several controls. Using the information from Exercise 3 and the following table, calculate the post-control ARO and ALE for each threat category listed.

| Threat category | Cost per incident | Frequency of occurrence | Cost of control | Type of control |
| --- | --- | --- | --- | --- |
| Programmer mistake | $5,000 | 1 per month | $20,000 | Training |
| Loss of intellectual property | $75,000 | 1 per 2 years | $15,000 | Firewall/IDS |
| Software piracy | $500 | 1 per month | $30,000 | Firewall/IDS |
| Earthquake | $250,000 | 1 per 20 years | $5,000 | Insurance/backups |
| Flood | $50,000 | 1 per 10 years | $10,000 | Insurance/backups |
| Fire | $100,000 | 1 per 10 years | $10,000 | Insurance/backups |
| Web defacement | $500 | 1 per quarter | $10,000 | Firewall |
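As an added example (not part of the textbook or of this write-up), the Python below turns each "frequency of occurrence" phrase from Exercises 3 and 5 into an ARO and multiplies it by the cost per incident to get the ALE, so both tables can be recomputed with one function. It also goes one step beyond what the exercises ask: it applies the textbook's general cost-benefit formula, CBA = ALE(prior) - ALE(post) - ACS, to the Exercise 5 control costs, which shows which controls actually pay for themselves. The row values are copied from the two tables above; the parsing function, the `Threat` class and the field names are my own, and a threat with no pre-control row (web defacement) gets no CBA rather than a made-up one.

```python
"""ARO / ALE calculator for the XYZ Software risk tables (added example).

ARO (annualized rate of occurrence) = expected incidents per year.
ALE (annualized loss expectancy)    = SLE x ARO; the tables' "cost per
incident" column is used directly as the SLE.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# How many of each period fit in one year; used to turn a frequency phrase
# such as "1 per quarter" into incidents per year.
PERIODS_PER_YEAR = {"day": 365.0, "week": 52.0, "month": 12.0, "quarter": 4.0, "year": 1.0}

# Accepts "<count> per [<span>] <unit>[s]", e.g. "1 per week", "1 per 20 years".
_FREQ_RE = re.compile(
    r"\s*(\d+(?:\.\d+)?)\s+per\s+(?:(\d+(?:\.\d+)?)\s*)?(day|week|month|quarter|year)s?\s*",
    re.IGNORECASE,
)


def parse_aro(frequency: str) -> float:
    """'1 per week' -> 52.0, '1 per quarter' -> 4.0, '1 per 20 years' -> 0.05."""
    m = _FREQ_RE.fullmatch(frequency)
    if m is None:
        raise ValueError(f"unrecognised frequency phrase: {frequency!r}")
    count = float(m.group(1))
    span = float(m.group(2)) if m.group(2) else 1.0
    return count * PERIODS_PER_YEAR[m.group(3).lower()] / span


@dataclass
class Threat:
    category: str
    cost_per_incident: float      # SLE in dollars
    frequency: str                # e.g. "1 per week"
    control_cost: float = 0.0     # annual cost of the safeguard (ACS); 0 when none

    @property
    def aro(self) -> float:
        return parse_aro(self.frequency)

    @property
    def ale(self) -> float:
        return self.cost_per_incident * self.aro


def cost_benefit(before: Threat, after: Threat) -> float:
    """Textbook CBA = ALE(prior) - ALE(post) - ACS.

    Positive: the control saves more per year than it costs.
    Negative: the control does not pay for itself on these numbers."""
    return before.ale - after.ale - after.control_cost


# Rows copied from the Exercise 3 table (no controls yet).
BEFORE = [
    Threat("Programmer mistake", 5_000, "1 per week"),
    Threat("Loss of intellectual property", 75_000, "1 per year"),
    Threat("Software piracy", 500, "1 per week"),
    Threat("Theft of information", 5_000, "1 per quarter"),
    Threat("Earthquake", 250_000, "1 per 20 years"),
    Threat("Flood", 250_000, "1 per 10 years"),
    Threat("Fire", 500_000, "1 per 10 years"),
]

# Rows copied from the Exercise 5 table (one year later, controls applied).
AFTER = [
    Threat("Programmer mistake", 5_000, "1 per month", 20_000),
    Threat("Loss of intellectual property", 75_000, "1 per 2 years", 15_000),
    Threat("Software piracy", 500, "1 per month", 30_000),
    Threat("Earthquake", 250_000, "1 per 20 years", 5_000),
    Threat("Flood", 50_000, "1 per 10 years", 10_000),
    Threat("Fire", 100_000, "1 per 10 years", 10_000),
    Threat("Web defacement", 500, "1 per quarter", 10_000),
]


def report(before_rows: List[Threat], after_rows: List[Threat]) -> List[Tuple[str, float, float, Optional[float]]]:
    """For each post-control threat return (category, ARO, ALE, CBA).
    CBA is None when there is no pre-control row to compare against."""
    prior = {t.category.lower(): t for t in before_rows}
    rows = []
    for t in after_rows:
        b = prior.get(t.category.lower())
        rows.append((t.category, t.aro, t.ale, None if b is None else cost_benefit(b, t)))
    return rows


if __name__ == "__main__":
    print(f"{'Exercise 3 (pre-control)':32} {'ARO':>6} {'ALE':>12}")
    for t in BEFORE:
        print(f"{t.category:32} {t.aro:6.2f} {t.ale:12,.0f}")
    print(f"\n{'Exercise 5 (post-control)':32} {'ARO':>6} {'ALE':>12} {'CBA':>12}")
    for cat, aro, ale, cba in report(BEFORE, AFTER):
        cba_txt = "n/a" if cba is None else f"{cba:,.0f}"
        print(f"{cat:32} {aro:6.2f} {ale:12,.0f} {cba_txt:>12}")
```

Running the script prints both tables; comparing its ARO and ALE columns with the ones you filled in by hand is a quick way to catch a slipped decimal point. The CBA column is the interesting part: a control whose annual cost exceeds the ALE it removes (software piracy's $30,000 firewall/IDS against a $26,000 ALE, for instance) shows up negative, which is exactly the case a risk manager should flag.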

 

Case Exercises

1.)    Did Charlie effectively organize the work before the meeting? Why or why not? Make a list of important issues you think should be covered by the work plan. For each issue, provide a short explanation.

Charlie didn't really organize the work before the meeting; he kind of assigned homework for the next meeting. I think that the important issues for their company are programmer mistakes, theft of information by an employee, theft of equipment, and viruses. Programmer mistakes are easy to prevent but can be potentially hard to fix if there is a lot of information. Theft is easy to prevent, and the business can lock down all of the equipment just like UWS does for its computers. Also, viruses can play a role if they don't take the necessary measures for virus protection.

2.)    Will the company get useful information from the team it has assembled? Why or why not?

Yes, with a large team the company will get different views from the team, which can help prevent all sorts of risks in the future. Their team will bring many different aspects to the risk assessments and can pool together to develop a strategy to prevent anything from happening.

3.)    Why might some attendees resist the goals of the meeting? Does it seem that each person invited was briefed on the importance of the event and the issues behind it?

Some people might view the meeting as extra work even though it can be beneficial for the company to have plans in place. I don't feel that everyone was briefed on how important the event was, and there could be more issues that arise from this if the steps are not properly executed.

Ethical Decision Making

Amy's approach to "fudging" the numbers so she could attend a concert raises some concern for ethical decision making, since she didn't really care about how accurate the asset values were. They could be way off and could lead to some problems for the business down the road.

Since it was not a big deal for the numbers to be correct, she now has to buy lunch, but it's not ethical for a payback that is not related to their assignment. This could lead to some form of favoritism in the workplace, and the employee wouldn't take their work seriously since they could just get out of anything by buying Charlie lunch.