Yunze Wang

ITS 370







  1. If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional safety controls? Which should be evaluated last?


First, I would calculate the risk of vulnerability by using the formula:

Rr = (Lv x I)(1 – Rc + U)

Switch L47 vulnerability 1 = (0.2 x 90) (1 – 0 + 0.25)

= 22.5

Switch L47 vulnerability 2 = (0.1 x 90) (1 – 0 + 0.25)

= 11.25

Server WebSrv6 vulnerability 3 = (0.1 x 100) (1 – 0.75 + 0.2)

= 4.5

MGMT45 control console vulnerability 4 = (0.1 x 5) (1 – 0 + 0.1)

= 0.55

Therefore, the vulnerability of Switch L47 would need to evaluated first because it has the highest risk rate (22.5) and the MGMT45 control console would be evaluated last because it has the lowest risk rate (0.55).


  1. Assume that a year has passed and XYZ has improved security by applying several controls. Using the information from Exercise 3 and the following table, calculate the post-control ARO and ALE for each threat category listed.


Programmer mistake - ARO = 12 *3 = 36

                    ALE = 36 * 5000 = 1,80,000

Cost of control 20000

CBA = 1,80,000 - 20000 = 1,60000 (It is worth it)


Loss of Intellectual property - ARO =0.5

                    ALE = 0.5 * 25000 = 12,500

Cost of control 20000

CBA = 12500 - 20000 = -7500 (It is not worth it)


Software piracy - ARO =12 * 0.5 = 6

                    ALE = 6 * 500 = 3000

Cost of control 9000

CBA = 3000 - 9000 = -6000(It is not worth it)

Theft of information - ARO =4

                    ALE = 4 * 1500 = 6000

Cost of control 20000

CBA = 6000 - 20000 = -12000(It is not worth it)


Case Exercises:

Discussion Questions

1.      Did Charlie effectively organize the work before the meeting? Why or why not? Make a list of important issues you think should be covered by the work plan. For each issue, provide a short explanation.


Before We can say that Charlie has effectively organized the work before meeting because he had investigated the needs, designed a work plan and even submitted it to each employee in before. He planned everything properly.

A work plan is a tool for planning during a specific period of time that identifies the problems to be solved, and ways to solve them

Following are some major issues that are to be covered by a workplan.

Introduction: it includes things like who can use the document and what the work plans will not deal with etc.

Why a work plan is needed and within what time it is to be covered.

Goals and objectives: Here it is determined that what outputs are to be drawn based on the goals and objectives of the organization.


2.      Will the company get useful information from the team it has assembled? Why or why not?


Yes, the company will surely get useful information from the team. The team was asked to identify the assets. While identifying the assets they come across various like, the most valuable assets, the assets that generate profit, the assets which are more expensive etc. Once they identify and classify the risks the assets are facing, they can reduce or eliminate the risks. Hence it is helpful for the company.


3.      Why might some attendees resist the goals of the meeting? Does it seem that each person invited was briefed on the importance of the event and the issues behind it?


Some attendees resist because of the security issues in the IT department. The security issues may include the loss of data, unauthorized access or theft of data etc. The importance of the event and the issues behind it are briefed to each person by saying about the management of risk while using automated systems. Since everyone uses the automated systems, it is needed for everyone to learn about the importance of the event and the issues behind it.


Ethical Decision Making

1.      Suppose Amy Windahl left the kickoff meeting with a list of over 200 assets that needed to be evaluated. When she looked at the amount of effort needed to finish assessing the asset values and their risk evaluations, she decided to “fudge” the numbers so that she could attend a concert and then spend the weekend with her friends. In the hour just before the meeting in which the data was due, she made up some values without much consideration beyond filling in the blanks. Is Amy’s approach to her assignment ethical? After the kickoff meeting, suppose Charlie had said, “Amy, the assets in your department are not that big of a deal for the company, but everyone on the team has to submit something. Just put anything on the forms so we can check you off the list, and then you will get the bonus being paid to all team members. You can buy me lunch for the favor.” Is Amy now ethically justified in falsifying her data? Has Charlie acted ethically by establishing an expected payback for this arrangement?


Question) Is Amy's approach to her assignment ethical?

1) No, Amy's approach to the assignment is not ethical. If she wants to leave for a concert or enjoy her weekend then it is ethical to ask the permission for postponement of submission. There is more probability for giving the permission because it is just a kickoff meeting (not very urgent).


Question) Is Amy ethically justified for falsifying her data (after Charlie spoke to Amy)

2) No, she is not ethically justified in falsifying the data. Just because she was told to write something by her immediate superior (Charlie) it doesn’t mean to do, because she works for the organization not for a single person. Even if they were told to be not important, it is the moral responsibility of her to perform the work as mentioned in the meeting or she may submit the work by mentioning the approximate values (which should be clearly specify that they are approximate).


Question) Has Charlie acted ethically by establishing an expected payback for the arrangement?

3)No, Charlie did not act ethical. If the work given to Amy is not really important then he should have mentioned it in the meeting or he should have never encouraged to give the work (as it is of no use by falsifying the data). Charlie moreover expected a payback form Amy, which clearly says that he skipped some rules of his work ethics and he wanted a payback for this activity.