ITS 370

    Nan Hu

    Chapter 5

1.      If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional safety controls? Which should be evaluated last?

 

         I would go with issue 2 first; we should first look at every possibility of attack, and the second one seems to be the most important one of all. If it were attacked, the damage would be huge: all of your customers' personal information would be stolen. For the last one I might look to the third one, because it seems to be the most irrelevant issue.

 

2.  Using the data identification scheme in this chapter, identify and classify the information in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information would be confidential, sensitive but unclassified, or for public release?

      Confidential information would include my passwords, credit card information, nearly all my personal information, and all my assignments are on there; moreover, that even includes the browser history, download history and software access history on my personal desktop.

3.     Suppose XYZ Software Company has a new application development project, with projected revenues of $1,200,000. Using the following table, calculate the ARO and ALE for each threat category that XYZ Software Company faces for this project.

                      

ARO and ALE threat cost

Threat                              ARO     ALE
Programmer mistakes                 52      $260,000
Loss of intellectual property       1       $75,000
Software piracy                     52      $26,000
Theft of information (hacker)       4       $10,000
Theft of information (employee)     2       $10,000
Web defacement                      12      $6,000
Theft of equipment                  1       $5,000
Viruses, worms, Trojan horses       52      $78,000
Denial-of-service attacks           4       $10,000
Earthquake                          0.05    $12,000
Flood                               0.1     $25,000
Fire                                0.1     $50,000

4.     How might XYZ Software Company arrive at the values in the table shown in Exercise 3? For each entry, describe the process of determining the cost per incident and frequency of occurrence.

    Each incident of an attack carries a cost, and this is calculated from the total value of the asset and the percentage of that asset lost in the attack. Some of these assessments can be made from the owner's own facilities, but some cannot. So the SLE is calculated as asset value x exposure factor, where the EF is the percentage of the asset that is lost or expected to be lost.
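As an added worked example (not part of this assignment or the course text), the chapter's formulas applied to the Exercise 3 table in Python. The cost-per-incident figures are implied by the page's own ALE / ARO values, and the occurrence intervals are assumed to be the ones that produce the page's ARO column.

```python
# Annualized risk figures as used in Exercise 3 (added example, not from the
# course text). Cost per incident is not printed on the page; the values below
# are implied by the page's own ALE / ARO (e.g. $260,000 / 52 = $5,000).

WEEK, MONTH, QUARTER, HALF_YEAR, YEAR = 52, 12, 4, 2, 1


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF is the fraction of the asset lost)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate(occurrences: float, periods_per_year: float) -> float:
    """ARO: expected occurrences in one year.
    'once a week'      -> annualized_rate(1, WEEK) == 52
    'once in 20 years' -> annualized_rate(1, 1 / 20) == 0.05"""
    if occurrences < 0 or periods_per_year <= 0:
        raise ValueError("occurrences must be >= 0 and periods_per_year > 0")
    return occurrences * periods_per_year


def annualized_loss(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, rounded to cents."""
    return round(sle * aro, 2)


# (threat, cost per incident, occurrences, period) assumed for Exercise 3
EXERCISE_3 = [
    ("Programmer mistakes", 5_000, 1, WEEK),
    ("Loss of intellectual property", 75_000, 1, YEAR),
    ("Software piracy", 500, 1, WEEK),
    ("Theft of information (hacker)", 2_500, 1, QUARTER),
    ("Theft of information (employee)", 5_000, 1, HALF_YEAR),
    ("Web defacement", 500, 1, MONTH),
    ("Theft of equipment", 5_000, 1, YEAR),
    ("Viruses, worms, Trojan horses", 1_500, 1, WEEK),
    ("Denial-of-service attacks", 2_500, 1, QUARTER),
    ("Earthquake", 240_000, 1, 1 / 20),
    ("Flood", 250_000, 1, 1 / 10),
    ("Fire", 500_000, 1, 1 / 10),
]


def risk_table(rows=EXERCISE_3) -> dict:
    """Return {threat: (ARO, ALE)} for each row."""
    table = {}
    for threat, cost, occurrences, period in rows:
        aro = annualized_rate(occurrences, period)
        table[threat] = (aro, annualized_loss(cost, aro))
    return table


if __name__ == "__main__":
    for threat, (aro, ale) in risk_table().items():
        print(f"{threat:32} ARO {aro:>6g}  ALE ${ale:>10,.0f}")
```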

 

5. Assume that a year has passed and XYZ has improved security by applying several controls. Using the information from Exercise 3 and the following table, calculate the post-control ARO and ALE for each threat category listed.

 

Why have some values changed in the Cost per Incident and Frequency of Occurrence columns?

Because their factors and methods are different. 

How could a control affect one but not the other?

Choose a control that is less affected.

 

 

 

 

ARO and ALE threat cost (post-control)

Threat                              ARO     ALE
Programmer mistakes                 100     $60,000
Loss of intellectual property       50      $37,000
Software piracy                     100     $6,000
Theft of information (hacker)       100     $6,000
Theft of information (employee)     100     $5,000
Web defacement                      100     $2,000
Theft of equipment                  50      $2,500
Viruses, worms, Trojan horses       100     $18,000
Denial-of-service attacks           100     $6,000
Earthquake                          5       $12,500
Flood                               10      $5,000
Fire                                10      $10,000