Exercise 1

The document discusses evaluating risks for three information assets: a network switch, web server, and control console. It provides details on calculating risk rates for each asset's vulnerabilities based on likelihood, impact, and control effectiveness. The second part discusses calculating annualized rate of occurrence (ARO) and annualized loss expectancy (ALE) for various threat categories facing a software development project.

Uploaded by Bình Quốc

Exercise 1 - If an organization has three information assets to evaluate for risk management purposes, as shown in the accompanying data, which vulnerability should be evaluated for additional controls first? Which vulnerability should be evaluated last?

- Switch L47 connects a network to the Internet. It has two vulnerabilities: (1) susceptibility to hardware failure, with a likelihood of 2, and (2) susceptibility to an SNMP buffer overflow attack, with a likelihood of 1. There is a 75 percent certainty of the assumptions and data.
For (1) susceptibility to hardware failure on switch L47:
Lv = 0.2, I = 90, Rc = 0
U = 100% – 75% = 25%
Risk rate of the vulnerability:
Rr = (0.2*90)(1 – 0 + 25%) = 22.5
For (2) susceptibility to an SNMP buffer overflow attack:
Lv = 0.1, I = 90, Rc = 0
U = 100% – 75% = 25%
Risk rate of the vulnerability:
Rr = (0.1*90)(1 – 0 + 25%) = 11.25
- Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has a Web server version that can be attacked by sending it invalid Unicode values. The likelihood of that attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. You are 80 percent certain of the assumptions and data.
Lv = 0.1, I = 100, Rc = 0.75
U = 100% – 80% = 20%
Risk rate: Rr = (0.1*100)(1 – 0.75 + 0.2) = 4.5
- Operators use the MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 2. There are no controls in place on this asset, which has an impact rating of 4. There is a 90 percent certainty of the assumptions and data.
Lv = 0.1, I = 5, Rc = 0
U = 100% – 90% = 10%
Risk rate: Rr = (0.1*5)(1 – 0 + 0.1) = 0.55
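As an added example (not part of the uploaded exercise or its answer), the following Python encodes the risk-rate formula the answer above applies, Rr = (Lv * I)(1 - Rc + U), enters the four vulnerabilities with the likelihood, impact, control and certainty values the answer uses, and ranks them so that the question "which vulnerability should be evaluated for additional controls first, and which last?" is answered mechanically. The `Vulnerability` class, its field names and the `rank_for_controls` / `first_and_last` helpers are this example's own naming, not anything from the exercise.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    """One vulnerability of one information asset (class and field names are this example's own)."""
    asset: str
    description: str
    likelihood: float          # Lv: likelihood on the 0..1 scale the answer above uses
    impact: float              # I: impact value assigned to the asset
    control_reduction: float   # Rc: fraction of impact removed by the existing control (0 if none)
    certainty: float           # confidence in the assumptions and data, e.g. 0.75 for "75 percent certain"

    @property
    def uncertainty(self) -> float:
        """U = 1 - certainty, e.g. 75 percent certain -> 25 percent uncertain."""
        return 1.0 - self.certainty

    def risk_rate(self) -> float:
        """Rr = (Lv * I) * (1 - Rc + U), the formula the answer applies to each asset."""
        return (self.likelihood * self.impact) * (1.0 - self.control_reduction + self.uncertainty)


# The four vulnerabilities from the exercise, with the numeric inputs the answer above uses.
PAGE_VULNERABILITIES = [
    Vulnerability("Switch L47", "hardware failure", 0.2, 90, 0.0, 0.75),
    Vulnerability("Switch L47", "SNMP buffer overflow", 0.1, 90, 0.0, 0.75),
    Vulnerability("WebSrv6", "invalid Unicode values", 0.1, 100, 0.75, 0.80),
    Vulnerability("MGMT45", "unlogged misuse (no passwords)", 0.1, 5, 0.0, 0.90),
]


def rank_for_controls(vulns):
    """Highest risk rate first: the order in which to evaluate additional controls."""
    return sorted(vulns, key=lambda v: v.risk_rate(), reverse=True)


def first_and_last(vulns):
    """Return (evaluate first, evaluate last) as Vulnerability objects."""
    ranked = rank_for_controls(vulns)
    return ranked[0], ranked[-1]


if __name__ == "__main__":
    for v in rank_for_controls(PAGE_VULNERABILITIES):
        print(f"{v.asset:12} {v.description:32} Rr = {v.risk_rate():6.2f}")
```

Run stand-alone it lists the four vulnerabilities in descending risk rate (22.5, 11.25, 4.5, 0.55), so the switch's hardware-failure vulnerability comes first and the MGMT45 console last. Keeping the formula in one method means a change of convention (for instance, scaling likelihood as 2 instead of 0.2) is made in one place and re-ranks every asset consistently.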
3. Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the table shown at right, calculate the ARO and ALE for each threat category the company faces for this project.
Programmer mistakes:
SLE = $5,000 x $1,200,000 = $6,000,000
ARO = 1 per week x 52 weeks = 52
ALE = $6,000,000 x 52 = $312,000,000
Loss of intellectual property:
SLE = $75,000 x $1,200,000 = $90,000,000
ARO = 1 per year
ALE = $90,000,000 x 1 = $90,000,000
Software piracy:
SLE = $500 x $1,200,000 = $600,000
ARO = 1 per week x 52 weeks = 52
ALE = $600,000 x 52 = $31,200,000
Theft of information (hacker):
SLE = $2,500 x $1,200,000 = $3,000,000
ARO = 1 per quarter x 4 quarters = 4
ALE = $3,000,000 x 4 = $12,000,000
Theft of information (employee):
SLE = $5,000 x $1,200,000 = $6,000,000
ARO = 1 per 6 months x 2 occurrences per year = 2
ALE = $6,000,000 x 2 = $12,000,000
Web defacement:
SLE = $500 x $1,200,000 = $600,000
ARO = 1 per month x 12 months = 12
ALE = $600,000 x 12 = $7,200,000
Theft of equipment:
SLE = $5,000 x $1,200,000 = $6,000,000
ARO = 1 per year
ALE = $6,000,000 x 1 = $6,000,000
Viruses, worms, Trojan horses:
SLE = $1,500 x $1,200,000 = $1,800,000
ARO = 1 per week x 52 weeks = 52
ALE = $1,800,000 x 52 = $93,600,000
Denial-of-service attack:
SLE = $2,500 x $1,200,000 = $3,000,000
ARO = 1 per quarter x 4 quarters = 4
ALE = $3,000,000 x 4 = $12,000,000
Earthquake:
SLE = $250,000 x $1,200,000 = $300,000,000
ARO = 1 per 20 years
ALE = $300,000,000 x (1/20) = $15,000,000
Flood:
SLE = $250,000 x $1,200,000 = $300,000,000
ARO = 1 per 10 years
ALE = $300,000,000 x (1/10) = $30,000,000
Fire:
SLE = $500,000 x $1,200,000 = $600,000,000
ARO = 1 per 10 years
ALE = $600,000,000 x (1/10) = $60,000,000
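As an added example (not part of the uploaded exercise or its answer), the following Python does the ARO conversion and ALE multiplication above for the whole threat table at once. The SLE figures are taken exactly as the answer above states them (it multiplies each cost per incident by the $1.2M project revenue); the frequencies are the answer's own wording ("1 per week", "1 per 6 months", "1 per 20 years"), which `annualized_rate` parses into an exact yearly rate. The function names, the `_PER_YEAR` table and the `PAGE_THREATS` list are this example's own.

```python
import re
from fractions import Fraction

# Occurrences of each unit in one year; a span such as "6 months" or "20 years" divides this.
_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}


def annualized_rate(frequency: str) -> Fraction:
    """Convert '1 per week', '1 per 6 months', '1 per 20 years', ... into an ARO
    (expected occurrences per year). Fractions keep 1/20 exact instead of 0.05."""
    m = re.fullmatch(r"\s*(\d+)\s+per\s+(?:(\d+)\s+)?(week|month|quarter|year)s?\s*",
                     frequency.lower())
    if m is None:
        raise ValueError(f"unrecognised frequency: {frequency!r}")
    count, span, unit = int(m.group(1)), int(m.group(2) or 1), m.group(3)
    return Fraction(count * _PER_YEAR[unit], span)


def annualized_loss_expectancy(sle: int, frequency: str) -> Fraction:
    """ALE = SLE x ARO."""
    return sle * annualized_rate(frequency)


# Threat table as the answer above states it: (threat, SLE as the answer computes it, frequency).
PAGE_THREATS = [
    ("Programmer mistakes",            6_000_000,   "1 per week"),
    ("Loss of intellectual property", 90_000_000,   "1 per year"),
    ("Software piracy",                  600_000,   "1 per week"),
    ("Theft of information (hacker)",  3_000_000,   "1 per quarter"),
    ("Theft of information (employee)", 6_000_000,  "1 per 6 months"),
    ("Web defacement",                   600_000,   "1 per month"),
    ("Theft of equipment",             6_000_000,   "1 per year"),
    ("Viruses, worms, Trojan horses",  1_800_000,   "1 per week"),
    ("Denial-of-service attack",       3_000_000,   "1 per quarter"),
    ("Earthquake",                   300_000_000,   "1 per 20 years"),
    ("Flood",                        300_000_000,   "1 per 10 years"),
    ("Fire",                         600_000_000,   "1 per 10 years"),
]


def ale_table(threats):
    """Compute ARO and ALE for every row and return the rows sorted by ALE, highest first,
    which is the order in which the threats deserve budget attention."""
    rows = []
    for name, sle, freq in threats:
        aro = annualized_rate(freq)
        rows.append({"threat": name, "sle": sle, "aro": aro, "ale": sle * aro})
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


if __name__ == "__main__":
    for r in ale_table(PAGE_THREATS):
        print(f"{r['threat']:34} SLE ${r['sle']:>13,}  ARO {float(r['aro']):6.2f}  ALE ${int(r['ale']):>13,}")
```

The parser accepts any "N per [span] unit" phrase, so the same table function also handles frequencies the answer does not use (for example "3 per 2 years"); that generalisation is the example's, not the exercise's. Sorting by ALE makes the ranking visible at a glance: programmer mistakes dominate at $312,000,000 per year and theft of equipment is lowest at $6,000,000.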

4. How might XYZ Software Company arrive at the values in the table shown in Exercise 3? For each entry, describe the process of determining the cost per incident and frequency of occurrence.
Programmer Mistakes:
Cost per Incident: XYZ might consider the average cost to fix
bugs or issues caused by programmer mistakes, including the
time spent on debugging, potential loss of revenue, and any
additional expenses incurred. This could be based on past
incidents or industry benchmarks.
Frequency of Occurrence: XYZ might analyze historical data on
the occurrence of programmer mistakes within their
organization or similar companies. They might also consider
factors such as the complexity of projects, skill level of
programmers, and quality assurance processes.
Loss of Intellectual Property:
Cost per Incident: This could be determined by estimating the
value of the intellectual property lost, including research and
development costs, potential revenue loss, legal fees, and
damage to the company's reputation.
Frequency of Occurrence: XYZ might assess the likelihood of
intellectual property theft based on historical data, industry
trends, and the effectiveness of their security measures.
Software Piracy:
Cost per Incident: This could involve estimating the revenue
loss due to unauthorized copying or distribution of software,
including potential legal fees for enforcement actions.
Frequency of Occurrence: XYZ might gather data on the
prevalence of software piracy in their industry or region and
consider factors such as the popularity of their software and
the effectiveness of anti-piracy measures.
Theft of Information (Hacker):
Cost per Incident: XYZ might estimate the cost of a security
breach caused by a hacker, including damage to systems, data
recovery expenses, potential fines or legal settlements, and
reputational damage.
Frequency of Occurrence: XYZ might analyze data on hacking
incidents, cybersecurity threats, and vulnerabilities in their
systems, as well as industry trends and threat intelligence
reports.
Theft of Information (Employee):
Cost per Incident: This could involve estimating the cost of data
breaches caused by insider threats, including investigation
costs, regulatory fines, legal fees, and damage to trust and
customer relationships.
Frequency of Occurrence: XYZ might analyze past incidents of
insider threats, employee turnover rates, access controls, and
employee training programs.
Web Defacement:
Cost per Incident: XYZ might estimate the cost of restoring and
securing their website after a defacement attack, including IT
resources, downtime, and potential damage to their brand.
Frequency of Occurrence: This could be based on historical data
on web defacement incidents, industry trends, and the visibility
of XYZ's website.
Theft of Equipment:
Cost per Incident: This could involve estimating the cost of
replacing stolen equipment, including hardware costs, data
loss, productivity losses, and potential legal or insurance
expenses.
Frequency of Occurrence: XYZ might analyze historical data on
thefts within their organization, security measures in place, and
external factors such as crime rates in their area.
Viruses, Worms, Trojan Horses:
Cost per Incident: XYZ might estimate the cost of cleaning
infected systems, restoring data, lost productivity, and
potential damage to their reputation.
Frequency of Occurrence: This could be based on historical data
on malware incidents, cybersecurity threats, and the
effectiveness of their antivirus and security measures.
Denial-of-Service Attack:
Cost per Incident: This could involve estimating the cost of
mitigating a denial-of-service attack, including IT resources,
downtime, potential revenue loss, and reputational damage.
Frequency of Occurrence: XYZ might analyze past denial-of-
service attacks, industry trends, and the visibility and
importance of their online services.
Natural Disasters (Earthquake, Flood, Fire):
Cost per Incident: This could involve estimating the cost of property damage, business interruption, data loss, and recovery efforts following a natural disaster.
Frequency of Occurrence: XYZ might consult historical data on natural disasters in their region, assess the likelihood of such events occurring, and consider factors such as climate patterns and building resilience measures.