The document discusses evaluating risks for three information assets: a network switch, web server, and control console. It provides details on calculating risk rates for each asset's vulnerabilities based on likelihood, impact, and control effectiveness. The second part discusses calculating annualized rate of occurrence (ARO) and annualized loss expectancy (ALE) for various threat categories facing a software development project.
Exercise 1
Exercise 1 - If an organization has three information assets to evaluate for risk management purposes, as shown in the accompanying data, which vulnerability should be evaluated for additional controls first? Which vulnerability should be evaluated last?

In the calculations below, Lv is the likelihood, I the impact, Rc the fraction of the impact removed by an existing control, and U the uncertainty (100% minus the stated certainty of the assumptions and data).

- Switch L47 connects a network to the Internet. It has two vulnerabilities: (1) susceptibility to hardware failure, with a likelihood of 2, and (2) susceptibility to an SNMP buffer overflow attack, with a likelihood of 1. There is a 75 percent certainty of the assumptions and data.

For (1) susceptibility to hardware failure on switch L47:
Lv = 0.2, I = 90, Rc = 0, U = 100% - 75% = 25%
Risk rating: Rr = (0.2 * 90)(1 - 0 + 25%) = 22.5

For (2) susceptibility to an SNMP buffer overflow attack:
Lv = 0.1, I = 90, Rc = 0, U = 100% - 75% = 25%
Risk rating: Rr = (0.1 * 90)(1 - 0 + 25%) = 11.25

- Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has a Web server version that can be attacked by sending it invalid Unicode values. The likelihood of that attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. You are 80 percent certain of the assumptions and data.

Risk rating: Rr = (0.1 * 100)(1 - 0.75 + 0.2) = 4.5

- Operators use the MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 2. There are no controls in place on this asset, which has an impact rating of 4. There is a 90 percent certainty of the assumptions and data.

Lv = 0.1, I = 5, Rc = 0, U = 100% - 90% = 10%
Risk rating: Rr = (0.1 * 5)(1 - 0 + 0.1) = 0.55

3. Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the table shown at right, calculate the ARO and ALE for each threat category the company faces for this project.
Programmer mistakes:
SLE = $5,000 x $1,200,000 = $6,000,000
ARO = 1 per week x 52 weeks = 52
ALE = $6,000,000 x 52 = $312,000,000

Loss of intellectual property:
SLE = $75,000 x $1,200,000 = $90,000,000
ARO = 1 per year = 1
ALE = $90,000,000 x 1 = $90,000,000

Software piracy:
SLE = $500 x $1,200,000 = $600,000
ARO = 1 per week x 52 weeks = 52
ALE = $600,000 x 52 = $31,200,000

Theft of information (hacker):
SLE = $2,500 x $1,200,000 = $3,000,000
ARO = 1 per quarter x 4 quarters = 4
ALE = $3,000,000 x 4 = $12,000,000

Theft of information (employee):
SLE = $5,000 x $1,200,000 = $6,000,000
ARO = 1 per 6 months x 2 occurrences per year = 2
ALE = $6,000,000 x 2 = $12,000,000

Web defacement:
SLE = $500 x $1,200,000 = $600,000
ARO = 1 per month x 12 months = 12
ALE = $600,000 x 12 = $7,200,000

Theft of equipment:
SLE = $5,000 x $1,200,000 = $6,000,000
ARO = 1 per year = 1
ALE = $6,000,000 x 1 = $6,000,000

Viruses, worms, Trojan horses:
SLE = $1,500 x $1,200,000 = $1,800,000
ARO = 1 per week x 52 weeks = 52
ALE = $1,800,000 x 52 = $93,600,000

Denial-of-service attack:
SLE = $2,500 x $1,200,000 = $3,000,000
ARO = 1 per quarter x 4 quarters = 4
ALE = $3,000,000 x 4 = $12,000,000

Earthquake:
SLE = $250,000 x $1,200,000 = $300,000,000
ARO = 1 per 20 years = 1/20
ALE = $300,000,000 x (1/20) = $15,000,000

Flood:
SLE = $250,000 x $1,200,000 = $300,000,000
ARO = 1 per 10 years = 1/10
ALE = $300,000,000 x (1/10) = $30,000,000

Fire:
SLE = $500,000 x $1,200,000 = $600,000,000
ARO = 1 per 10 years = 1/10
ALE = $600,000,000 x (1/10) = $60,000,000
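The risk-rating formula used in Exercise 1 and the ARO/ALE arithmetic of Exercise 3, as an added Python example that is not part of this exercise sheet. It applies the sheet's own Rr formula to the stated inputs and ranks the four vulnerabilities, and derives ARO from a stated frequency; for ALE it treats the cost-per-incident figure as the SLE, which is the standard definition and an assumption here, since the sheet multiplies by projected revenue instead.

```python
# Added example (not from the exercise sheet): the risk-rating and ALE
# arithmetic behind the Exercise 1 and 3 answers, as reusable functions.
# Rr uses the sheet's formula (Lv * I) * (1 - Rc + U), with U = 1 - certainty.
# ALE = SLE * ARO; SLE is assumed to be the cost-per-incident figure.

# How many of each period fit in one year, used to annualize "N per <period>".
PERIODS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}


def risk_rating(likelihood, impact, control_reduction, certainty):
    """Sheet formula: (Lv * I) * (1 - Rc + U), where U = 1 - certainty."""
    uncertainty = 1.0 - certainty
    return (likelihood * impact) * (1.0 - control_reduction + uncertainty)


def rank_vulnerabilities(vulns):
    """(name, Rr) pairs sorted highest risk first: the first entry is the
    vulnerability to evaluate for additional controls first, the last one last."""
    rated = [(name, risk_rating(*params)) for name, params in vulns.items()]
    return sorted(rated, key=lambda pair: pair[1], reverse=True)


def aro(count, unit, span=1):
    """Annualized rate of occurrence for '<count> per <span> <unit>(s)'."""
    return count * PERIODS_PER_YEAR[unit] / span


def ale(sle, count, unit, span=1):
    """Annualized loss expectancy = SLE * ARO (SLE = cost per incident)."""
    return sle * aro(count, unit, span)


# Exercise 1 inputs exactly as used in the answers: (Lv, I, Rc, certainty).
EXERCISE_1 = {
    "L47 hardware failure": (0.2, 90, 0.0, 0.75),
    "L47 SNMP buffer overflow": (0.1, 90, 0.0, 0.75),
    "WebSrv6 invalid Unicode": (0.1, 100, 0.75, 0.80),
    "MGMT45 unlogged misuse": (0.1, 5, 0.0, 0.90),
}

if __name__ == "__main__":
    for name, rr in rank_vulnerabilities(EXERCISE_1):
        print(f"{name:26s} Rr = {rr:.2f}")
    # "1 per week", "1 per 6 months" and "1 per 20 years" from the threat table.
    print(ale(5_000, 1, "week"), ale(5_000, 1, "month", 6), ale(250_000, 1, "year", 20))
```

With the sheet's inputs the ranking puts the L47 hardware failure first and the MGMT45 console misuse last.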
4. How might XYZ Software Company arrive at the values in the table shown in Exercise 3? For each entry, describe the process of determining the cost per incident and frequency of occurrence.

Programmer mistakes:
- Cost per incident: XYZ might consider the average cost to fix bugs or issues caused by programmer mistakes, including the time spent on debugging, potential loss of revenue, and any additional expenses incurred. This could be based on past incidents or industry benchmarks.
- Frequency of occurrence: XYZ might analyze historical data on the occurrence of programmer mistakes within their organization or similar companies. They might also consider factors such as the complexity of projects, skill level of programmers, and quality assurance processes.

Loss of intellectual property:
- Cost per incident: This could be determined by estimating the value of the intellectual property lost, including research and development costs, potential revenue loss, legal fees, and damage to the company's reputation.
- Frequency of occurrence: XYZ might assess the likelihood of intellectual property theft based on historical data, industry trends, and the effectiveness of their security measures.

Software piracy:
- Cost per incident: This could involve estimating the revenue loss due to unauthorized copying or distribution of software, including potential legal fees for enforcement actions.
- Frequency of occurrence: XYZ might gather data on the prevalence of software piracy in their industry or region and consider factors such as the popularity of their software and the effectiveness of anti-piracy measures.

Theft of information (hacker):
- Cost per incident: XYZ might estimate the cost of a security breach caused by a hacker, including damage to systems, data recovery expenses, potential fines or legal settlements, and reputational damage.
- Frequency of occurrence: XYZ might analyze data on hacking incidents, cybersecurity threats, and vulnerabilities in their systems, as well as industry trends and threat intelligence reports.

Theft of information (employee):
- Cost per incident: This could involve estimating the cost of data breaches caused by insider threats, including investigation costs, regulatory fines, legal fees, and damage to trust and customer relationships.
- Frequency of occurrence: XYZ might analyze past incidents of insider threats, employee turnover rates, access controls, and employee training programs.

Web defacement:
- Cost per incident: XYZ might estimate the cost of restoring and securing their website after a defacement attack, including IT resources, downtime, and potential damage to their brand.
- Frequency of occurrence: This could be based on historical data on web defacement incidents, industry trends, and the visibility of XYZ's website.

Theft of equipment:
- Cost per incident: This could involve estimating the cost of replacing stolen equipment, including hardware costs, data loss, productivity losses, and potential legal or insurance expenses.
- Frequency of occurrence: XYZ might analyze historical data on thefts within their organization, security measures in place, and external factors such as crime rates in their area.

Viruses, worms, Trojan horses:
- Cost per incident: XYZ might estimate the cost of cleaning infected systems, restoring data, lost productivity, and potential damage to their reputation.
- Frequency of occurrence: This could be based on historical data on malware incidents, cybersecurity threats, and the effectiveness of their antivirus and security measures.

Denial-of-service attack:
- Cost per incident: This could involve estimating the cost of mitigating a denial-of-service attack, including IT resources, downtime, potential revenue loss, and reputational damage.
- Frequency of occurrence: XYZ might analyze past denial-of-service attacks, industry trends, and the visibility and importance of their online services.

Natural disasters (earthquake, flood, fire):
- Cost per incident: This could involve estimating the cost of property damage, business interruption, data loss, and recovery efforts following a natural disaster.
- Frequency of occurrence: XYZ might consult historical data on natural disasters in their region, assess the likelihood of such events occurring, and consider factors such as climate patterns and building resilience measures.