1. If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional controls? Which should be evaluated last?
• Switch L47 connects a network to the Internet. It has two vulnerabilities: It is susceptible to hardware failure at a likelihood of 0.2, and it is subject to an SNMP buffer overflow attack at a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. You are 75 percent certain of the assumptions and data.
• Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has a Web server version that can be attacked by sending it invalid Unicode values. The likelihood of that attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. You are 80 percent certain of the assumptions and data.
• Operators use an MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset; it has an impact rating of 5. You are 90 percent certain of the assumptions and data.
2. Using the data classification scheme in this module, identify and classify the information in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information would be confidential, internal, or for public release?
answer:
Confidential:
Personal identification information (e.g., Social Security number, passport number)
Financial records
Health records
Internal:
Work-related documents
Emails containing proprietary information or discussions about company projects
Personal documents not intended for public consumption (e.g., resumes, tax documents)
Public Release:
Publicly available documents
Non-sensitive personal files (e.g., photos, personal blogs)
Information intended for sharing with a wider audience without restrictions
3. Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the table shown at right, calculate the ARO and ALE for each threat category the company faces for this project.
answer:
Programmer mistakes
Frequency: 1 per week
ARO: 52 (weeks per year)
Cost per Incident: $5,000
ALE: 52 * $5,000 = $260,000
Loss of intellectual property
Frequency: 1 per year
ARO: 1
Cost per Incident: $75,000
ALE: 1 * $75,000 = $75,000
Software Piracy
Frequency: 11 per week
ARO: 11 * 52 = 572
Cost per Incident: $500
ALE: 572 * $500 = $286,000
Theft of information (hacker)
Frequency: 1 per quarter
ARO: 4 (quarters per year)
Cost per Incident: $2,500
ALE: 4 * $2,500 = $10,000
Theft of information (employee)
Frequency: 1 per 6 months
ARO: 2 (half-years per year)
Cost per Incident: $5,000
ALE: 2 * $5,000 = $10,000
Web defacement
Frequency: 1 per month
ARO: 12 (months per year)
Cost per Incident: $4,500
ALE: 12 * $4,500 = $54,000
Theft of equipment
Frequency: 1 per year
ARO: 1
Cost per Incident: $5,000
ALE: 1 * $5,000 = $5,000
Viruses, worms, trojan horses
Frequency: 1 per week
ARO: 52 (weeks per year)
Cost per Incident: $1,500
ALE: 52 * $1,500 = $78,000
Denial of service
Frequency: 1 per quarter
ARO: 4 (quarters per year)
Cost per Incident: $2,500
ALE: 4 * $2,500 = $10,000
Earthquake
Frequency: 1 per 20 years
ARO: 1/20 = 0.05
Cost per Incident: $250,000
ALE: 0.05 * $250,000 = $12,500
Flood
Frequency: 1 per 10 years
ARO: 1/10 = 0.1
Cost per Incident: $250,000
ALE: 0.1 * $250,000 = $25,000
Fire
Frequency: 1 per 10 years
ARO: 1/10 = 0.1
Cost per Incident: $500,000
ALE: 0.1 * $500,000 = $50,000
4. How might XYZ Software Company arrive at the values in the table shown in Exercise 3? For each entry, describe the process of determining the cost per incident and frequency of occurrence.
Programmer Mistakes
Cost per Incident: Estimated by analyzing the average time and resources required to correct coding errors, including developer time, testing, and potential delays in project timelines.
Frequency of Occurrence: Determined based on historical data from similar projects and industry benchmarks, typically observed as 1 per week in agile development environments.
Loss of Intellectual Property
Cost per Incident: Calculated by considering the potential revenue loss, legal costs, and damage to company reputation. This includes lost competitive advantage and potential market share.
Frequency of Occurrence: Based on historical incidents within the company and industry trends, typically occurring once per year for most companies with robust security measures.
Software Piracy
Cost per Incident: Derived from the estimated revenue loss per pirated copy and the number of copies typically pirated per incident.
Frequency of Occurrence: Estimated using industry data on software piracy rates, typically measured as a weekly frequency multiplied by the number of incidents.
Theft of Information (Hacker)
Cost per Incident: Includes the cost of data breaches, such as regulatory fines, notification costs, and remediation efforts.
Frequency of Occurrence: Based on industry reports and the company’s historical data, typically occurring quarterly.
Theft of Information (Employee)
Cost per Incident: Calculated by considering the impact of lost sensitive information, potential legal action, and remediation costs.
Frequency of Occurrence: Based on internal audit reports and industry studies, typically occurring bi-annually.
Web Defacement
Cost per Incident: Includes the cost of restoring the website, investigating the breach, and potential loss of business during downtime.
Frequency of Occurrence: Determined from historical data and industry trends, typically occurring monthly.
Theft of Equipment
Cost per Incident: Considers the replacement cost of equipment, potential data loss, and associated downtime.
Frequency of Occurrence: Based on internal records and industry averages, typically once per year.
Viruses, Worms, Trojan Horses
Cost per Incident: Calculated by considering the cost of detection, removal, and potential business disruption.
Frequency of Occurrence: Based on the frequency of malware detection in the company’s IT environment, typically once per week.
Denial of Service
Cost per Incident: Includes the impact of downtime, lost revenue, and costs associated with mitigating the attack.
Frequency of Occurrence: Estimated based on historical data and industry reports, typically occurring quarterly.
Earthquake
Cost per Incident: Based on potential damage to facilities and infrastructure, including business disruption and repair costs.
Frequency of Occurrence: Determined using geological data and historical records, typically once every 20 years.
Flood
Cost per Incident: Includes damage to property, business disruption, and recovery costs.
Frequency of Occurrence: Based on historical weather patterns and floodplain data, typically once every 10 years.
Fire
Cost per Incident: Calculated by considering the damage to property, business disruption, and recovery efforts.
Frequency of Occurrence: Based on historical fire incident data and risk assessments, typically once every 10 years.
5. Assume that a year has passed and XYZ has improved security by applying several controls. Using the information from Exercise 3 and the following table, calculate the post-control ARO and ALE for each threat category listed.
Programmer mistakes
Frequency: 1 per week
ARO: 52
Cost per Incident: $5,000
ALE: 52 * $5,000 = $260,000
Control Effectiveness: 50%
Post-Control ARO: 52 * (1 - 0.50) = 26
Post-Control ALE: 26 * $5,000 = $130,000
Loss of intellectual property
Frequency: 1 per year
ARO: 1
Cost per Incident: $75,000
ALE: 1 * $75,000 = $75,000
Control Effectiveness: 50%
Post-Control ARO: 1 * (1 - 0.50) = 0.5
Post-Control ALE: 0.5 * $75,000 = $37,500
Software Piracy
Frequency: 11 per week
ARO: 572
Cost per Incident: $500
ALE: 572 * $500 = $286,000
Control Effectiveness: 50%
Post-Control ARO: 572 * (1 - 0.50) = 286
Post-Control ALE: 286 * $500 = $143,000
Theft of information (hacker)
Frequency: 1 per quarter
ARO: 4
Cost per Incident: $2,500
ALE: 4 * $2,500 = $10,000
Control Effectiveness: 50%
Post-Control ARO: 4 * (1 - 0.50) = 2
Post-Control ALE: 2 * $2,500 = $5,000
Theft of information (employee)
Frequency: 1 per 6 months
ARO: 2
Cost per Incident: $5,000
ALE: 2 * $5,000 = $10,000
Control Effectiveness: 50%
Post-Control ARO: 2 * (1 - 0.50) = 1
Post-Control ALE: 1 * $5,000 = $5,000
Web defacement
Frequency: 1 per month
ARO: 12
Cost per Incident: $4,500
ALE: 12 * $4,500 = $54,000
Control Effectiveness: 50%
Post-Control ARO: 12 * (1 - 0.50) = 6
Post-Control ALE: 6 * $4,500 = $27,000
Theft of equipment
Frequency: 1 per year
ARO: 1
Cost per Incident: $5,000
ALE: 1 * $5,000 = $5,000
Control Effectiveness: 50%
Post-Control ARO: 1 * (1 - 0.50) = 0.5
Post-Control ALE: 0.5 * $5,000 = $2,500
Viruses, worms, trojan horses
Frequency: 1 per week
ARO: 52
Cost per Incident: $1,500
ALE: 52 * $1,500 = $78,000
Control Effectiveness: 50%
Post-Control ARO: 52 * (1 - 0.50) = 26
Post-Control ALE: 26 * $1,500 = $39,000
Denial of service
Frequency: 1 per quarter
ARO: 4
Cost per Incident: $2,500
ALE: 4 * $2,500 = $10,000
Control Effectiveness: 50%
Post-Control ARO: 4 * (1 - 0.50) = 2
Post-Control ALE: 2 * $2,500 = $5,000
Earthquake
Frequency: 1 per 20 years
ARO: 0.05
Cost per Incident: $250,000
ALE: 0.05 * $250,000 = $12,500
Control Effectiveness: 50%
Post-Control ARO: 0.05 * (1 - 0.50) = 0.025
Post-Control ALE: 0.025 * $250,000 = $6,250
Flood
Frequency: 1 per 10 years
ARO: 0.1
Cost per Incident: $250,000
ALE: 0.1 * $250,000 = $25,000
Control Effectiveness: 50%
Post-Control ARO: 0.1 * (1 - 0.50) = 0.05
Post-Control ALE: 0.05 * $250,000 = $12,500
Fire
Frequency: 1 per 10 years
ARO: 0.1
Cost per Incident: $500,000
ALE: 0.1 * $500,000 = $50,000
Control Effectiveness: 50%
Post-Control ARO: 0.1 * (1 - 0.50) = 0.05
Post-Control ALE: 0.05 * $500,000 = $25,000
Why have some values changed in the Cost per Incident and Frequency of Occurrence columns? How could a control affect one but not the other? Assume that the values in the Cost of Controls column are unique costs directly associated with protecting against the threat. In other words, don’t consider overlapping costs between controls. Calculate the CBA for the planned risk control approach in each threat category. For each threat category, determine whether the proposed control is worth the costs.
answer:
The changes in the "Cost per Incident" and "Frequency of Occurrence" columns can be attributed to the implementation of controls aimed at mitigating or reducing the impact of the identified threats. A control may affect one or both of these parameters depending on its effectiveness in preventing incidents or reducing their severity. Here's how this can happen:
Cost per Incident Changes:
The implementation of controls may lead to a reduction in the financial impact of incidents. For example, if a control reduces the severity or scope of an incident, the associated cost per incident may decrease.
Controls can also incur costs themselves, such as the initial investment in technology, training, or processes. These costs may increase the overall cost per incident, depending on their effectiveness in preventing or mitigating incidents.
Frequency of Occurrence Changes:
Controls can directly impact the likelihood or frequency of incidents occurring. Effective controls can reduce the probability of incidents happening, leading to a decrease in the frequency of occurrence.
Conversely, if controls are ineffective or only partially effective, the frequency of incidents may remain unchanged or even increase if they fail to address the underlying causes of the threats.
Now, let's calculate the Cost-Benefit Analysis (CBA) for the planned risk control approach in each threat category. The CBA compares the cost of implementing a control with the expected benefit, measured as the reduction in losses (the drop in ALE) that the control produces. The net benefit is that reduction minus the cost of the control, and a control is worth its cost when the net benefit is positive.
Because no control effectiveness percentage is given per threat category, a uniform 50% effectiveness is assumed for every category, matching the post-control figures above; if per-category percentages were provided, they would be used instead. The calculation for each threat category follows:
Programmer Mistakes
Cost of Control: Not specified
Expected Benefits: Reduction in ALE from $260,000 to $130,000
Costs: Not specified
Net Benefit: $260,000 - $130,000 = $130,000
Loss of Intellectual Property
Cost of Control: Not specified
Expected Benefits: Reduction in ALE from $75,000 to $37,500
Costs: Not specified
Net Benefit: $75,000 - $37,500 = $37,500
Software Piracy
Cost of Control: Not specified
Expected Benefits: Reduction in ALE from $286,000 to $143,000
Costs: Not specified
Net Benefit: $286,000 - $143,000 = $143,000
Theft of Information (Hacker)
Cost of Control: Not specified
Expected Benefits: Reduction in ALE from $10,000 to $5,000
Costs: Not specified
Net Benefit: $10,000 - $5,000 = $5,000
Theft of Information (Employee)
Cost of Control: Not specified
Expected Benefits: Reduction in ALE from $10,000 to $5,000
Costs: Not specified
Net Benefit: $10,000 - $5,000 = $5,000
Web Defacement
Cost of Control: Not specified
Expected Benefits: Reduction in ALE from $54,000 to $27,000
Costs: Not specified
Net Benefit: $54,000 - $27,000 = $27,000
Theft of Equipment
Cost of Control: Not specified
Expected Benefits: Reduction in ALE from $5,000 to $2,500
Costs: Not specified
Net Benefit: $5,000 - $2,500 = $2,500
Viruses, Worms, Trojan Horses
Cost of Control: Not specified
Expected Benefits: Reduction in ALE from $78,000 to $39,000
Costs: Not specified
Net Benefit: $78,000 - $39,000 = $39,000
Denial of Service
Cost of Control: Not specified
Expected Benefits: Reduction in ALE from $10,000 to $5,000
Costs: Not specified
Net Benefit: $10,000 - $5,000 = $5,000
Earthquake
Cost of Control: Not specified
Expected Benefits: Reduction in ALE from $12,500 to $6,250
Costs: Not specified
Net Benefit: $12,500 - $6,250 = $6,250
Flood
Cost of Control: Not specified
Expected Benefits: Reduction in ALE from $25,000 to $12,500
Costs: Not specified
Net Benefit: $25,000 - $12,500 = $12,500
Fire
Cost of Control: Not specified
Expected Benefits: Reduction in ALE from $50,000 to $25,000
Costs: Not specified
Net Benefit: $50,000 - $25,000 = $25,000
These net benefit values represent the financial advantage or disadvantage of implementing controls in each threat category. A positive net benefit indicates that the benefits outweigh the costs, suggesting that the proposed control is worth implementing. Conversely, a negative net benefit suggests that the costs exceed the benefits, indicating that the control may not be worth pursuing.
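Added example, not the exercise's own solution, covering Exercises 3 and 5: it computes ARO and ALE from the frequency strings and costs per incident listed in Exercise 3, the 50% post-control figures of Exercise 5, and the CBA as ALE(prior) minus ALE(post) minus the annual cost of the safeguard (ACS). The `EXERCISE_3` table, the `aro`/`ale`/`cba` helpers and the `acs` parameter are this example's own; the exercise's cost-of-controls table is not reproduced on the page, so callers supply their own ACS (with ACS = 0 the result equals the net-benefit figures above).

```python
# Added example: ARO/ALE, post-control ALE and CBA for the XYZ threat table.
# Exact fractions avoid float drift on the 1-in-10 and 1-in-20-year rates.
from fractions import Fraction

PERIODS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}

def aro(frequency: str) -> Fraction:
    """'1 per week' -> 52, '1 per 6 months' -> 2, '1 per 20 years' -> 1/20."""
    count, _, period = frequency.partition(" per ")
    words = period.split()                      # ['6', 'months'] or ['week']
    span = Fraction(words[0]) if len(words) == 2 else Fraction(1)
    return Fraction(count) * PERIODS_PER_YEAR[words[-1].rstrip("s")] / span

def ale(frequency: str, sle: int) -> Fraction:
    """Annualized loss expectancy = ARO x single loss expectancy (cost per incident)."""
    return aro(frequency) * sle

def cba(frequency: str, sle: int, aro_reduction=0, sle_reduction=0, acs: int = 0):
    """CBA = ALE(prior) - ALE(post) - ACS. A control may lower how often an
    incident occurs (aro_reduction, e.g. patching) or how much each one costs
    (sle_reduction, e.g. backups); either alone changes only its own column.
    acs is the annual cost of the safeguard (placeholder; not on the page)."""
    prior = ale(frequency, sle)
    post = (aro(frequency) * (1 - Fraction(aro_reduction))
            * sle * (1 - Fraction(sle_reduction)))
    return prior - post - acs

# Frequencies and costs per incident as listed in Exercise 3 above.
EXERCISE_3 = {
    "Programmer mistakes": ("1 per week", 5_000),
    "Loss of intellectual property": ("1 per year", 75_000),
    "Software piracy": ("11 per week", 500),
    "Theft of information (hacker)": ("1 per quarter", 2_500),
    "Theft of information (employee)": ("1 per 6 months", 5_000),
    "Web defacement": ("1 per month", 4_500),
    "Theft of equipment": ("1 per year", 5_000),
    "Viruses, worms, trojan horses": ("1 per week", 1_500),
    "Denial of service": ("1 per quarter", 2_500),
    "Earthquake": ("1 per 20 years", 250_000),
    "Flood": ("1 per 10 years", 250_000),
    "Fire": ("1 per 10 years", 500_000),
}

def post_control_table(effectiveness=0.5):
    """{category: (ARO, ALE, post-control ALE)} for a control that cuts ARO."""
    cut = 1 - Fraction(effectiveness)
    return {cat: (aro(f), ale(f, sle), ale(f, sle) * cut)
            for cat, (f, sle) in EXERCISE_3.items()}

if __name__ == "__main__":
    for cat, (a, prior, post) in post_control_table().items():
        print(f"{cat:32} ARO={float(a):<6g} ALE=${int(prior):<8,} post=${int(post):,}")
```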