Using the following table, calculate the SLE, ARO, and ALE for each threat category listed:
| XYZ Software Company, major threat categories for new applications development | Cost per Incident | Frequency of Occurrence | SLE | ARO | ALE |
|---|---|---|---|---|---|
| Programmer mistakes | $5,000 | 1 per week | | 52.0 | $260,000 |
| Loss of intellectual property | $75,000 | 1 per year | | 1.0 | $75,000 |
| Software piracy | $500 | 1 per week | | 52.0 | $26,000 |
| Theft of information (hacker) | $2,500 | 1 per quarter | | 4.0 | $10,000 |
| Theft of information (employee) | $5,000 | 1 per 6 months | | 2.0 | $10,000 |
| Web defacement | $500 | 1 per month | | 12.0 | $6,000 |
| Theft of equipment | $5,000 | 1 per year | | 1.0 | $5,000 |
| Virus, worms, Trojan horses | $1,500 | 1 per week | | 52.0 | $78,000 |
| Denial-of-service attacks | | | | 4.0 | $10,000 |
| Earthquake | $250,000 | 1 per 20 years | $250,000 | 0.1 | $12,500 |
| Flood | $250,000 | 1 per 10 years | $250,000 | 0.1 | $25,000 |
| Fire | $500,000 | 1 per 10 years | $500,000 | 0.1 | $50,000 |
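The calculation behind the ARO and ALE columns, as an added example that is not part of the original exercise or its answer key: it converts each frequency phrase to an ARO, takes the cost per incident as the SLE, and ranks the threats by ALE = SLE × ARO. The function names are assumptions made for this illustration, and the denial-of-service row is left out because its cost and frequency are not on the page.

```python
import re

# Periods per year for the units that appear in the frequency column.
PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}

def aro(frequency: str) -> float:
    """Convert text such as '1 per 6 months' or '1 per 20 years' to an ARO."""
    m = re.fullmatch(
        r"(\d+) per (?:(\d+) )?(week|month|quarter|year)s?",
        frequency.strip().lower())
    if not m:
        raise ValueError(f"unrecognized frequency: {frequency!r}")
    count, span, unit = int(m.group(1)), int(m.group(2) or 1), m.group(3)
    return count * PER_YEAR[unit] / span

def ale(sle: float, frequency: str) -> float:
    """ALE = SLE x ARO, with SLE taken as the cost per incident."""
    return sle * aro(frequency)

# (threat, cost per incident in USD, frequency) as given in the table above.
# Denial-of-service is omitted: its cost and frequency are missing on the page.
THREATS = [
    ("Programmer mistakes", 5_000, "1 per week"),
    ("Loss of intellectual property", 75_000, "1 per year"),
    ("Software piracy", 500, "1 per week"),
    ("Theft of information (hacker)", 2_500, "1 per quarter"),
    ("Theft of information (employee)", 5_000, "1 per 6 months"),
    ("Web defacement", 500, "1 per month"),
    ("Theft of equipment", 5_000, "1 per year"),
    ("Virus, worms, Trojan horses", 1_500, "1 per week"),
    ("Earthquake", 250_000, "1 per 20 years"),
    ("Flood", 250_000, "1 per 10 years"),
    ("Fire", 500_000, "1 per 10 years"),
]

def ranked(threats=THREATS):
    """Return (threat, ARO, ALE) tuples sorted by ALE, largest first."""
    rows = [(name, aro(freq), ale(cost, freq)) for name, cost, freq in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for name, rate, loss in ranked():
        print(f"{name:<34}{rate:>6.2f}  ${loss:>10,.0f}")
```

For the earthquake row the computed ARO is 0.05, which the answer table lists as 0.1; the resulting ALE of 12,500 matches the table.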
4. How might XYZ Software Company arrive at the values in the above table? For each entry, describe the process of determining the cost per incident and frequency of occurrence.

It is most likely that XYZ Software Company employed an economic feasibility study or cost-benefit analysis to arrive at the values in its cost-per-incident table. For each entry in the chart, the cost per incident and the frequency of occurrence could have been reached through several different methods. Businesses often use benchmarking, best practices, and baselining to determine the values of cost per incident and frequency of occurrence. These techniques take into account internal investigation and asset valuation, along with information gathered by other sources in the industry, such as the frequency of virus, worm, or Trojan attacks. Combined, these methods could provide the cost and frequency numbers listed in the chart.
5. Assume a year has passed and XYZ has improved security. Using the following table, calculate the SLE, ARO, and ALE for each threat category listed:
Web defacement: 500, 100%, 2,000, -14,000 (of this table's column headers, only "ALE" survives)
Theft of equipment; Virus, worms, Trojan horses; Denial-of-service attacks; Earthquake; Flood; Fire (no values survive for these rows)
Some of the values have changed because controls were implemented and had a positive impact on the protection of the organization's assets, reducing the frequency of occurrence. However, the controls did not reduce the cost of an incident, because the value of an asset remains the same and it costs the organization the same amount of time and money to replace. The controls put into place are worth the costs listed.