
3. Using the following table, calculate the SLE, ARO, and ALE for each threat category listed:

XYZ Software Company, major threat categories for new applications development

| Threat category | Cost per incident | Frequency of occurrence | SLE | ARO | ALE |
|---|---|---|---|---|---|
| Programmer mistakes | $5,000 | 1 per week | $5,000 | 52.0 | $260,000 |
| Loss of intellectual property | $75,000 | 1 per year | $75,000 | 1.0 | $75,000 |
| Software piracy | $500 | 1 per week | $500 | 52.0 | $26,000 |
| Theft of information (hacker) | $2,500 | 1 per quarter | $2,500 | 4.0 | $10,000 |
| Theft of information (employee) | $5,000 | 1 per 6 months | $5,000 | 2.0 | $10,000 |
| Web defacement | $500 | 1 per month | $500 | 12.0 | $6,000 |
| Theft of equipment | $5,000 | 1 per year | $5,000 | 1.0 | $5,000 |
| Virus, worms, Trojan horses | $1,500 | 1 per week | $1,500 | 52.0 | $78,000 |
| Denial-of-service attacks | $2,500 | 1 per quarter | $2,500 | 4.0 | $10,000 |
| Earthquake | $250,000 | 1 per 20 years | $250,000 | 0.1 | $12,500 |
| Flood | $250,000 | 1 per 10 years | $250,000 | 0.1 | $25,000 |
| Fire | $500,000 | 1 per 10 years | $500,000 | 0.1 | $50,000 |

4. How might XYZ Software Company arrive at the values in the above table? For each entry, describe the process of determining the cost per incident and frequency of occurrence.

It is most likely that XYZ Software Company employed an economic feasibility study or cost-benefit analysis to arrive at the values in its cost-per-incident table. For each entry in the chart, the cost per incident and the frequency of occurrence could have been reached through several different methods. Businesses often use benchmarking, best practices, and baselining to determine the cost per incident and frequency of occurrence. These techniques take into account internal investigation and asset valuation, along with information gathered by other sources in the industry, such as the frequency of virus, worm, or Trojan attacks. Combined, these methods could provide the cost and frequency figures listed in the chart.

5. Assume a year has passed and XYZ has improved security. Using the following table, calculate the SLE, ARO, and ALE for each threat category listed:

| Threat category | SLE ($) | ARO | ALE ($) | CBA ($) |
|---|---|---|---|---|
| Programmer mistakes | 5,000 | 100% | 60,000 | 180,000 |
| Loss of intellectual property | 75,000 | 50% | 37,500 | 22,500 |
| Software piracy | 500 | 100% | 6,000 | -10,000 |
| Theft of information (hacker) | 2,500 | 100% | 5,000 | -10,000 |
| Theft of information (employee) | 5,000 | 100% | 5,000 | -10,000 |
| Web defacement | 500 | 100% | 2,000 | -14,000 |
| Theft of equipment | 5,000 | 50% | 2,500 | -12,500 |
| Virus, worms, Trojan horses | 1,500 | 100% | 18,000 | 45,000 |
| Denial-of-service attacks | 2,500 | 100% | 5,000 | -12,500 |
| Earthquake | 250,000 | 5% | 12,500 | -5,000 |
| Flood | 50,000 | 10% | 5,000 | 10,000 |
| Fire | 100,000 | 10% | 10,000 | 30,000 |

Some of the values have changed because controls were implemented and had a positive impact on protecting the organization's assets, reducing the frequency of occurrence. However, the controls did not reduce the cost of an incident, because the value of an asset remains the same and it costs the organization the same amount of time and money to replace. The controls put into place are worth the costs listed.
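The following is an added example, not part of the original solution: it recomputes the question 3 ALE figures from the table's frequency strings and backs out the annual control cost implied by the question 5 CBA column. It assumes the standard formulas ALE = SLE × ARO and CBA = ALE(prior) − ALE(post) − ACS, which the page does not state; the function names are illustrative.

```python
import re

# How many of each period occur in one year.
PERIODS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}

def aro(frequency: str) -> float:
    """Convert 'N per [M] <period>(s)', e.g. '1 per 6 months', to occurrences per year."""
    m = re.fullmatch(r"(\d+) per (?:(\d+) )?(week|month|quarter|year)s?", frequency.strip())
    if not m:
        raise ValueError(f"unrecognized frequency: {frequency!r}")
    count, span, period = int(m.group(1)), int(m.group(2) or 1), m.group(3)
    return count * PERIODS_PER_YEAR[period] / span

def ale(sle: float, frequency: str) -> float:
    """Annualized loss expectancy = single loss expectancy x annualized rate of occurrence."""
    return sle * aro(frequency)

def implied_control_cost(ale_prior: float, ale_post: float, cba: float) -> float:
    """Solve CBA = ALE(prior) - ALE(post) - ACS for ACS, the annual cost of the safeguard."""
    return ale_prior - ale_post - cba

# Rows copied from the two tables on the page:
# (threat, SLE, frequency before controls, ALE after controls, CBA)
ROWS = [
    ("Programmer mistakes", 5_000, "1 per week", 60_000, 180_000),
    ("Loss of intellectual property", 75_000, "1 per year", 37_500, 22_500),
    ("Theft of information (hacker)", 2_500, "1 per quarter", 5_000, -10_000),
    ("Theft of information (employee)", 5_000, "1 per 6 months", 5_000, -10_000),
    ("Earthquake", 250_000, "1 per 20 years", 12_500, -5_000),
]

def report(rows=ROWS):
    """Return (threat, ARO, prior ALE, implied annual control cost) for each row."""
    out = []
    for threat, sle, freq, ale_post, cba in rows:
        prior = ale(sle, freq)
        out.append((threat, aro(freq), prior, implied_control_cost(prior, ale_post, cba)))
    return out

if __name__ == "__main__":
    for threat, rate, prior, acs in report():
        print(f"{threat:32} ARO={rate:<5g} ALE={prior:>9,.0f} implied control cost={acs:>7,.0f}")
```

A negative CBA means the control costs more per year than the loss it avoids.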
