Assume a year has passed and XYZ has improved security by applying a number of controls. Using the information from Exercise 3 and the following table, calculate the post-control ARO and ALE for each threat category listed.

Why have some values changed in the columns Cost per Incident and Frequency of Occurrence? How could a control affect one but not the other?

Assume the values in the Cost of Control column presented in the table are those unique costs directly associated with protecting against that threat. In other words, don€™t worry about overlapping costs between controls. Calculate the CBA for the planned risk control approach for each threat category. For each threat category, determine if the proposed control is worth thecosts.

Transcribed Image Text:

Cost Cost of Incident Occurrence per Frequency of Threat Category Programmer mistakes Control Type of Control $5,000 1 per month $20,000 Training Loss of intellectual property $75,000 1 per 2 years $15,000 Firewal/IDS Software piracy $500 1 per month $30,000 FirewallIDS Theft of information (hacker) $2,500 1 per 6 months $15,000 Firewall/DS Theft of information (employee) Web defacement $5,000 1 per year $15,000 Physical security $500 1 per quarter $10,000 Firewall Theft of equipment $5,000 per 2 years $15,000 Physical security Viruses, worms, Trojan horses 1,5001 per month $15,000 Antivirus Denial-of-service attacks Earthquake Flood Fire $2,500 per 6 months $10,000 Firewall $250,000 1 per 20 years $5,000 Insurance/backups $50,000 per 10 years $10,000 Insurance/backups $100,0001 per 10 years $10,000 Insurance/backups