The value of the data in Shearwater Corporation's customer relationship management database has been valued at $2,000,000. Due to a SQL injection flaw in a public-facing website, the chance that an unauthorized person could access this data has been put at 40% by the risk assessment team, they also expect that this may happen once every four years. If a web application firewall costs $150,000 per year to maintain and run is this a cost-effective control when considering the ROSI formula?

The risk assessment team has come back and said that there was a mistake in their calculations, the exposure factor is only 6% as the injectable form is in a password-protected area of the site that only staff can access. How does this impact the equation? How does the figure change if the WAF is controlling for multiple risks?