Information System Security Risk Management Assignment

5. Assume that a year has passed and XYZ has improved security by applying several controls. Using the information from Exercise 3 and the following table, calculate the post-control ARO and ALE for each threat category listed. Why have some values changed in the Cost per Incident and Frequency of Occurrence columns? How could a control affect one but not the other? Assume that the values in the Cost of Control column are unique costs directly associated with protecting against the threat. In other words, don't consider overlapping costs between controls. Calculate the CBA for the planned risk control approach in each threat category. For each threat category, determine whether the proposed control is worth the costs.

| Threat Category | Cost per Incident | Frequency of Occurrence | Cost of Control | Type of Control |
|---|---|---|---|---|
| Programmer mistakes | $5,000 | 1 per month | $20,000 | Training |
| Loss of intellectual property | $75,000 | 1 per 2 years | $15,000 | Firewall/IDS |
| Software piracy | $500 | 1 per month | $30,000 | Firewall/IDS |
| Theft of information (hacker) | $2,500 | 1 per 6 months | $15,000 | Firewall/IDS |
| Theft of information (employee) | $5,000 | 1 per year | $15,000 | Physical security |
| Web defacement | $500 | 1 per quarter | $10,000 | Firewall |
| Theft of equipment | $5,000 | 1 per 2 years | $15,000 | Physical security |
| Viruses, worms, Trojan horses | $1,500 | 1 per month | $15,000 | Antivirus |
| Denial-of-service attacks | $2,500 | 1 per 6 months | $10,000 | Firewall |
| Earthquake | $250,000 | 1 per 20 years | $5,000 | Insurance/backups |
| Flood | $50,000 | 1 per 10 years | $10,000 | Insurance/backups |
| Fire | $100,000 | 1 per 10 years | $10,000 | Insurance/backups |
