Quantitative Threat Analysis

Springfield I.T$.$ Consulting develops and maintains business software for IT clients. Springfield is doing a threat analysis as part of a BCP creation project and so far they have identified several threats. In this exercise, we will focus on Data Loss.

When Springfield IT Consulting loses data it could be any of the following:

$$ Work in progress,

$$ Completed work

$$ Financial data

$$ Customer data

$$ Work order data,

$...$

Three threat sources have been identified for data loss:

$1.$ Hacking,

$2.$ Worker Error

$3.$ Hardware Failure

Please calculate the total annualized risk cost of the data loss threat.

Costs:

$$ During a data loss, fixed costs $($must be paid even if work is not being done$)$ are $$4,000$ per day

$$ Reputation loss is calculated at $$20,000$ per day $($since this is a consulting firm this value is high$)$

When a data loss happens there are overtime costs and contract extension costs $$ each project has a deadline it must meet depending on the contract, Springfield could be charged a penalty if it does not meet the deadline. These overtime and contract extension costs vary depending on the source of the threat. These will be given as total cost per event, $($not per day$)$ and have been calculated based on historical data and current$/$future changes.

Note:

This means that when you are calculating your annualized risk cost your formula will be different from our other example.

$$ You need to add fixed costs for each day of doing nothing to reputation loss costs for one day and then multiply this sum by number of days.

$$ To this result you need to add the cost of overtime and contract extension.

$$ Then you need to multiply this total by likelihood $*$ vulnerability.

$$ You don$$t include the overtime and contract extension costs in the first calculation because it is not a per day cost but rather a per event cost.

$$ Every organization will have its own method of specifying impact.

Over the last $10$ years Springfield IT Consulting has experienced the following:

$$ Each year they experience at least one hacking event.

o About half the time they lose data because of that. When a hacking even occurs they typically have to shut down their systems for $2$ days in order to investigate and eliminate the threat. They cannot move forward in any customer work, so they lose $2$ days of work $($do nothing$).$

o Contract extension and overtime costs for a typical event are $$3500.$

$$ There were $8$ major instances of worker error.

o In $6$ of these, data was lost.

o Each incident of data loss due to worker error requires much research, attempts to recreate data, etc. Typically, the equivalent of one day of work is lost, plus extra research or overtime or contract delays are $$3,000$ per event.

$$ There were $4$ hardware failures $($servers$)$;

o Data was lost during one of these events.

o $(1)/(2)$ day of work was lost

o Overtime$/$investigation$/$contract extension costs are estimated at $$2000$ per event.

Qualitative Threat Analysis Exercise

Using the background information provided by the Springfield IT Consulting and using the Qualitative Scale given below, fill out the

qualitative analysis for Springfield IT Consulting.

QUALITATIVE SCALE TO USE: