Question: Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the following table, calculate the ARO and ALE
- Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million.
- Using the following table, calculate the ARO and ALE for each threat category the company faces for this project.
| Threat Category | Cost per Incident (SLE) | Frequency of Occurrence |
|---|---|---|
| Programmer mistakes | $5,000 | 1 per week |
| Loss of intellectual property | $75,000 | 1 per year |
| Software piracy | $500 | 1 per week |
| Theft of information (hacker) | $2,500 | 1 per quarter |
| Theft of information (employee) | $5,000 | 1 per 6 months |
| Web defacement | $500 | 1 per month |
| Theft of equipment | $5,000 | 1 per year |
| Viruses, worms, Trojan horses | $1,500 | 1 per week |
| Denial-of-service attacks | $2,500 | 1 per quarter |
| Earthquake | $250,000 | 1 per 20 years |
| Flood | $250,000 | 1 per 10 years |
| Fire | $500,000 | 1 per 10 years |
- How might XYZ Software Company arrive at the values in the table shown above? For each entry, describe the process of determining the cost per incident and frequency of occurrence.
- Assume that a year has passed and XYZ has improved security by applying several controls. Using the information from the table above and the following table, calculate the post-control ARO and ALE for each threat category listed. Why have some values changed in the Cost per Incident and Frequency of Occurrence columns? How could a control affect one but not the other? Assume that the values in the Cost of Control column are unique costs directly associated with protecting against the threat; in other words, don't consider overlapping costs between controls. Calculate the CBA for the planned risk control approach in each threat category. For each threat category, determine whether the proposed control is worth the cost.
| Threat Category | Cost per Incident (SLE) | Frequency of Occurrence | Cost of Control (annual) | Type of Control |
|---|---|---|---|---|
| Programmer mistakes | $5,000 | 1 per month | $20,000 | Training |
| Loss of intellectual property | $75,000 | 1 per 2 years | $15,000 | Firewall/IDS |
| Software piracy | $500 | 1 per month | $30,000 | Firewall/IDS |
| Theft of information (hacker) | $2,500 | 1 per 6 months | $15,000 | Firewall/IDS |
| Theft of information (employee) | $5,000 | 1 per year | $15,000 | Physical security |
| Web defacement | $500 | 1 per quarter | $10,000 | Firewall |
| Theft of equipment | $5,000 | 1 per 2 years | $15,000 | Physical security |
| Viruses, worms, Trojan horses | $1,500 | 1 per month | $15,000 | Antivirus |
| Denial-of-service attacks | $2,500 | 1 per 6 months | $10,000 | Firewall |
| Earthquake | $250,000 | 1 per 20 years | $5,000 | Insurance/backups |
| Flood | $50,000 | 1 per 10 years | $10,000 | Insurance/backups |
| Fire | $100,000 | 1 per 10 years | $10,000 | Insurance/backups |
Step by Step Solution
Let's tackle the problem and computations step by step. Part 1: Calculate the ARO and ALE for the original scenario. Definitions: ARO (Annual Rate of Occurrence). This is essentially the frequency with which ...
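The arithmetic behind both tables is the standard textbook risk-management chain: ARO is the number of occurrences per year (so "1 per week" is 52 and "1 per 20 years" is 1/20), ALE = SLE x ARO, and the cost-benefit of a control is CBA = ALE(prior) - ALE(post) - ACS, where ACS is the annual cost of the safeguard; a positive CBA means the control saves more than it costs. The script below is an added worked example, not part of the question or the site's answer; it parses the frequency strings exactly as written in the two tables above, computes ARO and ALE for every row, and then the CBA for each planned control. It assumes a 52-week, 12-month, 4-quarter year and uses exact fractions so that "1 per 20 years" does not pick up floating-point noise.

```python
"""Annualized risk arithmetic for the XYZ Software Company exercise (added example).

Formulas used:
    ARO = occurrences per year
    ALE = SLE x ARO
    CBA = ALE(prior) - ALE(post) - ACS   (ACS = annual cost of the safeguard)
"""
import re
from fractions import Fraction

# Assumption: calendar periods per year used to annualize the table's frequencies.
PERIODS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}

# Matches the table's wording: "1 per week", "1 per 6 months", "1 per 20 years".
_FREQ_RE = re.compile(
    r"^\s*(\d+)\s+per\s+(?:(\d+)\s+)?(week|month|quarter|year)s?\s*$", re.IGNORECASE
)

# Rows copied from the first (pre-control) table: (threat, SLE in $, frequency).
PRE_CONTROL = [
    ("Programmer mistakes", 5_000, "1 per week"),
    ("Loss of intellectual property", 75_000, "1 per year"),
    ("Software piracy", 500, "1 per week"),
    ("Theft of information (hacker)", 2_500, "1 per quarter"),
    ("Theft of information (employee)", 5_000, "1 per 6 months"),
    ("Web defacement", 500, "1 per month"),
    ("Theft of equipment", 5_000, "1 per year"),
    ("Viruses, worms, Trojan horses", 1_500, "1 per week"),
    ("Denial-of-service attacks", 2_500, "1 per quarter"),
    ("Earthquake", 250_000, "1 per 20 years"),
    ("Flood", 250_000, "1 per 10 years"),
    ("Fire", 500_000, "1 per 10 years"),
]

# Rows copied from the second (post-control) table: (threat, SLE, frequency, ACS).
POST_CONTROL = [
    ("Programmer mistakes", 5_000, "1 per month", 20_000),
    ("Loss of intellectual property", 75_000, "1 per 2 years", 15_000),
    ("Software piracy", 500, "1 per month", 30_000),
    ("Theft of information (hacker)", 2_500, "1 per 6 months", 15_000),
    ("Theft of information (employee)", 5_000, "1 per year", 15_000),
    ("Web defacement", 500, "1 per quarter", 10_000),
    ("Theft of equipment", 5_000, "1 per 2 years", 15_000),
    ("Viruses, worms, Trojan horses", 1_500, "1 per month", 15_000),
    ("Denial-of-service attacks", 2_500, "1 per 6 months", 10_000),
    ("Earthquake", 250_000, "1 per 20 years", 5_000),
    ("Flood", 50_000, "1 per 10 years", 10_000),
    ("Fire", 100_000, "1 per 10 years", 10_000),
]


def parse_aro(frequency: str) -> Fraction:
    """Annualize an 'N per [K] period' string: N * periods_per_year / K."""
    m = _FREQ_RE.match(frequency)
    if not m:
        raise ValueError(f"unrecognised frequency: {frequency!r}")
    count, span, unit = m.groups()
    span = int(span) if span else 1
    return Fraction(int(count) * PERIODS_PER_YEAR[unit.lower()], span)


def annualize(rows):
    """Map threat name -> (ARO, ALE) for a table of (name, SLE, frequency, ...) rows."""
    out = {}
    for name, sle, freq, *_ in rows:
        aro = parse_aro(freq)
        out[name] = (aro, aro * sle)  # ALE = SLE x ARO
    return out


def cost_benefit(pre, post):
    """Map threat name -> (ALE_prior, ALE_post, ACS, CBA); CBA > 0 means the control pays."""
    before = annualize(pre)
    after = annualize(post)
    result = {}
    for name, _sle, _freq, acs in post:
        ale_prior = before[name][1]
        ale_post = after[name][1]
        result[name] = (ale_prior, ale_post, acs, ale_prior - ale_post - acs)
    return result


if __name__ == "__main__":
    for name, (prior, post, acs, cba) in cost_benefit(PRE_CONTROL, POST_CONTROL).items():
        verdict = "worth it" if cba > 0 else "not worth it"
        print(f"{name:32} ALE {float(prior):>9,.0f} -> {float(post):>8,.0f}"
              f"  ACS {acs:>7,}  CBA {float(cba):>9,.0f}  {verdict}")
```

Running it prints one line per threat category. Two things in the output are worth noticing when answering the essay parts of the question: the insurance/backup controls for flood and fire leave ARO unchanged and only lower the cost per incident (you cannot make a fire less likely by buying insurance, but you can cap what it costs you), whereas training and filtering controls mostly lower the frequency; and several controls come out with a negative CBA on these numbers, which is exactly the kind of finding the cost-benefit step exists to surface before money is spent.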
