Exercise 1: If an organization has three information assets to evaluate for risk management purposes, as shown in the list below, which vulnerability should be evaluated for additional controls first? Which vulnerability should be evaluated last?
- A CRM-Server that is connected to the Internet. It has two vulnerabilities:
- susceptibility to hardware failure, with a likelihood of 8, and
- susceptibility to ransomware attack with a likelihood of 4.
The CRM-Server has been assigned an impact value of 10. Assume that there are no current controls in place to protect it, and there is a 75 percent certainty of the assumptions and data.
- An E-commerce server hosts the company Web site and supports customer transactions. It runs server software that is vulnerable to a buffer overflow attack, with the likelihood of such an attack estimated at 6. The server has been assigned an impact value of 8. Assume that there are no current controls in place to protect the server, and there is a 70 percent certainty of the assumptions and data.
- A Control-Console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show that the likelihood of misuse is 2. There are no controls in place on this asset, which has an impact value of 5. There is a 90 percent certainty of the assumptions and data.
Exercise 2: Using the list of threats to InfoSec presented in Chapter 6, identify and describe three instances of each that were not mentioned in the chapter.
Useful Hints on Assignment 5
Exercise 1: (Chapter 6)
To help you better understand the calculations for Exercise 1 of Assignment 5, see below for an explanation on how to correctly compute the risk rating of an asset. Using the terminology from Chapter 6 of the textbook, the formula for calculating the risk rating of an asset can be written as:
Risk rating = I x V x (1.0 – C + U)
where:
I : Impact value of the asset
V : Likelihood of the vulnerability
C : Percentage of risk mitigated by current controls on the asset (for example, a firewall)
U : Uncertainty of the assumptions and data (1.0 minus the stated certainty)
Worked Example: Let us see how we can apply this to an example problem. Assume that an organization has three assets A, B, C as follows:
(1) Asset A: has an impact value of 50, and the likelihood of vulnerability is estimated to be 1.0. Also assume that there are no current controls in place to protect the asset, and there is a 90% certainty of these assumptions and data. Thus we can write:
I : Impact value of the asset is given as 50
V : Likelihood of vulnerability is given as 1.0
C : There are no current controls in place to protect this asset, so the percentage of risk mitigated by current controls = 0% (i.e. 0)
U : Certainty of assumptions is given as 90%, so the uncertainty of assumptions = 10% (i.e. 0.1)
Risk rating for asset A = I x V x (1 – C + U) = (50 x 1.0) x (1.0 – 0 + 0.1) = 55
(2) Asset B: has an impact value of 100, and the likelihood of vulnerability is estimated to be 0.5. Also assume that current controls in place address 50% of the risk, and there is an 80% certainty of these assumptions and data. Thus we can write:
I : Impact value of the asset is given as 100
V : Likelihood of vulnerability is given as 0.5
C : Current controls for this vulnerability address 50% of the risk, so the percentage of risk mitigated by current controls = 50% (i.e. 0.5)
U : Certainty of assumptions is given as 80%, so the uncertainty of assumptions = 20% (i.e. 0.2)
Risk rating for asset B = I x V x (1 – C + U) = (100 x 0.5) x (1.0 – 0.5 + 0.2) = 35
(3) Asset C: has an impact value of 100, and the likelihood of vulnerability is estimated to be 0.1. Also assume that there are no current controls in place to protect the asset, and there is an 80% certainty of these assumptions and data. Thus we can write:
I : Impact value of the asset is given as 100
V : Likelihood of vulnerability is given as 0.1
C : There are no current controls in place to protect this asset, so the percentage of risk mitigated by current controls = 0% (i.e. 0)
U : Certainty of assumptions is given as 80%, so the uncertainty of assumptions = 20% (i.e. 0.2)
Risk rating for asset C = I x V x (1 – C + U) = (100 x 0.1) x (1.0 – 0 + 0.2) = 12
Conclusion: Based on these risk ratings, asset A has the highest risk rating and asset C has the lowest. Hence, the vulnerabilities on Asset A should be evaluated first for additional controls, and those of Asset C should be evaluated last. Note that the ranking is done per vulnerability, not per asset: when one asset carries two vulnerabilities (as the CRM-Server does in Exercise 1), each vulnerability gets its own rating using the same impact value.
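The calculation above carried out in code, as an added example that is not part of the course hints or the textbook. It encodes the Chapter 6 formula Risk rating = I x V x (1.0 – C + U) with U derived from the stated certainty, checks that C and the certainty are fractions, and ranks vulnerabilities highest-rating first. The dataclass and the function names (risk_rating, rank_vulnerabilities) are this example's own; the input rows are the values stated on this page for the hint's assets A, B, C and for the three assets in Exercise 1.

```python
"""Risk-rating worksheet for the Chapter 6 formula (added example, not course material)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    name: str
    impact: float      # I: impact value assigned to the asset
    likelihood: float  # V: likelihood of the vulnerability
    controls: float    # C: fraction of the risk mitigated by current controls (0.0 to 1.0)
    certainty: float   # certainty of the assumptions and data (0.0 to 1.0); U = 1 - certainty


def risk_rating(v):
    """Risk rating = I x V x (1.0 - C + U), with U = 1.0 - certainty."""
    for label, value in (("controls", v.controls), ("certainty", v.certainty)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{label} must be a fraction between 0 and 1, got {value}")
    uncertainty = 1.0 - v.certainty
    return v.impact * v.likelihood * (1.0 - v.controls + uncertainty)


def rank_vulnerabilities(vulns):
    """Highest rating first: the first entry is the one to evaluate for added controls first."""
    return sorted(vulns, key=risk_rating, reverse=True)


# Assets A, B and C from the worked example in the hints.
HINT_ASSETS = [
    Vulnerability("A", "example vulnerability", 50, 1.0, 0.0, 0.90),
    Vulnerability("B", "example vulnerability", 100, 0.5, 0.5, 0.80),
    Vulnerability("C", "example vulnerability", 100, 0.1, 0.0, 0.80),
]

# The four vulnerabilities stated in Exercise 1 (two of them on the CRM-Server).
EXERCISE_1 = [
    Vulnerability("CRM-Server", "hardware failure", 10, 8, 0.0, 0.75),
    Vulnerability("CRM-Server", "ransomware attack", 10, 4, 0.0, 0.75),
    Vulnerability("E-commerce server", "buffer overflow", 8, 6, 0.0, 0.70),
    Vulnerability("Control-Console", "unlogged misuse (no passwords)", 5, 2, 0.0, 0.90),
]


def worksheet(vulns):
    """Return (rating, asset, vulnerability) rows, highest rating first."""
    return [(round(risk_rating(v), 2), v.asset, v.name) for v in rank_vulnerabilities(vulns)]


if __name__ == "__main__":
    for rows in (worksheet(HINT_ASSETS), worksheet(EXERCISE_1)):
        for rating, asset, name in rows:
            print(f"{rating:8.2f}  {asset}: {name}")
        print()
```

The 1.0 – C + U factor can exceed 1.0 (no controls plus uncertainty), so a vulnerability with a lower likelihood can still outrank one with a higher likelihood when its impact or uncertainty is larger; that is why the ranking should be computed rather than read off the likelihood column.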
Exercise 3(a): (Chapter 7)
For this exercise you need to use the data given in the Table to calculate the SLE, ARO, and ALE for each threat category listed.
In this exercise, you are given the cost per incident, which effectively is the SLE. For example, in the Table given for this exercise, the cost per incident for a Programmer Mistake is given as $5,000; hence the SLE for this incident is $5,000.
To compute the ARO for an incident, use the hints given below. Once you know the SLE and the ARO, you can compute the ALE using the formula: ALE = SLE x ARO.
Determining the Annualized Rate of Occurrence (ARO): The ARO is simply how many incidents will occur in one year. If the data is given in other time intervals, such as one per quarter, one every week, or one every six months, convert that to the number of incidents that will occur in a year to obtain the ARO.
Here are some examples to illustrate this:
One incident per week means: ARO = 52 (since there are 52 weeks in a year)
One incident per quarter means: ARO = 4 (since there are 4 quarters in a year)
One incident every 10 years means: ARO = 0.1 (1/10)
One incident per month means: ARO = 12 (since there are 12 months in a year)
One every six months means: ARO = 2 (in one year there will be 2 incidents)
For example, when you apply this to the first Table entry (Programmer Mistakes) of Exercise 4, we have:
SLE = $5,000 ARO = 52 (since frequency = 1 incident per week) –> ALE = SLE x ARO = ($5000) x 52 = $260,000
We can therefore write the first line of the Table as follows:
Threat                Cost per incident   Frequency    ARO   SLE      ALE
Programmer Mistakes   $5,000              1 per week   52    $5,000   $260,000
Exercise 3(b): (Chapter 7) In a typical cost-benefit analysis, sometimes it is informative to determine if the value of protecting an asset is worth the cost incurred in implementing the control mechanisms protecting the asset. In Exercise 4 of the assignment you computed the ALE values for different assets to determine the expected loss from those assets if they were compromised.
Exercise 3(b) explores whether the cost benefit from implementing protection controls is worthwhile when compared to the value of the assets being protected. Such an analysis can be performed before implementing a control or safeguard, or it can be performed after controls have been in place for a while. To calculate the cost benefit of implementing those controls, use the equation given below (as discussed on page 386 in Chapter 7 of the textbook):
Cost Benefit = ALE(precontrol) – ALE(postcontrol) – ACS
where:
ALE(precontrol) = ALE of the risk before the implementation of the control
ALE(postcontrol) = ALE after the control has been implemented
ACS = Annualized Cost of Control
For the data given for each of the assets listed in the table provided for this exercise, use the above formulae to compute the Cost Benefit figure for each asset by determining its SLE, ARO, and ALE for each threat category listed.
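Exercises 3(a) and 3(b) together, as an added example that is not part of the course hints or the textbook. It turns a frequency phrase such as "1 per week" or "one every 10 years" into an ARO using the conversions listed above, computes ALE = SLE x ARO, and applies Cost Benefit = ALE(precontrol) – ALE(postcontrol) – ACS. The parser, the function names and the post-control figures for the Programmer Mistakes row (a constructed 1-per-month post-control frequency and a constructed $60,000 annual cost of control) are this example's own assumptions; the pre-control row ($5,000 per incident, 1 per week) is the one given in the hints.

```python
"""ARO, ALE and cost-benefit worksheet for Chapter 7 (added example, not course material)."""
import re

# How many of each period fit in one year; this is the conversion the hints describe.
PERIODS_PER_YEAR = {"day": 365, "week": 52, "month": 12, "quarter": 4, "year": 1}

# The hints write some frequencies in words ("one every six months").
WORD_NUMBERS = {"one": 1, "two": 2, "three": 3, "four": 4, "five": 5, "six": 6,
                "seven": 7, "eight": 8, "nine": 9, "ten": 10, "twelve": 12}

# "<count> per <unit>" or "<count> every <n> <unit>s"; count and n are optional (default 1).
FREQ_RE = re.compile(
    r"(?:(?P<count>\w+)\s+)?(?:per|every)\s+(?:(?P<n>\w+)\s+)?"
    r"(?P<unit>day|week|month|quarter|year)s?",
    re.IGNORECASE,
)


def _number(token):
    if token is None:
        return 1.0
    token = token.lower()
    if token in WORD_NUMBERS:
        return float(WORD_NUMBERS[token])
    return float(token)  # raises ValueError on anything that is not a number


def aro(frequency):
    """Annualized rate of occurrence (incidents per year) from a frequency phrase."""
    # Drop filler words so "One incident per quarter" parses like "1 per quarter".
    text = re.sub(r"\b(incidents?|times?|occurrences?)\b", " ", frequency, flags=re.IGNORECASE)
    match = FREQ_RE.fullmatch(" ".join(text.split()))
    if match is None:
        raise ValueError(f"cannot parse frequency: {frequency!r}")
    count = _number(match.group("count"))
    every_n = _number(match.group("n"))
    return count * PERIODS_PER_YEAR[match.group("unit").lower()] / every_n


def ale(sle, frequency):
    """Annualized loss expectancy: ALE = SLE x ARO."""
    return sle * aro(frequency)


def cost_benefit(ale_pre, ale_post, acs):
    """Cost Benefit = ALE(precontrol) - ALE(postcontrol) - ACS; positive means the control pays off."""
    return ale_pre - ale_post - acs


# Table row from the hints: cost per incident is the SLE, frequency gives the ARO.
PROGRAMMER_MISTAKES = {"threat": "Programmer Mistakes", "sle": 5_000, "frequency": "1 per week"}

# Constructed post-control figures for 3(b) (assumptions, not from the assignment table):
# a review control that cuts programmer mistakes to one per month at $60,000 per year.
EXAMPLE_3B = {"frequency_post": "1 per month", "acs": 60_000}


def table_row(threat, sle, frequency):
    """One line of the 3(a) table as a dict: SLE, ARO and ALE for the threat."""
    return {"threat": threat, "sle": sle, "aro": aro(frequency), "ale": ale(sle, frequency)}


def programmer_mistakes_cba():
    """3(b) for the Programmer Mistakes row using the constructed post-control figures."""
    pre = ale(PROGRAMMER_MISTAKES["sle"], PROGRAMMER_MISTAKES["frequency"])
    post = ale(PROGRAMMER_MISTAKES["sle"], EXAMPLE_3B["frequency_post"])
    return cost_benefit(pre, post, EXAMPLE_3B["acs"])


if __name__ == "__main__":
    row = table_row(**PROGRAMMER_MISTAKES)
    print(f"{row['threat']}: SLE ${row['sle']:,}  ARO {row['aro']:g}  ALE ${row['ale']:,.0f}")
    print(f"Cost benefit of the constructed control: ${programmer_mistakes_cba():,.0f}")
```

Keep the ARO as a fraction rather than rounding it to a whole number: "one every 10 years" is an ARO of 0.1, and rounding it to 0 would make the ALE vanish and the cost-benefit figure of any control for that threat come out negative by the full ACS.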