Principles of Information Security (MindTap Course List)
Principles of Information Security (MindTap Course List)
6th Edition
ISBN: 9781337102063
Author: Michael E. Whitman, Herbert J. Mattord
Publisher: Cengage Learning
Question
Book Icon
Chapter 5, Problem 5E
Program Plan Intro

Annualized Rate Occurrence (ARO):

Annualized Rate Occurrence is the estimated frequency at which a given threat is expected to happen.

ARO can be calculated by using the following formula:

ARO = One yearFrequency of occurrence (1)

Annualized Loss Expectancy (ALE):

Annualized Loss Expectancy is the loss expected from the attack of a specific information asset which has been carried over for a year. It is a product of single loss expectancy and the annualized rate of occurrence.

ALE can be calculated by using the following formula:

ALE = SLE × ARO (2)

Cost-Benefit Analysis (CBA):

  • CBA is the study that determines the cost required for protecting an asset.
  • It is a process of feasibility which is carried with a formal documentation process. It is also called as economic feasibility study.
  • System value is an estimated total cost of the organization in terms of the cost of equipment, and more important, in terms of the cost of information stored in the system.

CBA can be calculated by using the following formula:

CBA = ALE(prior) - ALE(post) - ACS (3)

Here, the term ALE(prior) refers “Annualized Lost Expectancy for earlier assessment” and ALE(post) refers “Annualized Lost Expectancy for revised assessment” and ACS refers “Annualized Cost of a Safeguard”.

Expert Solution & Answer
Check Mark

Explanation of Solution

Calculate ARO for Programmer mistakes:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “ 36512 ” in the equation (1).

=36530.417=12

Hence, the ARO for programmer mistakes is “12 (approximately)”.

Calculate ARO for Loss if intellectual property:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “ 365×2 ”  in the equation (1).

=365365×2=0.5

Hence, the ARO for Loss if intellectual property is “0.5 (approximately)”.

Calculate ARO for Software Piracy:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “ 36512 ” in the equation (1).

=36530.417=12

Hence, the ARO for Software Piracy is “12 (approximately)”.

Calculate ARO for Theft of information (hacker):

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 6 months)” as “ 12 ” (i.e 3652 ) in the equation (1).

=365182.5=2

Hence, the ARO for Theft of information (hacker) is “2 (approximately)”.

Calculate ARO for Theft of information (employee):

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per year)” as “365” in the equation (1).

=365365=1

Hence, the ARO for Theft of Theft of information (employee) is “1 (approximately)”.

Calculate ARO for Web defacement:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per quarter)” as “ 14 ” (i.e 3654 ) in the equation (1).

=36591.25=4

Hence, the ARO for Web defacement is “4 (approximately)”.

Calculate ARO for Theft of equipment:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “ 365×2 ”  in the equation (1).

=365365×2=0.5

Hence, the ARO for Theft of equipment is “0.5 (approximately)”.

Calculate ARO for Viruses, worms, Trojan Horses:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “ 36512 ” in the equation (1).

=36530.417=12

Hence, the ARO for Viruses, worms, Trojan Horses is “12 (approximately)”.

Calculate ARO for Denial-of-service attacks:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 6 months)” as “ 12 ” (i.e 3652 ) in the equation (1).

=365182.5=2

Hence, the ARO for Denial-of-service attacks is “2 (approximately)”.

Calculate ARO for Earthquake:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 20 years)” as “ 365×20 ”  in the equation (1).

=3657300=0.05

Hence, the ARO for Earthquake is “0.05 (approximately)”.

Calculate ARO for Food:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “ 365×10 ”  in the equation (1).

=3653600=0.1

Hence, the ARO for Food is “0.1 (approximately)”.

Calculate ARO for Fire:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “ 365×10 ”  in the equation (1).

=3653600=0.1

Hence, the ARO for Fire is “0.1 (approximately)”.

Calculate ALE for Programmer mistakes:

Substitute the value of “SLE” as “5000” and “ARO” as “12” in the equation (2).

=5000×12=60000

Hence, the ALE for programmer mistakes is “60000”.

Calculate ALE for Loss if intellectual property:

Substitute the value of “SLE” as “75000” and “ARO” as “0.5” in the equation (2).

       =75000×0.5=37500

Hence, the ALE for Loss if intellectual property is “37500”.

Calculate ALE for Software Piracy:

Substitute the value of “SLE” as “500” and “ARO” as “12” in the equation (2).

       =500×12=6000

Hence, the ALE for Software Piracy is “6000”.

Calculate ALE for Theft of information(hacker):

Substitute the value of “SLE” as “2500” and “ARO” as “2” in the equation (2).

       =2500×2=5000

Hence, the ALE for Theft of information (hacker)is “5000”.

Calculate ALE for Theft of information (employee)

Substitute the value of “SLE” as “5000” and “ARO” as “1” in the equation (2).

       =5000×1=5000

Hence, the ALE for Theft of information (employee) is “5000”.

Calculate ALE for Web defacement:

Substitute the value of “SLE” as “500” and “ARO” as “4” in the equation (2).

       =500×4=2000

Hence, the ALE for Web defacement is “2000”.

Calculate ALE for Theft of equipment:

Substitute the value of “SLE” as “5000” and “ARO” as “0.5” in the equation (2).

       =5000×0.5=2500

Hence, the ALE for Theft of equipment is “2500”.

Calculate ALE for Viruses, worms, Trojan Horses:

Substitute the value of “SLE” as “1500” and “ARO” as “12” in the equation (2).

       =1500×12=18000

Hence, the ALE for Viruses, worms, Trojan Horses is “18000”.

Calculate ALE for Denial-of-service attacks:

Substitute the value of “SLE” as “2500” and “ARO” as “2” in the equation (2).

       =2500×2=5000

Hence, the ALE for Denial-of-service attacks is “5000”.

Calculate ALE for Earthquake:

Substitute the value of “SLE” as “250000” and “ARO” as “0.05” in the equation (2).

       =250000×0.05=12500

Hence, the ALE for Earthquake is “12500”.

Calculate ALE for Food:

Substitute the value of “SLE” as “50000” and “ARO” as “0.1” in the equation (2).

       =50000×0.1=5000

Hence, the ALE for Food is “5000”.

Calculate ALE for Fire:

Substitute the value of “SLE” as “100000” and “ARO” as “0.1” in the equation (2).

       =100000×0.1=10000

Hence, the ALE for Fire is “10000”.

To calculate CBA for Programmer mistakes:

Substitute the value of “ALE (prior)” as “260000” and “ALE (post)” as “60000” and “ACS” as “20000” in the equation (3).

CBA=ALE(prior)-ALE(post)-ACS=2600006000020000=180000

Hence, the CBA for programmer mistakes is “180000”.

To calculate CBA for Loss if intellectual property:

Substitute the value of “ALE (prior)” as “75000” and “ALE (post)” as “37500” and “ACS” as “15000” in the equation (3).

CBA=ALE(prior)-ALE(post)-ACS=750003750015000=22500

Hence, the CBA for Loss if intellectual property is “22500”.

To calculate CBA for Software Piracy:

Substitute the value of “ALE (prior)” as “26000” and “ALE (post)” as “6000” and “ACS” as “30000” in the equation (3).

CBA=ALE(prior)-ALE(post)-ACS=26000600030000=10000

Hence, the CBA for Software Piracy is “-10000”.

To calculate CBA for Theft of information (hacker):

Substitute the value of “ALE (prior)” as “10000” and “ALE (post)” as “5000” and “ACS” as “15000” in the equation (3).

CBA=ALE(prior)-ALE(post)-ACS=10000500015000=10000

Hence, the CBA for Theft of information (hacker) is “-10000”.

To calculate CBA for Theft of information (employee):

Substitute the value of “ALE (prior)” as “10000” and “ALE (post)” as “5000” and “ACS” as “15000” in the equation (3).

CBA=ALE(prior)-ALE(post)-ACS=10000500015000=10000

Hence, the CBA for Theft of information (employee) is “-10000”.

To calculate CBA for Web defacement:

Substitute the value of “ALE (prior)” as “6000” and “ALE (post)” as “2000” and “ACS” as “10000” in the equation (3).

CBA=ALE(prior)-ALE(post)-ACS=6000200010000=6000

Hence, the CBA for Web defacement is “-6000”.

To calculate CBA for Theft of equipment:

Substitute the value of “ALE (prior)” as “5000” and “ALE (post)” as “2500” and “ACS” as “15000” in the equation (3).

CBA=ALE(prior)-ALE(post)-ACS=5000250015000=12500

Hence, the CBA for Theft of equipment is “-12500”.

To calculate CBA for Viruses, worms, Trojan Horses:

Substitute the value of “ALE (prior)” as “78000” and “ALE (post)” as “18000” and “ACS” as “15000” in the equation (3).

CBA=ALE(prior)-ALE(post)-ACS=780001800015000=45000

Hence, the CBA for Viruses, worms, Trojan Horses is “45000”.

To calculate CBA for Denial-of-service attacks:

Substitute the value of “ALE (prior)” as “10000” and “ALE (post)” as “5000” and “ACS” as “10000” in the equation (3).

CBA=ALE(prior)-ALE(post)-ACS=10000500010000=5000

Hence, the CBA for Denial-of-service attacks is “-5000”.

To calculate CBA for Earthquake:

Substitute the value of “ALE (prior)” as “12500” and “ALE (post)” as “12500” and “ACS” as “5000” in the equation (3).

CBA=ALE(prior)-ALE(post)-ACS=12500125005000=5000

Hence, the CBA for Earthquake is “-5000”.

To calculate CBA for Food:

Substitute the value of “ALE (prior)” as “25000” and “ALE (post)” as “5000” and “ACS” as “10000” in the equation (3).

CBA=ALE(prior)-ALE(post)-ACS=25000500010000=10000

Hence, the CBA for Food is “10000”.

To calculate CBA for Fire:

Substitute the value of “ALE (prior)” as “50000” and “ALE (post)” as “10000” and “ACS” as “10000” in the equation (3).

CBA=ALE(prior)-ALE(post)-ACS=500001000010000=30000

Hence, the CBA for Fire is “30000”.

ARO and ALE table for all the threat cost is given below:

ARO and ALE threats SLE ARO ALE CBA
Programmer mistakes 5,000 12 60,000 180,000
Loss if intellectual property 75,000 0.5 37,500 22,500
Software Piracy 500 12 6,000 -10,000
Theft of information(hacker) 2,500 2 5,000 -10,000
Theft of information (employee) 5,000 1 5,000 -10,000
Web defacement 500 4 2,000 -6,000
Theft of equipment 5,000 0.5 2,500 -12,500
Viruses, worms, Trojan Horses 1,500 12 18,000 45,000
Denial-of-service attacks 2,500 2 5,000 -5000
Earthquake 250,000 0.05 12,500 -5,000
Food 50,000 0.1 5,000 10,000
Fire 100,000 0.1 10,000 30,000

Reason for changes in values:

Some values have been changed because of the implementation controls which had a positive impact on protection of XYZ’s assets. Thus, reducing the frequency of occurrences. However, the controls did not decrease cost for a single incident because the importance of an asset will stay the same and cost XYZ the same amount of time and money to replace. The costs that are listed are worth when the controls are in their place.

Want to see more full solutions like this?

Subscribe now to access step-by-step solutions to millions of textbook problems written by subject matter experts!
Students have asked these similar questions
Write at least 4 examples of how you arrive at the risk rating for a given threat by asking questions to quantify the DREAD categories?
Describe how the nett present value relates to the risk involved. Utilize mathematical models to back up your assertions over a wide range of scenarios with varied degrees of danger.
Give a brief description of each of the five risk-control strategies.
Knowledge Booster
Background pattern image
Similar questions
SEE MORE QUESTIONS
Recommended textbooks for you
Text book image
Principles of Information Security (MindTap Cours...
Computer Science
ISBN:9781337102063
Author:Michael E. Whitman, Herbert J. Mattord
Publisher:Cengage Learning
Text book image
Management Of Information Security
Computer Science
ISBN:9781337405713
Author:WHITMAN, Michael.
Publisher:Cengage Learning,