Risk Analysis Calculation


MIS 4850 Systems Security

Week3 Risk Analysis Exercises

Submission instructions:

1) Edit this Word file and type in your answers to the questions for Exercise 1 and Exercise 2.

2) When done, save the file to your flash disk and upload a copy to the Week 3 Risk Analysis Exercises dropbox.

Exercise 1

As a junior Security Analyst at Zinder Inc., your boss has asked you to perform a classic risk analysis to help the company decide whether or not to invest in one of the countermeasures it is planning to implement. The countermeasures are meant to protect the company’s multifunction server (valued at $15,000) and all the software and databases it hosts against security attacks. The value of the software and databases is estimated at $485,000. In the event of a successful attack, 80 percent of the asset’s value is expected to be lost. A successful attack is expected once every five years. Countermeasure A will cut the amount lost per incident by 75 percent. Countermeasure B will cut the frequency of successful attacks in half. Countermeasure A will cost $30,000 per year, while Countermeasure B will cost $5,000 per year.

Question 1: Conduct a classic risk analysis using the template below. Note: you need to calculate all the numbers and use them to complete this template (table).

                                             Base Case    Countermeasure A    Countermeasure B
Asset Value (AV)                             $500,000     $500,000            $500,000
Exposure Factor (EF)                         80%          20%                 80%
Single Loss Expectancy (SLE)                 $400,000     $100,000            $400,000
Annualized Rate of Occurrence (ARO)          20%          20%                 10%
Annualized Loss Expectancy (ALE)             $80,000      $20,000             $40,000
ALE Reduction for Countermeasure             NA           $60,000             $40,000
Annualized Countermeasure Cost               NA           $30,000             $5,000
Annualized Net Countermeasure Value          NA           $30,000             $35,000

Question 2: Based on the results of the risk analysis, which of the two countermeasures should Zinder Inc. implement (if any)? Explain your choice of countermeasure by providing supporting evidence from the results of the risk analysis you performed when answering Question 1.

Countermeasure B seems to be the best because:

· Its annualized cost is lower ($5,000 versus $30,000)

· Its annualized net value is also higher than the net value of A ($35,000 versus $30,000)

· Finally, it cuts the ARO in half, from 20% to 10%

Exercise 2:

A company has a resource XYZ. If there is a single breach of security, the company may face a fine of $100,000 and pay another $20,000 to clean up the breach. Based on statistics gathered by the SANS Government agency, an attack targeting the company’s assets is likely to be successful about once in five years. A proposed countermeasure should cut the frequency of occurrence in half. How much should the company be willing to pay for the countermeasure?

Question 1: Use your classic risk analysis skills to complete the template below based on the information provided in this case. Note: you need to calculate all the numbers.

                                             Base Case              With Countermeasure
Single Loss Expectancy (SLE)                 $120,000               $120,000
Annualized Rate of Occurrence (ARO)          20% (1 in 5 years)     10% (1/2 of base frequency)
Annualized Loss Expectancy (ALE)             $24,000                $12,000
ALE Reduction for Countermeasure                                    $12,000

Question 2: Based on the results of the risk analysis, what is the maximum that the company should be willing to pay for the countermeasure? Explain.

The countermeasure’s annualized expected benefit is $12,000 per year. The company should be willing to pay up to $12,000 annually, but no more. If the countermeasure’s cost is greater than $12,000, the annualized net value of the countermeasure will be negative.
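The calculation chain used in both exercises (AV × EF = SLE, SLE × ARO = ALE, ALE reduction minus annualized cost = net value) is small enough to encode once and reuse. The Python below is an added worked example, not part of the assignment document or the course materials; the dollar figures are the ones given in Exercise 1 and Exercise 2, while the class, function and field names (Scenario, net_countermeasure_value, best_choice) are this example's own. It generalizes slightly beyond the tables: the same function handles a countermeasure that changes EF (Countermeasure A), one that changes ARO (Countermeasure B), and a case where the per-incident loss is given directly (Exercise 2, treated as AV = $120,000 with EF = 100%).

```python
"""Classic (quantitative) risk analysis: AV, EF, SLE, ARO, ALE and the
annualized net value of a countermeasure.

Added example for the Week 3 exercises; not part of the original document.
Dollar figures come from the exercises; names are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One column of the risk-analysis template."""
    name: str
    asset_value: float        # AV in dollars
    exposure_factor: float    # EF: fraction of AV lost per incident (0..1)
    aro: float                # ARO: expected successful attacks per year
    annual_cost: float = 0.0  # annualized countermeasure cost (0 for base case)

    @property
    def sle(self) -> float:
        # Single Loss Expectancy: SLE = AV x EF
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        # Annualized Loss Expectancy: ALE = SLE x ARO
        return self.sle * self.aro


def net_countermeasure_value(base: Scenario, cm: Scenario) -> dict:
    """Return the countermeasure rows of the template.

    ALE reduction = base ALE - ALE with the countermeasure in place
    Net value     = ALE reduction - annualized countermeasure cost
    The ALE reduction is also the break-even price: paying more than it
    every year makes the net value negative.
    """
    reduction = base.ale - cm.ale
    return {
        "ale_reduction": reduction,
        "annual_cost": cm.annual_cost,
        "net_value": reduction - cm.annual_cost,
        "max_worth_paying": reduction,
    }


def exercise_1() -> dict:
    """Zinder Inc.: server ($15,000) plus software and databases ($485,000)."""
    av = 15_000 + 485_000                      # $500,000
    base = Scenario("Base", av, 0.80, 1 / 5)   # 80% lost, once in five years
    # A cuts the loss per incident by 75%: EF falls from 80% to 20%
    cm_a = Scenario("A", av, 0.80 * (1 - 0.75), 1 / 5, annual_cost=30_000)
    # B halves the frequency of successful attacks: ARO falls from 0.2 to 0.1
    cm_b = Scenario("B", av, 0.80, (1 / 5) / 2, annual_cost=5_000)
    return {
        "base_ale": base.ale,
        "A": net_countermeasure_value(base, cm_a),
        "B": net_countermeasure_value(base, cm_b),
    }


def exercise_2() -> dict:
    """Resource XYZ: loss per breach = $100,000 fine + $20,000 clean-up.

    The loss per breach is given directly, so it is modelled as AV = $120,000
    with EF = 100%, which makes SLE = $120,000 (an assumption of this example).
    The countermeasure's price is unknown; the result's max_worth_paying is
    the ceiling the company should accept.
    """
    sle = 100_000 + 20_000
    base = Scenario("Base", sle, 1.0, 1 / 5)
    cm = Scenario("With countermeasure", sle, 1.0, (1 / 5) / 2)
    return net_countermeasure_value(base, cm)


def best_choice(results: dict) -> str:
    """Name the countermeasure with the highest positive net value, or 'none'."""
    candidates = {k: v["net_value"] for k, v in results.items() if k != "base_ale"}
    best = max(candidates, key=candidates.get)
    return best if candidates[best] > 0 else "none"


if __name__ == "__main__":
    r1 = exercise_1()
    print(f"Exercise 1: base ALE ${r1['base_ale']:,.0f}")
    for cm in ("A", "B"):
        row = r1[cm]
        print(f"  {cm}: reduction ${row['ale_reduction']:,.0f}, "
              f"cost ${row['annual_cost']:,.0f}, net ${row['net_value']:,.0f}")
    print(f"  choose: {best_choice(r1)}")
    r2 = exercise_2()
    print(f"Exercise 2: pay at most ${r2['max_worth_paying']:,.0f} per year")
```

Running the script reproduces both tables: Countermeasure B wins in Exercise 1 with a net value of $35,000 against A's $30,000, and Exercise 2 yields a $12,000 annual ceiling. Because `net_countermeasure_value` takes any two scenarios, the same code can rank a countermeasure that changes EF, ARO or both.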