Annualized Rate Occurrence (ARO):
Annualized Rate Occurrence is the estimated frequency at which a given threat is expected to happen.
ARO can be calculated by using the following formula:
Annualized Loss Expectancy (ALE):
Annualized Loss Expectancy is the loss expected from the attack of a specific information asset which has been carried over for a year. It is a product of single loss expectancy and the annualized rate of occurrence.
ALE can be calculated by using the following formula:
Cost-Benefit Analysis (CBA):
- CBA is the study that determines the cost required for protecting an asset.
- It is a process of feasibility which is carried with a formal documentation process. It is also called as economic feasibility study.
- System value is an estimated total cost of the organization in terms of the cost of equipment, and more important, in terms of the cost of information stored in the system.
CBA can be calculated by using the following formula:
Here, the term
Explanation of Solution
Calculate ARO for Programmer mistakes:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “
Hence, the ARO for programmer mistakes is “12 (approximately)”.
Calculate ARO for Loss if intellectual property:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “
Hence, the ARO for Loss if intellectual property is “0.5 (approximately)”.
Calculate ARO for Software Piracy:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “
Hence, the ARO for Software Piracy is “12 (approximately)”.
Calculate ARO for Theft of information (hacker):
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 6 months)” as “
Hence, the ARO for Theft of information (hacker) is “2 (approximately)”.
Calculate ARO for Theft of information (employee):
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per year)” as “365” in the equation (1).
Hence, the ARO for Theft of Theft of information (employee) is “1 (approximately)”.
Calculate ARO for Web defacement:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per quarter)” as “
Hence, the ARO for Web defacement is “4 (approximately)”.
Calculate ARO for Theft of equipment:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “
Hence, the ARO for Theft of equipment is “0.5 (approximately)”.
Calculate ARO for Viruses, worms, Trojan Horses:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “
Hence, the ARO for Viruses, worms, Trojan Horses is “12 (approximately)”.
Calculate ARO for Denial-of-service attacks:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 6 months)” as “
Hence, the ARO for Denial-of-service attacks is “2 (approximately)”.
Calculate ARO for Earthquake:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 20 years)” as “
Hence, the ARO for Earthquake is “0.05 (approximately)”.
Calculate ARO for Food:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “
Hence, the ARO for Food is “0.1 (approximately)”.
Calculate ARO for Fire:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “
Hence, the ARO for Fire is “0.1 (approximately)”.
Calculate ALE for Programmer mistakes:
Substitute the value of “SLE” as “5000” and “ARO” as “12” in the equation (2).
Hence, the ALE for programmer mistakes is “60000”.
Calculate ALE for Loss if intellectual property:
Substitute the value of “SLE” as “75000” and “ARO” as “0.5” in the equation (2).
Hence, the ALE for Loss if intellectual property is “37500”.
Calculate ALE for Software Piracy:
Substitute the value of “SLE” as “500” and “ARO” as “12” in the equation (2).
Hence, the ALE for Software Piracy is “6000”.
Calculate ALE for Theft of information(hacker):
Substitute the value of “SLE” as “2500” and “ARO” as “2” in the equation (2).
Hence, the ALE for Theft of information (hacker)is “5000”.
Calculate ALE for Theft of information (employee)
Substitute the value of “SLE” as “5000” and “ARO” as “1” in the equation (2).
Hence, the ALE for Theft of information (employee) is “5000”.
Calculate ALE for Web defacement:
Substitute the value of “SLE” as “500” and “ARO” as “4” in the equation (2).
Hence, the ALE for Web defacement is “2000”.
Calculate ALE for Theft of equipment:
Substitute the value of “SLE” as “5000” and “ARO” as “0.5” in the equation (2).
Hence, the ALE for Theft of equipment is “2500”.
Calculate ALE for Viruses, worms, Trojan Horses:
Substitute the value of “SLE” as “1500” and “ARO” as “12” in the equation (2).
Hence, the ALE for Viruses, worms, Trojan Horses is “18000”.
Calculate ALE for Denial-of-service attacks:
Substitute the value of “SLE” as “2500” and “ARO” as “2” in the equation (2).
Hence, the ALE for Denial-of-service attacks is “5000”.
Calculate ALE for Earthquake:
Substitute the value of “SLE” as “250000” and “ARO” as “0.05” in the equation (2).
Hence, the ALE for Earthquake is “12500”.
Calculate ALE for Food:
Substitute the value of “SLE” as “50000” and “ARO” as “0.1” in the equation (2).
Hence, the ALE for Food is “5000”.
Calculate ALE for Fire:
Substitute the value of “SLE” as “100000” and “ARO” as “0.1” in the equation (2).
Hence, the ALE for Fire is “10000”.
To calculate CBA for Programmer mistakes:
Substitute the value of “ALE (prior)” as “260000” and “ALE (post)” as “60000” and “ACS” as “20000” in the equation (3).
Hence, the CBA for programmer mistakes is “180000”.
To calculate CBA for Loss if intellectual property:
Substitute the value of “ALE (prior)” as “75000” and “ALE (post)” as “37500” and “ACS” as “15000” in the equation (3).
Hence, the CBA for Loss if intellectual property is “22500”.
To calculate CBA for Software Piracy:
Substitute the value of “ALE (prior)” as “26000” and “ALE (post)” as “6000” and “ACS” as “30000” in the equation (3).
Hence, the CBA for Software Piracy is “-10000”.
To calculate CBA for Theft of information (hacker):
Substitute the value of “ALE (prior)” as “10000” and “ALE (post)” as “5000” and “ACS” as “15000” in the equation (3).
Hence, the CBA for Theft of information (hacker) is “-10000”.
To calculate CBA for Theft of information (employee):
Substitute the value of “ALE (prior)” as “10000” and “ALE (post)” as “5000” and “ACS” as “15000” in the equation (3).
Hence, the CBA for Theft of information (employee) is “-10000”.
To calculate CBA for Web defacement:
Substitute the value of “ALE (prior)” as “6000” and “ALE (post)” as “2000” and “ACS” as “10000” in the equation (3).
Hence, the CBA for Web defacement is “-6000”.
To calculate CBA for Theft of equipment:
Substitute the value of “ALE (prior)” as “5000” and “ALE (post)” as “2500” and “ACS” as “15000” in the equation (3).
Hence, the CBA for Theft of equipment is “-12500”.
To calculate CBA for Viruses, worms, Trojan Horses:
Substitute the value of “ALE (prior)” as “78000” and “ALE (post)” as “18000” and “ACS” as “15000” in the equation (3).
Hence, the CBA for Viruses, worms, Trojan Horses is “45000”.
To calculate CBA for Denial-of-service attacks:
Substitute the value of “ALE (prior)” as “10000” and “ALE (post)” as “5000” and “ACS” as “10000” in the equation (3).
Hence, the CBA for Denial-of-service attacks is “-5000”.
To calculate CBA for Earthquake:
Substitute the value of “ALE (prior)” as “12500” and “ALE (post)” as “12500” and “ACS” as “5000” in the equation (3).
Hence, the CBA for Earthquake is “-5000”.
To calculate CBA for Food:
Substitute the value of “ALE (prior)” as “25000” and “ALE (post)” as “5000” and “ACS” as “10000” in the equation (3).
Hence, the CBA for Food is “10000”.
To calculate CBA for Fire:
Substitute the value of “ALE (prior)” as “50000” and “ALE (post)” as “10000” and “ACS” as “10000” in the equation (3).
Hence, the CBA for Fire is “30000”.
ARO and ALE table for all the threat cost is given below:
ARO and ALE threats | SLE | ARO | ALE | CBA |
Programmer mistakes | 5,000 | 12 | 60,000 | 180,000 |
Loss if intellectual property | 75,000 | 0.5 | 37,500 | 22,500 |
Software Piracy | 500 | 12 | 6,000 | -10,000 |
Theft of information(hacker) | 2,500 | 2 | 5,000 | -10,000 |
Theft of information (employee) | 5,000 | 1 | 5,000 | -10,000 |
Web defacement | 500 | 4 | 2,000 | -6,000 |
Theft of equipment | 5,000 | 0.5 | 2,500 | -12,500 |
Viruses, worms, Trojan Horses | 1,500 | 12 | 18,000 | 45,000 |
Denial-of-service attacks | 2,500 | 2 | 5,000 | -5000 |
Earthquake | 250,000 | 0.05 | 12,500 | -5,000 |
Food | 50,000 | 0.1 | 5,000 | 10,000 |
Fire | 100,000 | 0.1 | 10,000 | 30,000 |
Reason for changes in values:
Some values have been changed because of the implementation controls which had a positive impact on protection of XYZ’s assets. Thus, reducing the frequency of occurrences. However, the controls did not decrease cost for a single incident because the importance of an asset will stay the same and cost XYZ the same amount of time and money to replace. The costs that are listed are worth when the controls are in their place.
Want to see more full solutions like this?
Chapter 5 Solutions
Principles of Information Security (MindTap Course List)
- The output of Risk decomposition is: Select one: a. Risk description b. Root cause analysis c. Dependibility requirements d. Risk assessmentarrow_forwardWhich five risk-control strategies should be mentioned and quickly explained?arrow_forwardIn this section, you will prepare a risk mitigation plan using SimpleRisk. Before using SimpleRisk, you will create a paper-based plan. You will need to create three security controls in your risk mitigation plan: one control that reduces the asset value, one that reduces the vulnerability severity, and one that reduces the threat impact. Your security controls should also include examples of both strategic and tactical controls. You can refer to the following table for a clearer picture of the requirements. Security Control Reduces Level (strategic/tactical) Asset value Vulnerability severity Threat Impact Define three security controls designed to mitigate the risk associated with a recent leak of sensitive information that was stored in cleartext files. Once you have identified your security controls, use SimpleRisk to create a Risk Mitigation plan. You do not need to perform a management review in this section.arrow_forward
- After reading the case presented in the module, write a short response to the following discussion questions and ethical decision making scenario. Discussion Questions Before the discussion at the start of this chapter, how do Fred, Gladys, and Charlie each perceive the scope and scale of the new information security effort? Did Fred’s perception change after that? How should Fred measure success when he evaluates Gladys’ performance for this project? How should he evaluate Charlie’s performance? Which of the threats discussed in this chapter should receive Charlie’s attention early in his planning process?arrow_forwardThere should be a list with brief explanations of the five risk-control approaches.arrow_forwardSpiral model is a. phase-driven model b. risk-driven model c. risk-process model d. risk-safe modelarrow_forward
- Risk tolerance and residual hazards must be specified. Using a real-world example, the trade-off between risk appetite and residual risk may be shown.arrow_forward1. For each of the resources in the network diagram above, specify one possible risk. Also, use a ranking system of 1 to 5, where “5” is the most critical for the likelihood of occurrence and degree of impact. Based on any tool or formula you would like to implement, list and prioritize the risks to start with.arrow_forwardA list and short description of the five risk-control strategies should be provided.arrow_forward
- Can you distinguish between inherent and control risk?arrow_forwardPlace the capital letter of the control goal that best matches the situation described. Provide a one- or two-sentence explanation of how the situation relates to the control goal you selected. If you select more than one control goal for a situation, provide an explanation for each that you select. Hint: Some letters may be used more than once. Conversely, some letters may not apply at all. Control Goals Ensure effectiveness of operations Ensure efficient employment of resources Ensure security of resources Ensure input validity Ensure input completeness Ensure input accuracy Ensure update completeness Ensure update accuracy Situations An accounts payable clerk at C&C Company enters vendor invoices into the computer. When the invoices for a particular day were entered, the computer noted that vendor invoice 12345 appeared twice. The computer rejected the second entry (i.e., the duplicate, the invoice with the same number). In entering the invoices mentioned in situation 1, the…arrow_forwardDefine risk appetite and residual hazards. Real-world scenarios may demonstrate the risk appetite-residual risk trade-off.arrow_forward
- Principles of Information Security (MindTap Cours...Computer ScienceISBN:9781337102063Author:Michael E. Whitman, Herbert J. MattordPublisher:Cengage LearningManagement Of Information SecurityComputer ScienceISBN:9781337405713Author:WHITMAN, Michael.Publisher:Cengage Learning,