Annualized Rate Occurrence (ARO):
Annualized Rate Occurrence is the estimated frequency at which a given threat is expected to happen.
ARO can be calculated by using the following formula:
Annualized Loss Expectancy (ALE):
Annualized loss expectancy is the loss expected from the attack of a specific information asset which has been carried over for a year. It is a product of single loss expectancy and the annualized rate of occurrence.
ALE can be calculated by using the following formula:
Explanation of Solution
Calculate ARO for Programmer mistakes:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per week)” as “7” in the equation (1).
Hence, the ARO for programmer mistakes is “52 (approximately)”.
Calculate ARO for Loss if intellectual property:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per year)” as “365” in the equation (1).
Hence, the ARO for Loss if intellectual property is “1 (approximately)”.
Calculate ARO for Software Piracy:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per week)” as “7” in the equation (1).
Hence, the ARO for Software Piracy is “52 (approximately)”.
Calculate ARO for Theft of information (hacker):
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per quarter)” as “
Hence, the ARO for Theft of information (hacker) is “4 (approximately)”.
Calculate ARO for Theft of information (employee):
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 6 months)” as “
Hence, the ARO for Theft of Theft of information (employee) is “2 (approximately)”.
Calculate ARO for Web defacement:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “
Hence, the ARO for Web defacement is “12 (approximately)”.
Calculate ARO for Theft of equipment:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per year)” as “365” in the equation (1).
Hence, the ARO for Theft of equipment is “1 (approximately)”.
Calculate ARO for Viruses, worms, Trojan Horses:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per week)” as “7” in the equation (1).
Hence, the ARO for Viruses, worms, Trojan Horses is “52 (approximately)”.
Calculate ARO for Denial-of-service attacks:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per quarter)” as “
Hence, the ARO for Denial-of-service attacks is “4 (approximately)”.
Calculate ARO for Earthquake:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 20 years)” as “
Hence, the ARO for Earthquake is “0.05 (approximately)”.
Calculate ARO for Food:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “
Hence, the ARO for Food is “0.1 (approximately)”.
Calculate ARO for Fire:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “
Hence, the ARO for Fire is “0.1 (approximately)”.
Calculate ALE for Programmer mistakes:
Substitute the value of “SLE” as “5000” and “ARO” as “52” in the equation (2).
Hence, the ALE for programmer mistakes is “260000”.
Calculate ALE for Loss if intellectual property:
Substitute the value of “SLE” as “75000” and “ARO” as “1” in the equation (2).
Hence, the ALE for Loss if intellectual property is “75000”.
Calculate ALE for Software Piracy:
Substitute the value of “SLE” as “500” and “ARO” as “52” in the equation (2).
Hence, the ALE for Software Piracy is “26000”.
Calculate ALE for Theft of information(hacker):
Substitute the value of “SLE” as “2500” and “ARO” as “4” in the equation (2).
Hence, the ALE for Theft of information (hacker)is “10000”.
Calculate ALE for Theft of information (employee)
Substitute the value of “SLE” as “5000” and “ARO” as “2” in the equation (2).
Hence, the ALE for Theft of information (employee) is “10000”.
Calculate ALE for Web defacement:
Substitute the value of “SLE” as “500” and “ARO” as “12” in the equation (2).
Hence, the ALE for Web defacement is “6000”.
Calculate ALE for Theft of equipment:
Substitute the value of “SLE” as “5000” and “ARO” as “1” in the equation (2).
Hence, the ALE for Theft of equipment is “6000”.
Calculate ALE for Viruses, worms, Trojan Horses:
Substitute the value of “SLE” as “1500” and “ARO” as “52” in the equation (2).
Hence, the ALE for Viruses, worms, Trojan Horses is “78000”.
Calculate ALE for Denial-of-service attacks:
Substitute the value of “SLE” as “2500” and “ARO” as “4” in the equation (2).
Hence, the ALE for Denial-of-service attacks is “10000”.
Calculate ALE for Earthquake:
Substitute the value of “SLE” as “250000” and “ARO” as “0.05” in the equation (2).
Hence, the ALE for Earthquake is “12500”.
Calculate ALE for Food:
Substitute the value of “SLE” as “250000” and “ARO” as “0.1” in the equation (2).
Hence, the ALE for Food is “25000”.
Calculate ALE for Fire:
Substitute the value of “SLE” as “500000” and “ARO” as “0.1” in the equation (2).
Hence, the ALE for Fire is “50000”.
ARO and ALE table for all the threat cost is given below:
ARO and ALE threat cost | ARO | ALE |
Programmer mistakes | 52 | $260,000 |
Loss if intellectual property | 1 | $75,000 |
Software Piracy | 52 | $26,000 |
Theft of information(hacker) | 4 | $10,000 |
Theft of information (employee) | 2 | $10,000 |
Web defacement | 12 | $6,000 |
Theft of equipment | 1 | $5,000 |
Viruses, worms, Trojan Horses | 52 | $78,000 |
Denial-of-service attacks | 4 | $10,000 |
Earthquake | 0.05 | $12,500 |
Food | 0.1 | $25,000 |
Fire | 0.1 | $50,000 |
Want to see more full solutions like this?
Chapter 5 Solutions
EBK PRINCIPLES OF INFORMATION SECURITY
- How might XYZ Software Company arrive at the values in the table shown in Exercise 3? For each entry, describe the process of determining the cost per incident and frequency of occurrence.arrow_forwardQ2. What would be the risk assessment matrix & sequence diagram for WhatsApp?arrow_forwardFor your client, a regional distribution center for an auto parts manufacturer, please explain the differences between a qualitative and quantitative approach to risk assessment. Be sure to discuss, why a schema is important and how it will be defined and used in the assessment you are discussing.arrow_forward
- After reading examples in the book, provide an example of an asset that is important to you, a threat that could impact that asset and what is the likelihood that asset is vulnerable to that threat?arrow_forwardDetermining if estimated threats are real threats is the goal of what phase? Static Analysis Dynamic Analysis Casing the Joint Takedownarrow_forwardWhich of the following is true regarding vulnerability appraisal? a. Vulnerability appraisal is always the easiest and quickest step. b. Every asset must be viewed in light of each threat. c. Each threat could reveal multiple vulnerabilities. d. Each vulnerability should be cataloged.arrow_forward
- You are the new information security consultant company for the XYZ Group, a medium-sized software development company. Before hiring you, the company had been plagued with security incidents that are listed below. Management has asked you to help assess the risk and conduct a cost/benefit analysis of proposed solutions. Incident #1: Two years ago, plans for a new product were leaked onto the Internet, and as a result a competitor was able to produce a rival version of the software and get it to market first. XYZ estimates that sales of that software, which were expected to be at $1 million annually, were reduced by 50% due to the information leakage. Next year, the company is planning to introduce a new software that will be a major upgrade to the previous model. It should regain the company's market share in that product line. The cost for averting a similar information leak for the new product is not yet known, but training the staff, which would cost about $50,000 per year, is…arrow_forwardyou are required using your own words to discuss each of the topics below. You need to limit your discussion on each topic to be between 200 to 400 words. Risk Management Strategies in Software Engineeringarrow_forwardThreat modeling is a risk assessment approach for analyzing security of an application. Briefly identify and explain the various stages in threat modelling.Using you knowledge in the modelling approach, design a threat model for you organization with any 5 types of security threatsarrow_forward
- Using a project that aims at developing an online banking system for a Canadian bank, identify 3 areas where you expect to see the highest security risks. Explain what types of risks may be associated with the identified areas, and indicate what types of tests you will need to carry out to fully incorporate security as part of the overall Software testing & Quality Assurance in the projectarrow_forwardSuppose there is a big ABC organization which offers different products for their customers. When the said organization develops the different products for customers, then there is a possibility of different hazards, which may affect the process of development. What type of procedure and process should be follow by management department for risk management to avoid or mitigate the incoming risks, to produce better quality products at the end?arrow_forwardCOSO ERM 2017 is a risk management method for evaluating a company's prospective and real threats and benefits.arrow_forward
- Management Of Information SecurityComputer ScienceISBN:9781337405713Author:WHITMAN, Michael.Publisher:Cengage Learning,Principles of Information Security (MindTap Cours...Computer ScienceISBN:9781337102063Author:Michael E. Whitman, Herbert J. MattordPublisher:Cengage LearningInformation Technology Project ManagementComputer ScienceISBN:9781337101356Author:Kathy SchwalbePublisher:Cengage Learning
- Principles of Information Systems (MindTap Course...Computer ScienceISBN:9781305971776Author:Ralph Stair, George ReynoldsPublisher:Cengage Learning