Annualized Rate Occurrence (ARO):
Annualized Rate Occurrence is the estimated frequency at which a given threat is expected to happen.
ARO can be calculated by using the following formula:
Annualized Loss Expectancy (ALE):
Annualized Loss Expectancy is the loss expected from the attack of a specific information asset which has been carried over for a year. It is a product of single loss expectancy and the annualized rate of occurrence.
ALE can be calculated by using the following formula:
Cost-Benefit Analysis (CBA):
- CBA is the study that determines the cost required for protecting an asset.
- It is a process of feasibility which is carried with a formal documentation process. It is also called as economic feasibility study.
- System value is an estimated total cost of the organization in terms of the cost of equipment, and more important, in terms of the cost of information stored in the system.
CBA can be calculated by using the following formula:
Here, the term
Explanation of Solution
Calculate ARO for Programmer mistakes:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “
Hence, the ARO for programmer mistakes is “12 (approximately)”.
Calculate ARO for Loss if intellectual property:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “
Hence, the ARO for Loss if intellectual property is “0.5 (approximately)”.
Calculate ARO for Software Piracy:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “
Hence, the ARO for Software Piracy is “12 (approximately)”.
Calculate ARO for Theft of information (hacker):
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 6 months)” as “
Hence, the ARO for Theft of information (hacker) is “2 (approximately)”.
Calculate ARO for Theft of information (employee):
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per year)” as “365” in the equation (1).
Hence, the ARO for Theft of Theft of information (employee) is “1 (approximately)”.
Calculate ARO for Web defacement:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per quarter)” as “
Hence, the ARO for Web defacement is “4 (approximately)”.
Calculate ARO for Theft of equipment:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “
Hence, the ARO for Theft of equipment is “0.5 (approximately)”.
Calculate ARO for Viruses, worms, Trojan Horses:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “
Hence, the ARO for Viruses, worms, Trojan Horses is “12 (approximately)”.
Calculate ARO for Denial-of-service attacks:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 6 months)” as “
Hence, the ARO for Denial-of-service attacks is “2 (approximately)”.
Calculate ARO for Earthquake:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 20 years)” as “
Hence, the ARO for Earthquake is “0.05 (approximately)”.
Calculate ARO for Food:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “
Hence, the ARO for Food is “0.1 (approximately)”.
Calculate ARO for Fire:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “
Hence, the ARO for Fire is “0.1 (approximately)”.
Calculate ALE for Programmer mistakes:
Substitute the value of “SLE” as “5000” and “ARO” as “12” in the equation (2).
Hence, the ALE for programmer mistakes is “60000”.
Calculate ALE for Loss if intellectual property:
Substitute the value of “SLE” as “75000” and “ARO” as “0.5” in the equation (2).
Hence, the ALE for Loss if intellectual property is “37500”.
Calculate ALE for Software Piracy:
Substitute the value of “SLE” as “500” and “ARO” as “12” in the equation (2).
Hence, the ALE for Software Piracy is “6000”.
Calculate ALE for Theft of information(hacker):
Substitute the value of “SLE” as “2500” and “ARO” as “2” in the equation (2).
Hence, the ALE for Theft of information (hacker)is “5000”.
Calculate ALE for Theft of information (employee)
Substitute the value of “SLE” as “5000” and “ARO” as “1” in the equation (2).
Hence, the ALE for Theft of information (employee) is “5000”.
Calculate ALE for Web defacement:
Substitute the value of “SLE” as “500” and “ARO” as “4” in the equation (2).
Hence, the ALE for Web defacement is “2000”.
Calculate ALE for Theft of equipment:
Substitute the value of “SLE” as “5000” and “ARO” as “0.5” in the equation (2).
Hence, the ALE for Theft of equipment is “2500”.
Calculate ALE for Viruses, worms, Trojan Horses:
Substitute the value of “SLE” as “1500” and “ARO” as “12” in the equation (2).
Hence, the ALE for Viruses, worms, Trojan Horses is “18000”.
Calculate ALE for Denial-of-service attacks:
Substitute the value of “SLE” as “2500” and “ARO” as “2” in the equation (2).
Hence, the ALE for Denial-of-service attacks is “5000”.
Calculate ALE for Earthquake:
Substitute the value of “SLE” as “250000” and “ARO” as “0.05” in the equation (2).
Hence, the ALE for Earthquake is “12500”.
Calculate ALE for Food:
Substitute the value of “SLE” as “50000” and “ARO” as “0.1” in the equation (2).
Hence, the ALE for Food is “5000”.
Calculate ALE for Fire:
Substitute the value of “SLE” as “100000” and “ARO” as “0.1” in the equation (2).
Hence, the ALE for Fire is “10000”.
To calculate CBA for Programmer mistakes:
Substitute the value of “ALE (prior)” as “260000” and “ALE (post)” as “60000” and “ACS” as “20000” in the equation (3).
Hence, the CBA for programmer mistakes is “180000”.
To calculate CBA for Loss if intellectual property:
Substitute the value of “ALE (prior)” as “75000” and “ALE (post)” as “37500” and “ACS” as “15000” in the equation (3).
Hence, the CBA for Loss if intellectual property is “22500”.
To calculate CBA for Software Piracy:
Substitute the value of “ALE (prior)” as “26000” and “ALE (post)” as “6000” and “ACS” as “30000” in the equation (3).
Hence, the CBA for Software Piracy is “-10000”.
To calculate CBA for Theft of information (hacker):
Substitute the value of “ALE (prior)” as “10000” and “ALE (post)” as “5000” and “ACS” as “15000” in the equation (3).
Hence, the CBA for Theft of information (hacker) is “-10000”.
To calculate CBA for Theft of information (employee):
Substitute the value of “ALE (prior)” as “10000” and “ALE (post)” as “5000” and “ACS” as “15000” in the equation (3).
Hence, the CBA for Theft of information (employee) is “-10000”.
To calculate CBA for Web defacement:
Substitute the value of “ALE (prior)” as “6000” and “ALE (post)” as “2000” and “ACS” as “10000” in the equation (3).
Hence, the CBA for Web defacement is “-6000”.
To calculate CBA for Theft of equipment:
Substitute the value of “ALE (prior)” as “5000” and “ALE (post)” as “2500” and “ACS” as “15000” in the equation (3).
Hence, the CBA for Theft of equipment is “-12500”.
To calculate CBA for Viruses, worms, Trojan Horses:
Substitute the value of “ALE (prior)” as “78000” and “ALE (post)” as “18000” and “ACS” as “15000” in the equation (3).
Hence, the CBA for Viruses, worms, Trojan Horses is “45000”.
To calculate CBA for Denial-of-service attacks:
Substitute the value of “ALE (prior)” as “10000” and “ALE (post)” as “5000” and “ACS” as “10000” in the equation (3).
Hence, the CBA for Denial-of-service attacks is “-5000”.
To calculate CBA for Earthquake:
Substitute the value of “ALE (prior)” as “12500” and “ALE (post)” as “12500” and “ACS” as “5000” in the equation (3).
Hence, the CBA for Earthquake is “-5000”.
To calculate CBA for Food:
Substitute the value of “ALE (prior)” as “25000” and “ALE (post)” as “5000” and “ACS” as “10000” in the equation (3).
Hence, the CBA for Food is “10000”.
To calculate CBA for Fire:
Substitute the value of “ALE (prior)” as “50000” and “ALE (post)” as “10000” and “ACS” as “10000” in the equation (3).
Hence, the CBA for Fire is “30000”.
ARO and ALE table for all the threat cost is given below:
ARO and ALE threats | SLE | ARO | ALE | CBA |
Programmer mistakes | 5,000 | 12 | 60,000 | 180,000 |
Loss if intellectual property | 75,000 | 0.5 | 37,500 | 22,500 |
Software Piracy | 500 | 12 | 6,000 | -10,000 |
Theft of information(hacker) | 2,500 | 2 | 5,000 | -10,000 |
Theft of information (employee) | 5,000 | 1 | 5,000 | -10,000 |
Web defacement | 500 | 4 | 2,000 | -6,000 |
Theft of equipment | 5,000 | 0.5 | 2,500 | -12,500 |
Viruses, worms, Trojan Horses | 1,500 | 12 | 18,000 | 45,000 |
Denial-of-service attacks | 2,500 | 2 | 5,000 | -5000 |
Earthquake | 250,000 | 0.05 | 12,500 | -5,000 |
Food | 50,000 | 0.1 | 5,000 | 10,000 |
Fire | 100,000 | 0.1 | 10,000 | 30,000 |
Reason for changes in values:
Some values have been changed because of the implementation controls which had a positive impact on protection of XYZ’s assets. Thus, reducing the frequency of occurrences. However, the controls did not decrease cost for a single incident because the importance of an asset will stay the same and cost XYZ the same amount of time and money to replace. The costs that are listed are worth when the controls are in their place.
Want to see more full solutions like this?
Chapter 5 Solutions
Principles of Information Security (MindTap Course List)
- Determine whether the dangers are within your control. Which part of risk management is accountable for addressing these threats? Are they able to be quantified?arrow_forwardPerform an abbreviated risk management study on your personal computer. Conduct an asset identification, threat identification, vulnerability appraisal, risk assessment, and risk mitigation. Under each category, list the elements that pertain to your system. What major vulnerabilities did you uncover? How can you mitigate these risks? What is your plan for securing your personal system? Are you going to implement the plan? Why or why not?arrow_forwardWhich of the following is true regarding vulnerability appraisal? a. Vulnerability appraisal is always the easiest and quickest step. b. Every asset must be viewed in light of each threat. c. Each threat could reveal multiple vulnerabilities. d. Each vulnerability should be cataloged.arrow_forward
- It is important to understand that the distinction between Response and Recovery is often a fuzzy one, and that the end of one phase and the beginning of another depends on the Incident Commander declaring it to be so. Explain why the Recovery phase can be considered as a "window of opportunity" for Risk Reduction, and describe some kinds of Risk Reduction measures that are easier to achieve during Recovery than at other times (and WHY are they easier?).arrow_forwardFirst, let's evaluate the similarities and differences between two extremes: dangers and attacks. Provide evidence to support your assertion.arrow_forwardExecute a condensed risk management analysis on your computer. It is necessary to identify assets, analyse threats, assess vulnerabilities, evaluate risks, and take risk mitigation measures. Make a list of the parts that each category applies to in your system. What grave errors did you discover? How may these risks be diminished? What safety precautions have you taken with your own computer? Do you intend to follow through on the plan? Otherwise, why not?arrow_forward
- After reading examples in the book, provide an example of an asset that is important to you, a threat that could impact that asset and what is the likelihood that asset is vulnerable to that threat?arrow_forwardWhat is difference between Risk and Threat?arrow_forwardAssume a year has passed and XYZ has improved its security. Using the following table, calculate the SLE, ARO, and ALE for each threat category listed. YXZ Software Company (Asset Value: $1,200,000 Threat Category Cost per Incident Frequency of Occurrence Cost of Controls Type of Control Programmer mistakes $5,000 1 per month $20,000 Training Loss of intellectual property $75,000 1 per 2 years $15,000 Firewall/IDS Software piracy $500 1 per month $30,000 Firewall/IDS Theft of information (hacker) $2,500 1 per 6 months $15,000 Firewall/IDS Threat of information (employees) $5,00 1 per year $15,000 Physical security Web defacement $500 1 per quarter $10,000 Firewall Theft of equipment $5,000 1 per 2 years $15,000 Physical security Viruses, worms, Trojan horses $1,500 1 per month $15,000 Antivirus Denial-of-service attack $2,500 1 per 6 months $10,000 Firewall…arrow_forward
- A company sells products through its webpage. An attacker finds a way to inject commands into their website and retrieve information. The company stores its data unencrypted and uses a weak password for the main server. The company lost major customers’ information due to a hacking incident. From the above scenario, A. Which CIA security model elements were affected in this scenario? a.Define and identify the threat, vulnerability, and impact in this scenario? b.Suggestsome security controls, at least 3, that can be used to secure the system.arrow_forwardFor your initial post, select two parameters in the first column of Table 1 in Section IV of the article A Study of Methodologies Used in Intrusion Detection and Prevention Systems (IDPS). Then describe a situation in which those two parameters would be the most important evaluation criteria. Your situation should be informed by relevant variables from the following list: Industry (e.g., e-commerce, financial, medical) Security team capabilities and skills Potential threat actor motivation (e.g., theft of data, money, or intellectual property; denial of service; political gain)arrow_forwardYour organization has delegated to you the responsibility of developing a program for risk management. The Chief Executive Officer of the company recently requested you to succinctly explain the relationship between impact, danger, and vulnerability. Create hastily a single statement that elucidates the interaction between the parties.arrow_forward
- Principles of Information Security (MindTap Cours...Computer ScienceISBN:9781337102063Author:Michael E. Whitman, Herbert J. MattordPublisher:Cengage LearningManagement Of Information SecurityComputer ScienceISBN:9781337405713Author:WHITMAN, Michael.Publisher:Cengage Learning,Principles of Information Systems (MindTap Course...Computer ScienceISBN:9781285867168Author:Ralph Stair, George ReynoldsPublisher:Cengage Learning
- Fundamentals of Information SystemsComputer ScienceISBN:9781337097536Author:Ralph Stair, George ReynoldsPublisher:Cengage Learning