Management Of Information Security
6th Edition
ISBN: 9781337405713
Author: WHITMAN, Michael.
Publisher: Cengage Learning,
Question
Chapter 7, Problem 2E
Program Plan Intro
Single Loss Expectancy:
- The expected monetary loss every time a risk occurs is called the Single Loss Expectancy (SLE).
- The Single Loss Expectancy (SLE), Exposure Factor (EF) and Asset Value (AV) are related by the formula:
- SLE = EF * AV
- Breaking the Single Loss Expectancy into Exposure Factor and Asset Value lets the two terms be estimated and adjusted independently, which is what makes the measure useful in risk assessment and risk management.
- Asset Value may vary with market changes and inflation, while Exposure Factor can be reduced by putting preventive measures in place.
Annualized Loss Expectancy:
- The product of the Single Loss Expectancy (SLE) and the Annual Rate of Occurrence (ARO) gives the Annualized Loss Expectancy (ALE).
- It is mathematically expressed as:
- ALE = SLE * ARO
- The important feature of Annualized Loss Expectancy is that it can be used directly in a cost-benefit analysis.
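As an added worked example (not part of the textbook or of the solution on this page), the following Python turns "cost per incident" and "frequency of occurrence" entries of the kind used in the exercise tables into SLE, ARO and ALE, recovers EF from SLE = EF * AV, and applies the usual cost-benefit comparison (ALE before the control, minus ALE after it, minus the control's annual cost). The frequency parser, the function names and the sample rows are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Periods per year for the frequency units that appear in the exercise tables.
_PERIODS_PER_YEAR = {"year": 1.0, "quarter": 4.0, "month": 12.0, "week": 52.0, "day": 365.0}

def parse_aro(frequency: str) -> float:
    """Convert 'N per [K] unit' ('1 per month', '1 per 2 years') into an Annual Rate of Occurrence."""
    m = re.fullmatch(r"\s*(\d+)\s+per\s+(?:(\d+)\s+)?(year|quarter|month|week|day)s?\s*",
                     frequency.lower())
    if not m:
        raise ValueError(f"unrecognised frequency: {frequency!r}")
    count, span, unit = int(m.group(1)), int(m.group(2) or 1), m.group(3)
    return count * _PERIODS_PER_YEAR[unit] / span   # incidents per year

def parse_money(text: str) -> float:
    """'$75,000' -> 75000.0"""
    return float(text.replace("$", "").replace(",", "").strip())

@dataclass
class ThreatEstimate:
    category: str
    sle: float   # Single Loss Expectancy: loss per incident
    aro: float   # Annual Rate of Occurrence
    ale: float   # Annualized Loss Expectancy = SLE * ARO

def estimate(category: str, cost_per_incident: str, frequency: str) -> ThreatEstimate:
    """The table's cost per incident is taken as the SLE (EF * AV already resolved into dollars)."""
    sle = parse_money(cost_per_incident)
    aro = parse_aro(frequency)
    return ThreatEstimate(category, sle, aro, sle * aro)

def exposure_factor(sle: float, asset_value: float) -> float:
    """Recover EF from SLE = EF * AV, e.g. to sanity-check a cost-per-incident figure."""
    return sle / asset_value

def cba(ale_prior: float, ale_post: float, annual_control_cost: float) -> float:
    """Cost-benefit of a control; positive means it is expected to save more per year than it costs."""
    return ale_prior - ale_post - annual_control_cost

# Constructed sample rows in the format of the exercise table (asset value $1,200,000).
SAMPLE_ROWS = [
    ("Programmer mistakes", "$5,000", "1 per month"),
    ("Loss of intellectual property", "$75,000", "1 per 2 years"),
    ("Web defacement", "$500", "1 per quarter"),
    ("Theft of information (hacker)", "$2,500", "1 per 6 months"),
]

def ale_table(rows=SAMPLE_ROWS):
    """SLE, ARO and ALE for every row of a cost-per-incident / frequency table."""
    return [estimate(*row) for row in rows]
```

Calling `ale_table()` returns one `ThreatEstimate` per sample row; pass your own rows to evaluate a different table.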
Students have asked these similar questions
How might XYZ Software Company arrive at the values in the table shown in Exercise 3? For each entry, describe the process of determining the cost per incident and frequency of occurrence.
Provide a short description of each of the five methods used to mitigate risk.
Assume a year has passed and XYZ has improved its security. Using the following table, calculate the SLE, ARO, and ALE for each threat category listed.

XYZ Software Company (Asset Value: $1,200,000)

| Threat Category | Cost per Incident | Frequency of Occurrence | Cost of Controls | Type of Control |
| --- | --- | --- | --- | --- |
| Programmer mistakes | $5,000 | 1 per month | $20,000 | Training |
| Loss of intellectual property | $75,000 | 1 per 2 years | $15,000 | Firewall/IDS |
| Software piracy | $500 | 1 per month | $30,000 | Firewall/IDS |
| Theft of information (hacker) | $2,500 | 1 per 6 months | $15,000 | Firewall/IDS |
| Theft of information (employees) | $5,00 | 1 per year | $15,000 | Physical security |
| Web defacement | $500 | 1 per quarter | $10,000 | Firewall |
| Theft of equipment | $5,000 | 1 per 2 years | $15,000 | Physical security |
| Viruses, worms, Trojan horses | $1,500 | 1 per month | $15,000 | Antivirus |
| Denial-of-service attack | $2,500 | 1 per 6 months | $10,000 | Firewall… |