Management Of Information Security
6th Edition
ISBN: 9781337671545
Author: WHITMAN
Publisher: Cengage
expand_more
expand_more
format_list_bulleted
Question
Chapter 7, Problem 4E
Program Plan Intro
Single loss expectancy:
- The expected monetary loss every time a risk occurs is called the Single Loss Expectancy.
- The Single Loss Expectancy (SLE), Exposure Factor (EF) and Asset Value (AV) are related by the formula:
- SLE = EF * AV
- Introducing this conceptual breakdown of Single Loss Expectancy into Exposure Factor and Asset Value allows us to adjust the two terms independently and is related to risk management and risk assessment.
- Asset Value may vary with market changes, inflation while Exposure Factor can be reduced by enabling preventive measures.
Annualized loss expectancy:
- The product of the single loss expectancy (SLE) and the annual rate of occurrence (ARO) give annualized loss expectancy (ALE).
- It is mathematically expressed as:
- ALE = SLE * ARO
- The important feature of Annualized Loss Expectancy is that it can be used directly in a cost- benefit analysis.
Expert Solution & Answer
Trending nowThis is a popular solution!
Students have asked these similar questions
How do you decide which vulnerabilities are most critical?
Instructions: Each student shall provide his own answers to the following questions. Similarity in the
students' answers will be classified as CHEATING cases.
The Operations Security Process consists of the following steps:
Step 1: Identification of Critical Information
Step 2: Analysis of Threats
Step 3: Analysis of Vulnerabilities
Step 4: Assessment of Risks
Step 5: Application of Countermeasures
If you were the information security manager of University of Hafr AIBatin, and you were asked to apply
the five steps of Operations Security Process to the university. Explain how should you apply these steps
and what are your expected outcomes for each step?
Assume a year has passed and XYZ has improved its security. Using the following table, calculate the SLE, ARO, and ALE for each threat category listed.
YXZ Software Company (Asset Value: $1,200,000
Threat Category
Cost per Incident
Frequency of Occurrence
Cost of Controls
Type of Control
Programmer mistakes
$5,000
1 per month
$20,000
Training
Loss of intellectual property
$75,000
1 per 2 years
$15,000
Firewall/IDS
Software piracy
$500
1 per month
$30,000
Firewall/IDS
Theft of information (hacker)
$2,500
1 per 6 months
$15,000
Firewall/IDS
Threat of information (employees)
$5,00
1 per year
$15,000
Physical security
Web defacement
$500
1 per quarter
$10,000
Firewall
Theft of equipment
$5,000
1 per 2 years
$15,000
Physical security
Viruses, worms, Trojan horses
$1,500
1 per month
$15,000
Antivirus
Denial-of-service attack
$2,500
1 per 6 months
$10,000
Firewall…
Chapter 7 Solutions
Management Of Information Security
Ch. 7 - Prob. 1RQCh. 7 - Prob. 2RQCh. 7 - Prob. 3RQCh. 7 - Prob. 4RQCh. 7 - Prob. 5RQCh. 7 - Prob. 6RQCh. 7 - Prob. 7RQCh. 7 - Prob. 8RQCh. 7 - Prob. 9RQCh. 7 - Prob. 10RQ
Ch. 7 - Prob. 11RQCh. 7 - Prob. 12RQCh. 7 - Prob. 13RQCh. 7 - Prob. 14RQCh. 7 - Prob. 15RQCh. 7 - Prob. 16RQCh. 7 - Prob. 17RQCh. 7 - Prob. 18RQCh. 7 - Prob. 19RQCh. 7 - Prob. 20RQCh. 7 - Prob. 1ECh. 7 - Prob. 2ECh. 7 - Prob. 3ECh. 7 - Prob. 4ECh. 7 - Prob. 5ECh. 7 - Prob. 6ECh. 7 - Prob. 7ECh. 7 - Prob. 1DQCh. 7 - Prob. 2DQCh. 7 - Prob. 1EDM
Knowledge Booster
Similar questions
- List the top 5 security architectural and design risks at the moment. Then: a) Explain each risk.arrow_forwardA company interacts with the customers and is highly based on customer data. It has a weak policy which lets it update it's software only once every two years. Due to this policy a hacker could interact with the software and if there's a critical security issue, it wouldn't be addressed and patched until its updated. The long period between the software updates is a threat. Describe in details what are some policy solutions to overcome this vulnerability. (Please make sure they are specifically policy related, Thank you).( Do fast i have 1 hourarrow_forwardThere are two graphs presented from the CERT on reported incidents and vulnerabilities. Keep in mind the difference between an incident and vulnerability. While these charts are dated they still provide valuable trend information that continues to rise. Today, both security incidents and security vulnerabilities continue to rise for a variety of reasons. What reasons can you provide for the continuing upwards trend in the number of incidents reported? You should provide at least four (4) reasons with supporting data and reasoned arguments to support your answer. Good answers will provide facts, reasoned arguments and references that go beyond anecdotal information. Explain using facts, reasoned arguments and references that go beyond anecdotal information and link sources.arrow_forward
- There are two graphs presented from the CERT on reported incidents and vulnerabilities. Keep in mind the difference between an incident and vulnerability. While these charts are dated they still provide valuable trend information that continues to rise. Today, both security incidents and security vulnerabilities continue to rise for a variety of reasons. What reasons can you provide for the continuing upwards trend in the number of incidents reported? You should provide at least four (4) reasons with supporting data and reasoned arguments to support your answer. Good answers will provide facts, reasoned arguments and references that go beyond anecdotal information. Explain using facts, reasoned arguments and references that go beyond anecdotal information and link to sources. PLEASE ADD YOUR SOURCES! Please have clear writing as well! Thank you!arrow_forwardWhat do you think is the best tool or method for finding vulnerabilities? Why?arrow_forwardIn this section, you will prepare a risk mitigation plan using SimpleRisk. Before using SimpleRisk, you will create a paper-based plan. You will need to create three security controls in your risk mitigation plan: one control that reduces the asset value, one that reduces the vulnerability severity, and one that reduces the threat impact. Your security controls should also include examples of both strategic and tactical controls. You can refer to the following table for a clearer picture of the requirements. Security Control Reduces Level (strategic/tactical) Asset value Vulnerability severity Threat Impact Define three security controls designed to mitigate the risk associated with a recent leak of sensitive information that was stored in cleartext files. Once you have identified your security controls, use SimpleRisk to create a Risk Mitigation plan. You do not need to perform a management review in this section.arrow_forward
- research traditional to more conventional recommended models for security. no similarity no minimum word countarrow_forwardQ1: Enlist and discuss all the factors affecting infiltration rate.arrow_forwardWhich of the following is true regarding vulnerability appraisal? a. Vulnerability appraisal is always the easiest and quickest step. b. Every asset must be viewed in light of each threat. c. Each threat could reveal multiple vulnerabilities. d. Each vulnerability should be cataloged.arrow_forward
- The Operations Security Process consists of the following steps: Step 1: Identification of Critical InformationStep 2: Analysis of ThreatsStep 3: Analysis of VulnerabilitiesStep 4: Assessment of RisksStep 5: Application of Countermeasures If you were the information security manager of university and you were asked to applythe five steps of Operations Security Process to the university. Explain how should you apply these stepsand what are your expected outcomes for each step?arrow_forwardA list of procedures and utilities that will determine how vulnerable the areas identified in “b)” are (= the vulnerability assessment)arrow_forwardThe Operations Security Process consists of the following steps: Step 1: Identification of Critical Information Step 2: Analysis of Threats Step 3: Analysis of Vulnerabilities Step 4: Assessment of Risks Step 5: Application of Countermeasures If you were the information security manager of University of Hafr AIBatin, and you were asked to apply the five steps of Operations Security Process to the university. Explain how should you apply these steps and what are your expected outcomes for each step?arrow_forward
arrow_back_ios
SEE MORE QUESTIONS
arrow_forward_ios
Recommended textbooks for you
Management Of Information SecurityComputer ScienceISBN:9781337405713Author:WHITMAN, Michael.Publisher:Cengage Learning,
Management Of Information Security
Computer Science
ISBN:9781337405713
Author:WHITMAN, Michael.
Publisher:Cengage Learning,