Bundle: Management Of Information Security, Loose-leaf Version, 6th + Mindtap Information Security, 1 Term (6 Months) Printed Access Card
6th Edition
ISBN: 9781337750790
Author: Michael E. Whitman, Herbert J. Mattord
Publisher: Cengage Learning
Question
Chapter 7, Problem 4E
Program Plan Intro
Single loss expectancy:
- The expected monetary loss every time a risk occurs is called the Single Loss Expectancy (SLE).
- SLE, Exposure Factor (EF) and Asset Value (AV) are related by the formula:
- SLE = EF * AV
- Breaking SLE down into EF and AV lets the two terms be adjusted independently, which is what makes the breakdown useful in risk assessment and risk management.
- Asset Value may vary with market changes and inflation, while Exposure Factor can be reduced by putting preventive controls in place.
Annualized loss expectancy:
- The product of the single loss expectancy (SLE) and the annual rate of occurrence (ARO) gives the annualized loss expectancy (ALE).
- It is mathematically expressed as:
- ALE = SLE * ARO
- The important feature of ALE is that it can be used directly in a cost-benefit analysis.
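A worked implementation of the two formulas above, added here as an example (it is not the textbook's or the solution's code): it parses the "1 per month" / "1 per 2 years" frequency strings used in the XYZ Software Company table further down this page, recovers EF from the cost per incident, computes ARO and ALE, and ranks the threats by ALE. The sample rows are copied from that table; the `control_exceeds_ale` flag is a simple screen I have added and is not the textbook's full cost-benefit analysis.

```python
import re
from dataclasses import dataclass

# Periods per year: turns "1 per month" / "1 per 2 years" into an annualized rate
# of occurrence (ARO, incidents per year).
PERIODS_PER_YEAR = {"day": 365, "week": 52, "month": 12, "quarter": 4, "year": 1}

@dataclass
class ThreatRow:
    category: str
    cost_per_incident: str   # "$5,000", exactly as written in the table
    frequency: str           # "1 per 6 months"
    cost_of_controls: str    # annual cost of the listed control, "$15,000"

def parse_money(text):
    """'$1,200,000' -> 1200000.0"""
    return float(text.replace("$", "").replace(",", "").strip())

def parse_aro(text):
    """'1 per month' -> 12.0, '1 per 2 years' -> 0.5, '1 per quarter' -> 4.0"""
    m = re.fullmatch(r"\s*(\d+)\s+per\s+(?:(\d+)\s+)?(day|week|month|quarter|year)s?\s*", text)
    if not m:
        raise ValueError(f"unrecognised frequency: {text!r}")
    count, span, unit = int(m.group(1)), int(m.group(2) or 1), m.group(3)
    return count * PERIODS_PER_YEAR[unit] / span

def assess(row, asset_value):
    """Apply SLE = EF * AV and ALE = SLE * ARO to one table row."""
    sle = parse_money(row.cost_per_incident)   # the table lists cost per incident, i.e. SLE
    ef = sle / asset_value                     # EF recovered from SLE = EF * AV
    aro = parse_aro(row.frequency)
    ale = sle * aro
    acs = parse_money(row.cost_of_controls)    # annual cost of the safeguard
    # control_exceeds_ale is a simple screen only (added here): a control that costs
    # more per year than the expected loss needs a fuller CBA with the post-control ALE.
    return {"category": row.category, "SLE": sle, "EF": round(ef, 6), "ARO": aro,
            "ALE": ale, "control_cost": acs, "control_exceeds_ale": acs > ale}

def rank_by_ale(rows, asset_value):
    """Assess every row and order the results from highest ALE to lowest."""
    return sorted((assess(r, asset_value) for r in rows), key=lambda d: d["ALE"], reverse=True)

# Four rows copied from the XYZ Software Company table on this page (AV $1,200,000).
ASSET_VALUE = 1_200_000
SAMPLE_ROWS = [
    ThreatRow("Programmer mistakes", "$5,000", "1 per month", "$20,000"),
    ThreatRow("Loss of intellectual property", "$75,000", "1 per 2 years", "$15,000"),
    ThreatRow("Web defacement", "$500", "1 per quarter", "$10,000"),
    ThreatRow("Denial-of-service attack", "$2,500", "1 per 6 months", "$10,000"),
]
```

Calling `rank_by_ale(SAMPLE_ROWS, ASSET_VALUE)` puts programmer mistakes first (ALE $60,000) and web defacement last (ALE $2,000), which is the ordering a risk register would use when deciding where controls are worth their cost.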
Students have asked these similar questions
Assume a year has passed and XYZ has improved its security. Using the following table, calculate the SLE, ARO, and ALE for each threat category listed.
XYZ Software Company (Asset Value: $1,200,000)

| Threat Category | Cost per Incident | Frequency of Occurrence | Cost of Controls | Type of Control |
|---|---|---|---|---|
| Programmer mistakes | $5,000 | 1 per month | $20,000 | Training |
| Loss of intellectual property | $75,000 | 1 per 2 years | $15,000 | Firewall/IDS |
| Software piracy | $500 | 1 per month | $30,000 | Firewall/IDS |
| Theft of information (hacker) | $2,500 | 1 per 6 months | $15,000 | Firewall/IDS |
| Theft of information (employees) | $5,00 | 1 per year | $15,000 | Physical security |
| Web defacement | $500 | 1 per quarter | $10,000 | Firewall |
| Theft of equipment | $5,000 | 1 per 2 years | $15,000 | Physical security |
| Viruses, worms, Trojan horses | $1,500 | 1 per month | $15,000 | Antivirus |
| Denial-of-service attack | $2,500 | 1 per 6 months | $10,000 | Firewall… |
How do you decide which vulnerabilities are most critical?
In this section, you will prepare a risk mitigation plan using SimpleRisk. Before using SimpleRisk, you will create a paper-based plan.
You will need to create three security controls in your risk mitigation plan: one control that reduces the asset value, one that reduces the vulnerability severity, and one that reduces the threat impact. Your security controls should also include examples of both strategic and tactical controls. You can refer to the following table for a clearer picture of the requirements.

| Security Control | Reduces | Level (strategic/tactical) |
|---|---|---|
| | Asset value | |
| | Vulnerability severity | |
| | Threat Impact | |

Define three security controls designed to mitigate the risk associated with a recent leak of sensitive information that was stored in cleartext files.
Once you have identified your security controls, use SimpleRisk to create a Risk Mitigation plan. You do not need to perform a management review in this section.