Question

Risk analysis is one way to monitor security in an organization. Risk analysis can be a time- consuming process; it involves a number
of steps, some of which require “educated guessing.” Nevertheless, the process alone raises awareness of security issues even if no immediate actions are taken as a result. The steps are:

i. Identify assets (infrastructure, people, hardware, software, reputation, etc.).

For the rest of this list, we’ll concentrate on a single asset.

ii. Determine vulnerability (what event or events might happen to the asset. For example, the building could catch fire, the website could be hacked, etc.).

For the rest of this list, we’ll concentrate on a single asset vulnerable to a single event.

ii. Estimate the probability per year of this event (based on past data, expert estimates, etc.). Take current security measures into account.

iv. Estimate the expected cost if this event occurs (cost to repair or replace, cost of lost business, etc.).

v. Compute risk exposure 5 cost estimate 3 probability estimate.

vi. Identify any additional security measure X that would help protect against this event, determine what it would cost, and do a calculation of the risk exposure with the additional security measure X in place.

vii. Do a cost-benefit analysis:
(Risk exposure without X – Risk exposure with X) − Cost of X

You have a small web-based business that uses a single server to manage your webpage and your customer information. Over the past four years, your website has been hacked and taken down twice. You estimate that the cost of this event is $600 to clean the server and reload the webpage and $12,000 in lost business while the server is down.

1. You could purchase a backup server for a cost of $3,000, which you estimate would reduce the probability per year of losing your website to 0.2. Would this be a cost- effective security measure?

2. What if you reevaluate the probability per year with the backup server to be 0.3. Does this change your answer?

Answer 1

Solution:-