Question

Create a cost and benefit analysis.

A company has an Ecommerce website that generates $500,000 per year.

Calculate the annualized rate of occurrence (ARO) and annualized loss expectancy (ALE) for each risk:

| Category | Cost per incident | Frequency of occurrence |
|---|---|---|
| Programming errors | $1,000 | 2 per week |
| Information theft (hacker) | $2,000 | 1 per quarter |
| Information theft (employee) | $5,000 | 1 per year |
| Viruses | $1,000 | 1 per year |
| Denial of service attacks | $3,500 | 1 per 6 months |
| Natural disaster | $100,000 | 1 per 20 years |

-Make sure to convert frequency of occurrence to yearly base.-

One year past, calculate the cost and benefit of controls that have been in place.

| Category | Cost per incident | Frequency of occurrence | Cost of control | Type of control |
|---|---|---|---|---|
| Programming errors | $1,000 | 2 per week | $2,500 | Training |
| Information theft (hacker) | $2,000 | 1 per quarter | $10,000 | Firewall |
| Information theft (employee) | $5,000 | 1 per year | $10,000 | Physical security |
| Viruses | $1,000 | 1 per year | $10,000 | Anti-virus |
| Denial of service attacks | $3,500 | 1 per 6 months | $10,000 | Firewall |
| Natural disaster | $100,000 | 1 per 20 years | $15,000 | Insurance |

Solutions

Expert Solution

Annualized rate of occurrence refers to the probability that a risk will occur in a specific year. For instance, if statistics indicate that a serious accident is likely to occur once in 20 years, then the ARO is 1/20 = 0.05. This implies that we have to convert the frequency of occurrence to a yearly basis for each category.

Programming errors have a frequency of occurrence of 2 per week, which implies that there will be two Programming errors each week. There are 52 weeks in a year; therefore, the annualized rate of occurrence (ARO) for Programming errors of 2 per week will be 2*52 = 104 Programming errors per year.

Information theft (hacker) has a frequency of occurrence of 1 per quarter, which implies that there will be one Information theft (hacker) every quarter. There are four quarters in a year; therefore, the annualized rate of occurrence (ARO) for Information theft (hacker) of 1 Information theft (theft) per quarter will be 1*4 = 4 per year.

Information theft (employee) and viruses have a frequency of occurrence of 1 per year, which implies that there will be one Information theft (hacker) and viruses every year; therefore, the annualized rate of occurrence (ARO) for Information theft (employee) and viruses of 1 per year will be 1*1 = 1 Information theft (employee) and viruses per year.

Denial of service attacks have a frequency of occurrence of 1 per 6 months, which implies that there will be one Denial of service attack every six months. There are two six-month periods in a year; therefore, the annualized rate of occurrence (ARO) for Denial of service attacks of 1 per six months will be 1*2 = 2 Denial of service attacks per year.

Finally, Natural disaster has a frequency of occurrence of 1 per 20 years, which implies that there will be one Natural disaster every 20 years; therefore, the annualized rate of occurrence (ARO) for Natural disaster of 1 per 20 years will be 1/20 = 0.05 Natural disasters per year.

Therefore, the respective ARO will be

| Category | Annualized rate of occurrence (ARO) |
|---|---|
| Programming errors | 104 |
| Information theft (hacker) | 4 |
| Information theft (employee) | 1 |
| Viruses | 1 |
| Denial of service attacks | 2 |
| Natural disaster | 0.05 |

Annualized loss expectancy (ALE) = Single Loss expectancy (SLE) * Annualized Rate of Occurrence (ARO). Therefore, ALE = SLE × ARO

But SLE = Asset value × Exposure Factor (EF)

So for us to calculate the SLE we need to compute the Exposure Factor (EF). Exposure Factor (EF) is defined as the subjective, potential percentage of loss to a particular asset in case the particular threat is realized. Exposure factor represents the value to which the asset value is reduced. Given that E-bidding Company has an ecommerce website generating $500,000 per year, the Asset Value is $500,000, therefore,

  • EF for Programming errors with a cost per incident of $1,000 is $1,000/$500,000 = 0.002
  • EF for Information theft (hacker) with a cost per incident of $2,000 is $2,000/$500,000 = 0.004
  • EF for Information theft (employee) with a cost per incident of $5,000 is $5,000/$500,000 = 0.001
  • EF for Viruses with a cost per incident of $1,000 is $1,000/$500,000 = 0.002
  • EF for Denial of service attacks with a cost per incident of $3,500 is $3,500/$500,000 = 0.007
  • EF for Natural disaster with a cost per incident of $100,000 is $100,000/$500,000 = 0.2

From the above EF, we can now calculate SLE = Asset value × Exposure Factor (EF)

| Category | SLE = Asset value × Exposure Factor (EF) |
|---|---|
| Programming errors | 0.002 × $500,000 = $1,000 |
| Information theft (hacker) | 0.004 × $500,000 = $2,000 |
| Information theft (employee) | 0.001 × $500,000 = $5,000 |
| Viruses | 0.002 × $500,000 = $1,000 |
| Denial of service attacks | 0.007 × $500,000 = $3,500 |
| Natural disaster | 0.2 × $500,000 = $100,000 |

Finally, to arrive at ALE we multiply SLE by ARO

| Category | ALE = ARO × SLE |
|---|---|
| Programming errors | 104 × $1,000 = $104,000 |
| Information theft (hacker) | 4 × $2,000 = $8,000 |
| Information theft (employee) | 1 × $5,000 = $5,000 |
| Viruses | 1 × $1,000 = $1,000 |
| Denial of service attacks | 2 × $3,500 = $7,000 |
| Natural disaster | 0.05 × $100,000 = $5,000 |

One year past, calculate the cost and benefit of controls that have been in place.

| Category | Cost per incident | Frequency of occurrence | Cost of control | Type of control |
|---|---|---|---|---|
| Programming errors | $1,000 | 2 per week | $2,500 | Training |
| Information theft (hacker) | $2,000 | 1 per quarter | $10,000 | Firewall |
| Information theft (employee) | $5,000 | 1 per year | $10,000 | Physical security |
| Viruses | $1,000 | 1 per year | $10,000 | Anti-virus |
| Denial of service attacks | $3,500 | 1 per 6 months | $10,000 | Firewall |
| Natural disaster | $100,000 | 1 per 20 years | $15,000 | Insurance |

Solution

In carrying out the Cost/benefit analysis, we need to find the annual cost of the countermeasure, which is the cost of control multiplied by the Annualized Rate of Occurrence (ARO), as shown in the table below.

| Type of control | ARO × cost of control |
|---|---|
| Training | 104 × $2,500 = $260,000 |
| Firewall | 4 × $10,000 = $40,000 |
| Physical security | 1 × $10,000 = $10,000 |
| Anti-virus | 1 × $10,000 = $10,000 |
| Firewall | 2 × $10,000 = $20,000 |
| Insurance | 0.05 × $15,000 = $750 |

After calculating the annual cost of the countermeasure, we compare it with the Annualized loss expectancy (ALE) to see if there are net benefits or net losses.

Annualized loss expectancy − Annual cost of control = Net benefits (losses)

| Type of control | Net benefits (losses) |
|---|---|
| Training | $104,000 − $260,000 = −$156,000 |
| Firewall | $8,000 − $40,000 = −$32,000 |
| Physical security | $5,000 − $10,000 = −$5,000 |
| Anti-virus | $1,000 − $10,000 = −$9,000 |
| Firewall | $7,000 − $20,000 = −$13,000 |
| Insurance | $5,000 − $750 = $4,250 |

From the table below, it is clear that all the types of control other than Insurance are not worthwhile, as they have net losses rather than net benefits. It costs more money to protect against the risks. It costs more to protect against the potential loss, and hence the risk is rather increased and not reduced. Therefore, it is not logical from a business point of view, as the firm will spend more money than they can potentially lose.
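The frequency-to-ARO conversion and the ALE = SLE × ARO step from the solution above, as an added example that is not part of the original answer. The function names are hypothetical, the SLE values are the cost-per-incident figures from the question, and the `day` and `month` entries in the period table are assumed extensions (the solution itself only uses 52 weeks, 4 quarters and years).

```python
import re
from fractions import Fraction

# Occurrences of each base period in one year (52 weeks/year, as the solution uses).
PERIODS_PER_YEAR = {"day": 365, "week": 52, "month": 12, "quarter": 4, "year": 1}

# Matches "2 per week", "1 per 6 months", "1 per 20 years".
_FREQ = re.compile(
    r"^\s*(\d+)\s+per\s+(?:(\d+)\s+)?(day|week|month|quarter|year)s?\s*$", re.I
)

def aro(frequency: str) -> Fraction:
    """Convert 'N per [M] period' into expected occurrences per year."""
    m = _FREQ.match(frequency)
    if not m:
        raise ValueError(f"unrecognised frequency: {frequency!r}")
    count = int(m.group(1))
    span = int(m.group(2) or 1)  # "per 6 months" -> span of 6 periods
    if span == 0:
        raise ValueError("period length must be positive")
    # Fraction keeps 1/20 exact, so 0.05 * 100000 does not pick up float error.
    return Fraction(count * PERIODS_PER_YEAR[m.group(3).lower()], span)

def ale(sle: int, frequency: str) -> Fraction:
    """Annualized loss expectancy = single loss expectancy x ARO."""
    return sle * aro(frequency)

# (category, SLE in dollars, frequency) taken from the question's table.
RISKS = [
    ("Programming errors", 1_000, "2 per week"),
    ("Information theft (hacker)", 2_000, "1 per quarter"),
    ("Information theft (employee)", 5_000, "1 per year"),
    ("Viruses", 1_000, "1 per year"),
    ("Denial of service attacks", 3_500, "1 per 6 months"),
    ("Natural disaster", 100_000, "1 per 20 years"),
]

def risk_register(risks=RISKS):
    """Return (category, ARO, ALE) rows, largest annual exposure first."""
    rows = [(name, aro(freq), ale(sle, freq)) for name, sle, freq in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for name, rate, loss in risk_register():
        print(f"{name:<30} ARO={float(rate):>7.2f}  ALE=${float(loss):>11,.2f}")
```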

