Why have some values changed in the Cost per Incident and Frequency of Occurrence columns? How could a control affect one but not the other? Assume that the values in the Cost of Control column are unique costs directly associated with protecting against the threat. In other words, don’t consider overlapping costs between controls. Calculate the CBA for the planned risk control approach in each threat category. For each threat category, determine whether the proposed control is worth the costs.
| Threat Category | SLE | Frequency of occurrence | Cost of Control | Type of Control |
|---|---|---|---|---|
| Programmer mistakes | $5,000 | 1 per week | $20,000 | Training |
| Loss of intellectual property | $75,000 | 1 per year | $15,000 | Firewall/IDS |
| Software piracy | $500 | 1 per week | $30,000 | Firewall/IDS |
| Theft of information (hacker) | $2,500 | 1 per quarter | $15,000 | Firewall/IDS |
| Theft of information (employee) | $5,000 | 1 per 6 months | $15,000 | Physical security |
| Web defacement | $500 | 1 per month | $10,000 | Firewall |
| Theft of equipment | $5,000 | 1 per year | $15,000 | Physical security |
| Viruses, worm, trojan horses | $1,500 | 1 per week | $15,000 | Antivirus |
| Denial-of-service attack | $2,500 | 1 per quarter | $10,000 | Insurance/backups |
| Earthquake | $250,000 | 1 per 20 years | $5,000 | Insurance/backups |
| Flood | $250,000 | 1 per 10 years | $10,000 | Insurance/backups |
The values have changed in the Cost per Incident and Frequency of Occurrence columns because controls have been put in place; these minimize the risk and help prevent occurrences.
A control can affect one factor and not the other because some controls can only reduce the frequency, not the cost. Consider Software Piracy: once a firewall/IDS is in place it can certainly reduce the frequency of attacks, but if an attack does occur, the firewall cannot reduce the cost per incident.
CBA = ALE (prior) – ALE (post) – ACS (annualized cost of the safeguard)
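The calculation the question asks for can be carried out mechanically from the table: ALE = SLE × ARO, where ARO is the frequency converted to events per year, and then CBA = ALE(prior) − ALE(post) − ACS. The following is an added worked example, not part of the original answer or the textbook exercise; it reads the table above as the post-control table that the question describes, parses the frequency strings into an ARO, and computes ALE and CBA. Because the exercise's pre-control table is not on this page, the prior ALE values used in the demonstration are constructed placeholders and are labelled as such in the code.

```python
import re
from fractions import Fraction

# Threat table as given on the page: (threat, SLE, frequency, cost of control, type).
THREATS = [
    ("Programmer mistakes", 5_000, "1 per week", 20_000, "Training"),
    ("Loss of intellectual property", 75_000, "1 per year", 15_000, "Firewall/IDS"),
    ("Software piracy", 500, "1 per week", 30_000, "Firewall/IDS"),
    ("Theft of information (hacker)", 2_500, "1 per quarter", 15_000, "Firewall/IDS"),
    ("Theft of information (employee)", 5_000, "1 per 6 months", 15_000, "Physical security"),
    ("Web defacement", 500, "1 per month", 10_000, "Firewall"),
    ("Theft of equipment", 5_000, "1 per year", 15_000, "Physical security"),
    ("Viruses, worm, trojan horses", 1_500, "1 per week", 15_000, "Antivirus"),
    ("Denial-of-service attack", 2_500, "1 per quarter", 10_000, "Insurance/backups"),
    ("Earthquake", 250_000, "1 per 20 years", 5_000, "Insurance/backups"),
    ("Flood", 250_000, "1 per 10 years", 10_000, "Insurance/backups"),
]

# Length of each period in years, so that ARO = events / (count * period).
_PERIODS_IN_YEARS = {
    "day": Fraction(1, 365), "week": Fraction(1, 52), "month": Fraction(1, 12),
    "quarter": Fraction(1, 4), "year": Fraction(1),
}
_FREQ_RE = re.compile(
    r"^\s*(\d+)\s+per\s+(\d+)?\s*(day|week|month|quarter|year)s?\s*$", re.IGNORECASE
)


def parse_aro(text):
    """Convert '1 per week', '1 per 6 months', '1 per 20 years' ... into an exact ARO (events/year)."""
    m = _FREQ_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised frequency: {text!r}")
    events = int(m.group(1))
    count = int(m.group(2) or 1)          # '1 per week' has no count -> 1
    unit = m.group(3).lower()
    return Fraction(events) / (count * _PERIODS_IN_YEARS[unit])


def ale(sle, aro):
    """Annualized loss expectancy: single loss expectancy times annualized rate of occurrence."""
    return sle * aro


def cba(ale_prior, ale_post, acs):
    """CBA = ALE(prior) - ALE(post) - ACS; a positive result means the control pays for itself."""
    return ale_prior - ale_post - acs


def post_control_ale():
    """ALE for every row of the table above, keyed by threat category."""
    return {name: ale(sle, parse_aro(freq)) for name, sle, freq, _, _ in THREATS}


def evaluate(prior_ale):
    """For each threat with a supplied prior ALE, return (CBA, worth_it) using the table's control cost."""
    post = post_control_ale()
    cost = {name: acs for name, _, _, acs, _ in THREATS}
    result = {}
    for name, before in prior_ale.items():
        value = cba(before, post[name], cost[name])
        result[name] = (value, value > 0)
    return result


if __name__ == "__main__":
    for name, value in post_control_ale().items():
        print(f"{name:32s} ALE(post) = ${float(value):>12,.2f}")
    # CONSTRUCTED prior ALE values for illustration only; the exercise's
    # pre-control table is not on this page, so these are not its numbers.
    constructed_prior = {"Programmer mistakes": 520_000, "Software piracy": 52_000}
    for name, (value, worth) in evaluate(constructed_prior).items():
        verdict = "worth the cost" if worth else "not worth the cost"
        print(f"{name}: CBA = ${float(value):,.2f} -> {verdict}")
```

Fractions are used instead of floats so that rates such as "1 per 20 years" stay exact (1/20) and the ALE figures compare cleanly with the hand calculation; the decision rule in `evaluate` is simply whether the CBA is positive, which is the criterion the question asks you to apply per threat category.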