Question

Why have some values changed in the Cost per Incident and Frequency of Occurrence columns? How could a control affect one but not the other? Assume that the values in the Cost of Control column are unique costs directly associated with protecting against the threat. In other words, don’t consider overlapping costs between controls. Calculate the CBA for the planned risk control approach in each threat category. For each threat category, determine whether the proposed control is worth the costs.

Threat Category	SLE	Frequency of occurrence	Cost of Control	Type of Control
Programmer mistakes	$5,000	1 per week	$20,000	Training
Loss of intellectual property	$75,000	1 per year	$15,000	Firewall/IDS
Software piracy	$500	1 per week	$30,000	Firewall/IDS
Theft of information (hacker)	$2,500	1 per quarter	$15,000	Firewall/IDS
Theft of information (employee)	$5,000	1 per 6 months	$15,000	Physical security
Web defacement	$500	1 per month	$10,000	Firewall
Theft of equipment	$5,000	1 per year	$15,000	Physical security
Viruses, worm, trojan horses	$1,500	1 per week	$15,000	Antivirus
Denial-of-service attack	$2,500	1 per quarter	$10,000	Insurance/backups
Earthquake	$250,000	1 per 20 years	$5,000	Insurance/backups
Flood	$250,000	1 per 10 years	$10,000	Insurance/backups

Answer 1

 The values have changed in the columns Cost per Incident and Frequency of Occurrence because controls have been put in place and this minimizes the risk and it will prevent occurrence.

 A control could affect one factor and not the other as some controls can only reduce the frequency and not the cost. Let’s consider Software Piracy. After putting firewall/IDS in place, it can surely reduce the frequency of attacks, but in case an attack occurs, firewall cannot reduce the cost per incident.

CBA = ALE (prior) – ALE (post) – ACS (annualized cost of the safeguard)