3.
Using the following table, calculate the SLE, ARO, and ALE for each threat
category listed:
XYZ Software Company, major Cost per Frequency of
threat categories for new
Incident Occurrence
applications development
Programmer mistakes
Loss of intellectual property
Software piracy
SLE
ARO
ALE
$5,000
1 per week
5,000
52.0 $ 260,000
$75,000
1 per year
75,000
1.0 $
75,000
$500
1 per week
500
52.0 $
26,000
Theft of information (hacker)
$2,500 1 per quarter
2,500
4.0 $
10,000
Theft of information (employee)
$5,000 1 per 6 months
5,000
2.0 $
10,000
500
12.0 $
6,000
Web defacement
$500
1 per month
Theft of equipment
$5,000
1 per year
5,000
1.0 $
5,000
Virus, worms, Trojan horses
$1,500
1 per week
1,500
52.0 $
78,000
Denial-of-service attacks
$2,500 1 per quarter
2,500
4.0 $
10,000
Earthquake
$250,000 1 per 20 years 250,000
0.1 $
12,500
Flood
$250,000 1 per 10 years 250,000
0.1 $
25,000
Fire
$500,000 1 per 10 years 500,000
0.1 $
50,000
4.
How might XYZ Software Company arrive at the values in the above table? For each entry, describe
the process of determining the cost per incident and frequency of occurrence
a.
It is most likely that the XYZ Software Company employed an economic feasibility study or cost benefit analysis
to arrive at the values in their cost\incident table.
b.
For each of the entries in the chart, the cost per incident and the frequency of occurrence could have been reached
through several, varied methods. Businesses often use benchmarking, best practices, and baselining to determine
the values of cost per incident and frequency of occurrence. These techniques take in to account internal
investigation and asset valuation, along with information that has been gathered by other sources in the industry,
such as frequency of virus, worm, or Trojan attacks. All of these methods combined could provide the numbers for
the costs and frequency for the chart listed.
5.
Assume a year has passed and XYZ has improved security. Using the following table, calculate the
SLE, ARO, and ALE for each threat category listed:
SLE
ARO
ALE
CBA
Programmer mistakes
5,000
100%
60,000
180,000
Loss of intellectual property
75,000
50%
37,500
22,500
Software piracy
500
100%
6,000
-10,000
Theft of information (hacker)
2,500
100%
5,000
-10,000
Theft of information (employee)
5,000
100%
5,000
-10,000
Web defacement
500
100%
2,000
-14,000
Theft of equipment
5,000
50%
2,500
-12,500
Virus, worms, Trojan horses
1,500
100%
18,000
45,000
Denial-of-service attacks
2,500
100%
5,000
-12,500
Earthquake
250,000
5%
12,500
-5,000
Flood
50,000
10%
5,000
10,000
Fire
100,000
10%
10,000
30,000
Some of the values have changed due to the fact that controls were implemented and they had a positive impact on the
protection of the assets of the organization thus reducing the frequency of occurrences. However, the controls did not
reduce the cost of an incident to occur because the value of an asset will remain the same and cost the organization the
same amount of time and money to replace. The controls put into place are worth the costs listed.