Applied Sciences homework help. MIS 4850 Systems Security
Week3 Risk Analysis Exercises
- Edit this Word file and type in your answers to the questions for Exercise 1 and Exercise 2.
- When done, save the file to your flash disk and upload a copy to the Week3 Risk Analysis Exercises dropbox
As a junior Security Analyst at Zinder Inc., your boss asked you to perform a classic risk analysis in order to help the company make a decision about whether or not to investing in one of the countermeasures that the company is planning on implementing. The countermeasures are meant to help protect the company’s multifunction server (that has a value of $15,000) and all the software and databases it host against security attacks. The value of the software and the databases is estimated at $485,000. In case of a successful attack, it is expected that 80 percent of the asset’s value will be lost. An attack is expected to be successful once every five years. Countermeasure A will cut the amount lost per incident by 75 percent. Countermeasure B will cut the frequency of successful attack in half. Countermeasure A will cost $30,000 per year, while Countermeasure B will cost $5,000 per year.
Question 1: Conduct a classic risk analysis using the template below. Note: you need to calculate all the numbers and use them to complete this template (table).
|Single Loss Expectancy||SLE||$400,000||$100,000||$400,000|
|Annualized Rate of Occurrence||ARO||20%||20%||10%|
|Annualized Loss Expectancy||ALE||$80,000||$20,000||$40,000|
|ALE Reduction for Countermeasure||—||NA||$60,000||$40,000|
|Annualized Countermeasure Cost||—||NA||$30,000||$5,000|
|Annualized Net Countermeasure Value||—||NA||$30,000||$35,000|
Question 2: Based on the results of the risk analysis, which of the two countermeasures Zinder Inc. should implement (if any). Explain your choice of countermeasure by providing supporting evidence from the result the risk analysis you performed when answering Question 1.
Countermeasure B seems to be the best because:
- Its annualized cost is less costs ($5000 versus $30000)
- Its net annualized value is also higher than the net value of A ($35000 versus $30000)
- Finally, it cuts the ARO by half from 20% to 10
A company has a resource XYZ. If there is a single breach of security, the company may face a fine of $100,000 and pay another $20,000 to clean up the breach. Based on statistics gathered by the SANS Government agency, an attack targeting the company’s assets is likely to be successful about once in five years. A proposed countermeasure should cut the frequency of occurrence in half. How much should the company be willing to pay for the countermeasure
Question 1: Use you classic risk analysis skills to complete the template below based on the information provided in this case. Note: you need to calculate all the numbers.
|Base Case||With Countermeasure|
|Single Loss Expectancy||$120,000||$120,000|
|Annualized Rate of Occurrence||20% (1 in 5 years)||10% (1/2 of base frequency)|
|Annualized Loss Expectancy||$24,000||$12,000|
|ALE Reduction for Countermeasure||$12,000|
Question 2: Based on the results of the risk analysis, what is the maximum that the company should be willing to pay for the countermeasure? Explain.
The countermeasure’s annualized expected benefit is $12,000 per year. The company should be willing to pay up to $12,000 annually but no more. If the countermeasure’s cost is > $12,000 then, the Annualized net value for the countermeasure will be negative.