Security Controls

Suppose XYZ Software Company has a new application development project with projected
revenues of $1.2 million. Using the following table, calculate the ARO and ALE for each threat
category the company faces for this project.
Threat category                     Cost per incident (SLE)   Frequency of occurrence
Programmer mistakes                 $5,000                    1 per week
Loss of intellectual property       $75,000                   1 per year
Software piracy                     $500                      1 per week
Theft of information (hacker)       $2,500                    1 per quarter
Theft of information (employee)     $5,000                    1 per 6 months
Web defacement                      $500                      1 per month
Theft of equipment                  $5,000                    1 per year
Viruses, worms, Trojan horses       $1,500                    1 per week
Denial-of-service attacks           $2,500                    1 per quarter
Earthquake                          $250,000                  1 per 20 years
Flood                               $250,000                  1 per 10 years
Fire                                $500,000                  1 per 10 years
Assume that a year has passed and XYZ has improved security by applying several controls. Using
the information from Exercise 3 and the following table, calculate the post-control ARO and ALE for
each threat category listed.
Why have some values changed in the Cost per Incident and Frequency of Occurrence columns?
How could a control affect one but not the other? Assume that the values in the Cost of Control
column are unique costs directly associated with protecting against the threat. In other words, don't
consider overlapping costs between controls. Calculate the CBA for the planned risk control
approach in each threat category. For each threat category, determine whether the proposed
control is worth the costs.
Threat category                     Cost per incident   Frequency of occurrence   Cost of control   Type of control
Programmer mistakes                 $5,000              1 per month               20,000            Training
Loss of intellectual property       $75,000             1 per 2 years             15,000            Firewall/IDS
Software piracy                     $500                1 per month               30,000            Firewall/IDS
Theft of information (hacker)       $2,500              1 per 6 months            15,000            Firewall/IDS
Theft of information (employee)     $5,000              1 per year                15,000            Physical Security
Web defacement                      $500                1 per quarter             10,000            Firewall
Theft of equipment                  $5,000              1 per 2 years             15,000            Physical Security
Viruses, worms, Trojan horses       $1,500              1 per month               15,000            Antivirus
Denial-of-service attacks           $2,500              1 per 6 months            10,000            Firewall
Earthquake                          $250,000            1 per 20 years            5,000             Insurance/Backups
Flood                               $50,000             1 per 10 years            10,000            Insurance/Backups
Fire                                $100,000            1 per 10 years            10,000            Insurance/Backups

Create a spreadsheet with your answers to compare the pre- and post-security control costs. Determine which individual controls were or were not cost-effective, and whether the total cost of the security controls meets the cost-benefit analysis criteria.
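The calculation the exercise asks for, worked through in code as an added example (it is not part of the exercise or its answer key). It assumes the standard quantitative formulas: ARO is the expected number of incidents per year, ALE = SLE x ARO, and CBA = ALE(prior) - ALE(post) - ACS, where the "Cost of control" column is taken as the annualized cost of the safeguard (ACS). Frequencies are converted with a 52-week year, so "1 per week" is an ARO of 52 and "1 per 6 months" an ARO of 2. Both tables above are transcribed into the `PRE` and `POST` dictionaries; the function and variable names are this example's own.

```python
"""ARO / ALE / CBA for the XYZ Software exercise (added worked example).

Assumed formulas:  ARO = occurrences per year
                   ALE = SLE * ARO
                   CBA = ALE(prior) - ALE(post) - ACS   (ACS = "Cost of control")
"""
import re
from fractions import Fraction

# Length of one period in years. Fraction keeps every ARO exact, so
# "1 per 20 years" is exactly 1/20 rather than a rounded float.
PERIOD_YEARS = {
    "week": Fraction(1, 52),
    "month": Fraction(1, 12),
    "quarter": Fraction(1, 4),
    "year": Fraction(1),
}

# Matches the frequency strings used in the tables: "1 per week",
# "1 per 6 months", "1 per 20 years".
FREQ_RE = re.compile(
    r"^\s*(\d+)\s+per\s+(?:(\d+)\s+)?(week|month|quarter|year)s?\s*$", re.IGNORECASE
)


def aro_from_frequency(text):
    """Convert 'N per [span] unit' into an annualized rate of occurrence."""
    m = FREQ_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised frequency: {text!r}")
    count, span, unit = m.groups()
    period = PERIOD_YEARS[unit.lower()] * int(span or 1)   # period length in years
    return Fraction(int(count)) / period


def ale(sle, frequency):
    """Annualized loss expectancy = single loss expectancy x ARO."""
    return Fraction(sle) * aro_from_frequency(frequency)


# Pre-control table: threat -> (SLE in dollars, frequency), transcribed from the exercise.
PRE = {
    "Programmer mistakes": (5_000, "1 per week"),
    "Loss of intellectual property": (75_000, "1 per year"),
    "Software piracy": (500, "1 per week"),
    "Theft of information (hacker)": (2_500, "1 per quarter"),
    "Theft of information (employee)": (5_000, "1 per 6 months"),
    "Web defacement": (500, "1 per month"),
    "Theft of equipment": (5_000, "1 per year"),
    "Viruses, worms, Trojan horses": (1_500, "1 per week"),
    "Denial-of-service attacks": (2_500, "1 per quarter"),
    "Earthquake": (250_000, "1 per 20 years"),
    "Flood": (250_000, "1 per 10 years"),
    "Fire": (500_000, "1 per 10 years"),
}

# Post-control table: threat -> (SLE, frequency, annual cost of control, control type).
POST = {
    "Programmer mistakes": (5_000, "1 per month", 20_000, "Training"),
    "Loss of intellectual property": (75_000, "1 per 2 years", 15_000, "Firewall/IDS"),
    "Software piracy": (500, "1 per month", 30_000, "Firewall/IDS"),
    "Theft of information (hacker)": (2_500, "1 per 6 months", 15_000, "Firewall/IDS"),
    "Theft of information (employee)": (5_000, "1 per year", 15_000, "Physical Security"),
    "Web defacement": (500, "1 per quarter", 10_000, "Firewall"),
    "Theft of equipment": (5_000, "1 per 2 years", 15_000, "Physical Security"),
    "Viruses, worms, Trojan horses": (1_500, "1 per month", 15_000, "Antivirus"),
    "Denial-of-service attacks": (2_500, "1 per 6 months", 10_000, "Firewall"),
    "Earthquake": (250_000, "1 per 20 years", 5_000, "Insurance/Backups"),
    "Flood": (50_000, "1 per 10 years", 10_000, "Insurance/Backups"),
    "Fire": (100_000, "1 per 10 years", 10_000, "Insurance/Backups"),
}


def cba_table():
    """Per-threat pre/post ARO and ALE, control cost, CBA and a worth-it verdict."""
    rows = {}
    for threat, (sle_pre, freq_pre) in PRE.items():
        sle_post, freq_post, acs, control = POST[threat]
        ale_pre, ale_post = ale(sle_pre, freq_pre), ale(sle_post, freq_post)
        cba = ale_pre - ale_post - acs
        rows[threat] = {
            "aro_pre": aro_from_frequency(freq_pre), "ale_pre": ale_pre,
            "aro_post": aro_from_frequency(freq_post), "ale_post": ale_post,
            "acs": Fraction(acs), "control": control, "cba": cba,
            "worth_it": cba > 0,   # positive CBA: the control saves more than it costs
        }
    return rows


def totals(rows):
    """Column sums, to judge the whole control programme rather than each line alone."""
    out = {k: sum(r[k] for r in rows.values()) for k in ("ale_pre", "ale_post", "acs", "cba")}
    out["worth_it"] = out["cba"] > 0
    return out


if __name__ == "__main__":
    rows = cba_table()
    for threat, r in rows.items():
        print(f"{threat:32} ALE {float(r['ale_pre']):>9,.0f} -> {float(r['ale_post']):>8,.0f}"
              f"  control {float(r['acs']):>6,.0f}  CBA {float(r['cba']):>8,.0f}"
              f"  {'worth it' if r['worth_it'] else 'not worth it'}")
    t = totals(rows)
    print(f"TOTAL ALE {float(t['ale_pre']):,.0f} -> {float(t['ale_post']):,.0f}, "
          f"controls {float(t['acs']):,.0f}, CBA {float(t['cba']):,.0f}")
```

Running it prints one line per threat and a total line; the per-threat verdict answers the "is the control worth its cost" question and the total line answers whether the programme as a whole passes the cost-benefit test. The `worth_it` flag is strict (CBA must be positive), so a control that exactly pays for itself is reported as not worth it; change the comparison if your course treats break-even as acceptable.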