Security Controls

Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the following table, calculate the ARO and ALE for each threat category the company faces for this project.

  Threat category                  Cost per incident (SLE)   Frequency of occurrence
  Programmer mistakes              $5,000                    1 per week
  Loss of intellectual property    $75,000                   1 per year
  Software piracy                  $500                      1 per week
  Theft of information (hacker)    $2,500                    1 per quarter
  Theft of information (employee)  $5,000                    1 per 6 months
  Web defacement                   $500                      1 per month
  Theft of equipment               $5,000                    1 per year
  Viruses, worms, Trojan horses    $1,500                    1 per week
  Denial-of-service attacks        $2,500                    1 per quarter
  Earthquake                       $250,000                  1 per 20 years
  Flood                            $250,000                  1 per 10 years
  Fire                             $500,000                  1 per 10 years

Assume that a year has passed and XYZ has improved security by applying several controls. Using the information from Exercise 3 and the following table, calculate the post-control ARO and ALE for each threat category listed. Why have some values changed in the Cost per Incident and Frequency of Occurrence columns? How could a control affect one but not the other? Assume that the values in the Cost of Control column are unique costs directly associated with protecting against the threat. In other words, don't consider overlapping costs between controls. Calculate the CBA for the planned risk control approach in each threat category. For each threat category, determine whether the proposed control is worth the costs.

  Threat category                  Cost per incident   Frequency of occurrence   Cost of control   Type of control
  Programmer mistakes              $5,000              1 per month               $20,000           Training
  Loss of intellectual property    $75,000             1 per 2 years             $15,000           Firewall/IDS
  Software piracy                  $500                1 per month               $30,000           Firewall/IDS
  Theft of information (hacker)    $2,500              1 per 6 months            $15,000           Firewall/IDS
  Theft of information (employee)  $5,000              1 per year                $15,000           Physical Security
  Web defacement                   $500                1 per quarter             $10,000           Firewall
  Theft of equipment               $5,000              1 per 2 years             $15,000           Physical Security
  Viruses, worms, Trojan horses    $1,500              1 per month               $15,000           Antivirus
  Denial-of-service attacks        $2,500              1 per 6 months            $10,000           Firewall
  Earthquake                       $250,000            1 per 20 years            $5,000            Insurance/Backups
  Flood                            $50,000             1 per 10 years            $10,000           Insurance/Backups
  Fire                             $100,000            1 per 10 years            $10,000           Insurance/Backups

Create a spreadsheet with your answers to compare the pre- and post-security control costs. Determine which individual controls were or were not cost-effective, and whether the total cost of the security controls meets the cost-benefit analysis criteria.
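As an added worked example (not part of the exercise text), the following Python script computes the ARO, ALE and CBA for the two tables above. It assumes the standard quantitative risk formulas ALE = SLE x ARO and CBA = ALE(prior) - ALE(post) - ACS, treats the Cost of Control column as the annualized cost of the safeguard (ACS), and judges a control worth its cost when its CBA is positive; the function and row names are the example's own.

```python
import re

# Events per year for each unit that appears in the exercise's frequency column.
_PER_YEAR = {"week": 52.0, "month": 12.0, "quarter": 4.0, "year": 1.0}
# Matches "1 per week", "1 per 6 months", "1 per 20 years", "1 per quarter".
_FREQ_RE = re.compile(
    r"^\s*(\d+)\s+per\s+(?:(\d+)\s+)?(week|month|quarter|year)s?\s*$", re.I
)


def aro_from_frequency(text: str) -> float:
    """Annualized rate of occurrence: convert 'N per [M] unit' into events per year."""
    m = _FREQ_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised frequency: {text!r}")
    count, span, unit = int(m.group(1)), int(m.group(2) or 1), m.group(3).lower()
    return count * _PER_YEAR[unit] / span


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = single loss expectancy x annualized rate of occurrence."""
    return sle * aro


def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """Cost-benefit analysis of a control: ALE before, minus ALE after, minus annual cost of the safeguard."""
    return ale_prior - ale_post - acs


# (threat, SLE before, frequency before, SLE after, frequency after, cost of control, control type)
# Values copied from the two tables in the exercise; ACS is assumed to be an annual figure.
THREATS = [
    ("Programmer mistakes",             5_000, "1 per week",     5_000, "1 per month",     20_000, "Training"),
    ("Loss of intellectual property",  75_000, "1 per year",    75_000, "1 per 2 years",   15_000, "Firewall/IDS"),
    ("Software piracy",                   500, "1 per week",       500, "1 per month",     30_000, "Firewall/IDS"),
    ("Theft of information (hacker)",   2_500, "1 per quarter",  2_500, "1 per 6 months",  15_000, "Firewall/IDS"),
    ("Theft of information (employee)", 5_000, "1 per 6 months", 5_000, "1 per year",      15_000, "Physical Security"),
    ("Web defacement",                    500, "1 per month",      500, "1 per quarter",   10_000, "Firewall"),
    ("Theft of equipment",              5_000, "1 per year",     5_000, "1 per 2 years",   15_000, "Physical Security"),
    ("Viruses, worms, Trojan horses",   1_500, "1 per week",     1_500, "1 per month",     15_000, "Antivirus"),
    ("Denial-of-service attacks",       2_500, "1 per quarter",  2_500, "1 per 6 months",  10_000, "Firewall"),
    ("Earthquake",                    250_000, "1 per 20 years", 250_000, "1 per 20 years",  5_000, "Insurance/Backups"),
    ("Flood",                         250_000, "1 per 10 years",  50_000, "1 per 10 years", 10_000, "Insurance/Backups"),
    ("Fire",                          500_000, "1 per 10 years", 100_000, "1 per 10 years", 10_000, "Insurance/Backups"),
]


def risk_table() -> list[dict]:
    """One row per threat with pre/post ARO and ALE, the control's CBA, and whether it pays for itself."""
    rows = []
    for name, sle0, f0, sle1, f1, acs, ctrl in THREATS:
        aro0, aro1 = aro_from_frequency(f0), aro_from_frequency(f1)
        ale0, ale1 = ale(sle0, aro0), ale(sle1, aro1)
        benefit = cba(ale0, ale1, acs)
        rows.append({
            "threat": name, "control": ctrl,
            "aro_prior": aro0, "ale_prior": ale0,
            "aro_post": aro1, "ale_post": ale1,
            "acs": acs, "cba": benefit, "worth_it": benefit > 0,
        })
    return rows


def totals(rows: list[dict]) -> dict:
    """Programme-level view: does the whole control set reduce ALE by more than it costs?"""
    t = {k: sum(r[k] for r in rows) for k in ("ale_prior", "ale_post", "acs", "cba")}
    t["worth_it"] = t["cba"] > 0
    return t


def main() -> None:
    rows = risk_table()
    print(f"{'Threat':34} {'ALE pre':>10} {'ALE post':>10} {'ACS':>8} {'CBA':>10}  Worth it?")
    for r in rows:
        print(f"{r['threat']:34} {r['ale_prior']:>10,.0f} {r['ale_post']:>10,.0f} "
              f"{r['acs']:>8,} {r['cba']:>10,.0f}  {'yes' if r['worth_it'] else 'no'}")
    t = totals(rows)
    print(f"{'TOTAL':34} {t['ale_prior']:>10,.0f} {t['ale_post']:>10,.0f} "
          f"{t['acs']:>8,.0f} {t['cba']:>10,.0f}  {'yes' if t['worth_it'] else 'no'}")


if __name__ == "__main__":
    main()
```

Running the script prints the per-threat comparison and a TOTAL line, which is the same information the exercise asks you to lay out in a spreadsheet. The per-row CBA answers "is this one control worth it?"; the TOTAL row answers the separate question of whether the control set as a whole meets the cost-benefit criterion, and the two can disagree when a few high-payoff controls subsidize several that do not pay for themselves.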