Annualized Rate of Occurrence (ARO):
The annualized rate of occurrence is the estimated number of times a given threat is expected to occur in one year. It is an estimate taken from experience or incident history, so the values below are approximations rather than measurements.
ARO can be calculated by using the following formula, taking one year as 365 days and the frequency of occurrence as the number of days between two occurrences of the threat:
ARO = One year (365 days) / Frequency of occurrence (days between occurrences)   ... (1)
Annualized Loss Expectancy (ALE):
The annualized loss expectancy is the loss expected from attacks on a specific information asset over one year. It is the product of the single loss expectancy (SLE), the loss caused by one occurrence of the threat, and the annualized rate of occurrence. In the solution below, the ARO is rounded before it is substituted into equation (2).
ALE can be calculated by using the following formula:
ALE = SLE × ARO   ... (2)
Explanation of Solution
Calculate ARO for Programmer mistakes:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per week)” as “7” in the equation (1).
Hence, the ARO for programmer mistakes is “52 (approximately)”.
Calculate ARO for Loss of intellectual property:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per year)” as “365” in the equation (1).
Hence, the ARO for Loss of intellectual property is 365/365 = “1”.
Calculate ARO for Software Piracy:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per week)” as “7” in the equation (1).
Hence, the ARO for Software Piracy is “52 (approximately)”.
Calculate ARO for Theft of information (hacker):
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per quarter)” as “91.25” (365/4 days) in the equation (1).
Hence, the ARO for Theft of information (hacker) is 365/91.25 = “4”.
Calculate ARO for Theft of information (employee):
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 6 months)” as “182.5” (365/2 days) in the equation (1).
Hence, the ARO for Theft of information (employee) is 365/182.5 = “2”.
Calculate ARO for Web defacement:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per month)” as “30.42” (365/12 days) in the equation (1).
Hence, the ARO for Web defacement is 365/30.42 = “12 (approximately)”.
Calculate ARO for Theft of equipment:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per year)” as “365” in the equation (1).
Hence, the ARO for Theft of equipment is “1 (approximately)”.
Calculate ARO for Viruses, worms, Trojan Horses:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per week)” as “7” in the equation (1).
Hence, the ARO for Viruses, worms, Trojan Horses is “52 (approximately)”.
Calculate ARO for Denial-of-service attacks:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per quarter)” as “91.25” (365/4 days) in the equation (1).
Hence, the ARO for Denial-of-service attacks is 365/91.25 = “4”.
Calculate ARO for Earthquake:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 20 years)” as “7300” (20 × 365 days) in the equation (1).
Hence, the ARO for Earthquake is 365/7300 = “0.05”.
Calculate ARO for Flood:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “3650” (10 × 365 days) in the equation (1).
Hence, the ARO for Flood is 365/3650 = “0.1”.
Calculate ARO for Fire:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “3650” (10 × 365 days) in the equation (1).
Hence, the ARO for Fire is 365/3650 = “0.1”.
Calculate ALE for Programmer mistakes:
Substitute the value of “SLE” as “5000” and “ARO” as “52” in the equation (2).
Hence, the ALE for programmer mistakes is “260000”.
Calculate ALE for Loss of intellectual property:
Substitute the value of “SLE” as “75000” and “ARO” as “1” in the equation (2).
Hence, the ALE for Loss of intellectual property is 75000 × 1 = “75000”.
Calculate ALE for Software Piracy:
Substitute the value of “SLE” as “500” and “ARO” as “52” in the equation (2).
Hence, the ALE for Software Piracy is “26000”.
Calculate ALE for Theft of information (hacker):
Substitute the value of “SLE” as “2500” and “ARO” as “4” in the equation (2).
Hence, the ALE for Theft of information (hacker) is 2500 × 4 = “10000”.
Calculate ALE for Theft of information (employee):
Substitute the value of “SLE” as “5000” and “ARO” as “2” in the equation (2).
Hence, the ALE for Theft of information (employee) is 5000 × 2 = “10000”.
Calculate ALE for Web defacement:
Substitute the value of “SLE” as “500” and “ARO” as “12” in the equation (2).
Hence, the ALE for Web defacement is “6000”.
Calculate ALE for Theft of equipment:
Substitute the value of “SLE” as “5000” and “ARO” as “1” in the equation (2).
Hence, the ALE for Theft of equipment is 5000 × 1 = “5000”.
Calculate ALE for Viruses, worms, Trojan Horses:
Substitute the value of “SLE” as “1500” and “ARO” as “52” in the equation (2).
Hence, the ALE for Viruses, worms, Trojan Horses is “78000”.
Calculate ALE for Denial-of-service attacks:
Substitute the value of “SLE” as “2500” and “ARO” as “4” in the equation (2).
Hence, the ALE for Denial-of-service attacks is “10000”.
Calculate ALE for Earthquake:
Substitute the value of “SLE” as “250000” and “ARO” as “0.05” in the equation (2).
Hence, the ALE for Earthquake is “12500”.
Calculate ALE for Flood:
Substitute the value of “SLE” as “250000” and “ARO” as “0.1” in the equation (2).
Hence, the ALE for Flood is 250000 × 0.1 = “25000”.
Calculate ALE for Fire:
Substitute the value of “SLE” as “500000” and “ARO” as “0.1” in the equation (2).
Hence, the ALE for Fire is “50000”.
The ARO and ALE for every threat are summarized in the table below (ARO in occurrences per year, ALE in dollars per year):
Threat | ARO | ALE |
Programmer mistakes | 52 | $260,000 |
Loss of intellectual property | 1 | $75,000 |
Software piracy | 52 | $26,000 |
Theft of information (hacker) | 4 | $10,000 |
Theft of information (employee) | 2 | $10,000 |
Web defacement | 12 | $6,000 |
Theft of equipment | 1 | $5,000 |
Viruses, worms, Trojan horses | 52 | $78,000 |
Denial-of-service attacks | 4 | $10,000 |
Earthquake | 0.05 | $12,500 |
Flood | 0.1 | $25,000 |
Fire | 0.1 | $50,000 |
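The calculation above is the same two formulas applied twelve times, so it is worth automating and, more importantly, sorting the result by ALE, since the ALE column is what tells you which threats to spend control budget on first. The Python below is an added example written for this page, not code from the textbook or its publisher. The "1 per week" / "1 per 20 years" frequency strings, the Threat record and the function names are assumptions made for this example; the twelve threats, their SLEs and their frequencies are the ones used in the worked solution. Exact fractions are used so that 365/(365/12) is exactly 12 and so that the weekly ARO stays at 365/7 = 52.14 rather than the rounded 52 the solution uses, which is why the programmer-mistakes ALE comes out as $260,714 here instead of $260,000.

```python
import re
from dataclasses import dataclass
from fractions import Fraction

DAYS_PER_YEAR = 365  # the convention used on this page: one year = 365 days

# Length of each interval in days, kept as exact fractions so that
# 365 / (365/12) is exactly 12 and not 11.999999999999998.
INTERVAL_DAYS = {
    "day": Fraction(1),
    "week": Fraction(7),
    "month": Fraction(DAYS_PER_YEAR, 12),
    "quarter": Fraction(DAYS_PER_YEAR, 4),
    "year": Fraction(DAYS_PER_YEAR),
}

# Frequency strings such as "1 per week", "1 per quarter", "1 per 6 months",
# "2 per 10 years". This input format is an assumption of the example.
_FREQ = re.compile(r"(\d+)\s+per\s+(?:(\d+)\s+)?(day|week|month|quarter|year)s?")


def annualized_rate_of_occurrence(frequency):
    """Equation (1): ARO = (days in one year) / (days between occurrences).

    Returns an exact Fraction; convert with float() for display.
    """
    m = _FREQ.fullmatch(frequency.strip().lower())
    if not m:
        raise ValueError(f"unrecognised frequency: {frequency!r}")
    count, multiplier, unit = m.groups()
    days_between = (int(multiplier) if multiplier else 1) * INTERVAL_DAYS[unit]
    return int(count) * Fraction(DAYS_PER_YEAR) / days_between


def annualized_loss_expectancy(sle, frequency):
    """Equation (2): ALE = SLE x ARO, with SLE in dollars per occurrence."""
    return sle * annualized_rate_of_occurrence(frequency)


@dataclass(frozen=True)
class Threat:
    name: str
    sle: int        # single loss expectancy in dollars
    frequency: str  # how often one loss event is expected, e.g. "1 per week"


def risk_register(threats):
    """Return (name, ARO, ALE) rows sorted by ALE, highest first, so the
    threats that deserve controls first are at the top. sorted() is stable,
    so threats with equal ALE keep their input order."""
    rows = [(t.name,
             annualized_rate_of_occurrence(t.frequency),
             annualized_loss_expectancy(t.sle, t.frequency)) for t in threats]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def total_ale(threats):
    """Expected annual loss across the whole register."""
    return sum(annualized_loss_expectancy(t.sle, t.frequency) for t in threats)


# The twelve threats of the worked solution above (SLE and frequency from the page).
THREATS = [
    Threat("Programmer mistakes", 5_000, "1 per week"),
    Threat("Loss of intellectual property", 75_000, "1 per year"),
    Threat("Software piracy", 500, "1 per week"),
    Threat("Theft of information (hacker)", 2_500, "1 per quarter"),
    Threat("Theft of information (employee)", 5_000, "1 per 6 months"),
    Threat("Web defacement", 500, "1 per month"),
    Threat("Theft of equipment", 5_000, "1 per year"),
    Threat("Viruses, worms, Trojan horses", 1_500, "1 per week"),
    Threat("Denial-of-service attacks", 2_500, "1 per quarter"),
    Threat("Earthquake", 250_000, "1 per 20 years"),
    Threat("Flood", 250_000, "1 per 10 years"),
    Threat("Fire", 500_000, "1 per 10 years"),
]

if __name__ == "__main__":
    print(f"{'Threat':<34}{'ARO':>8}{'ALE':>14}")
    for name, aro, ale in risk_register(THREATS):
        print(f"{name:<34}{float(aro):>8.2f}{float(ale):>14,.2f}")
    print(f"{'Total':<34}{'':>8}{float(total_ale(THREATS)):>14,.2f}")
```

Running the script prints the register ordered by ALE: the two weekly threats (programmer mistakes, malware) and the loss of intellectual property sit above fire, even though fire has by far the largest single loss. That ordering, not the SLE column, is the point of the ALE calculation. Note that the three weekly threats together contribute exactly 7000 × 365/7 = $365,000, so the register total is $568,500; with the rounded AROs from the solution it would be $567,500.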
Chapter 5 Solutions
Principles of Information Security (MindTap Course List)