Chapter 5, Problem 5E

Program Plan Intro

Annualized Rate Occurrence (ARO):

Annualized Rate Occurrence is the estimated frequency at which a given threat is expected to happen.

ARO can be calculated by using the following formula:

$\text{ARO = }\frac{\text{One year}}{\text{Frequency of occurrence}}$ (1)

Annualized Loss Expectancy (ALE):

Annualized Loss Expectancy is the loss expected from the attack of a specific information asset which has been carried over for a year. It is a product of single loss expectancy and the annualized rate of occurrence.

ALE can be calculated by using the following formula:

$\text{ALE = SLE }\times \text{ ARO}$ (2)

Cost-Benefit Analysis (CBA):

• CBA is the study that determines the cost required for protecting an asset.
• It is a process of feasibility which is carried with a formal documentation process. It is also called as economic feasibility study.
• System value is an estimated total cost of the organization in terms of the cost of equipment, and more important, in terms of the cost of information stored in the system.

CBA can be calculated by using the following formula:

$\text{CBA = ALE(prior) - ALE(post) - ACS}$ (3)

Here, the term $ALE(prior)$ refers “Annualized Lost Expectancy for earlier assessment” and $\text{ALE(post)}$ refers “Annualized Lost Expectancy for revised assessment” and $\text{ACS}$ refers “Annualized Cost of a Safeguard”.

Explanation of Solution

Calculate ARO for Programmer mistakes:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “ $\frac{365}{12}$” in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{30.417}\\ =12\end{array}$

Hence, the ARO for programmer mistakes is “12 (approximately)”.

Calculate ARO for Loss if intellectual property:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “ $365\times 2$”  in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{365\times 2}\\ =0.5\end{array}$

Hence, the ARO for Loss if intellectual property is “0.5 (approximately)”.

Calculate ARO for Software Piracy:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “ $\frac{365}{12}$” in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{30.417}\\ =12\end{array}$

Hence, the ARO for Software Piracy is “12 (approximately)”.

Calculate ARO for Theft of information (hacker):

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 6 months)” as “ $\frac{1}{2}$” (i.e $\frac{365}{2}$ ) in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{182.5}\\ =2\end{array}$

Hence, the ARO for Theft of information (hacker) is “2 (approximately)”.

Calculate ARO for Theft of information (employee):

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per year)” as “365” in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{365}\\ =1\end{array}$

Hence, the ARO for Theft of Theft of information (employee) is “1 (approximately)”.

Calculate ARO for Web defacement:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per quarter)” as “ $\frac{1}{4}$” (i.e $\frac{365}{4}$ ) in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{91.25}\\ =4\end{array}$

Hence, the ARO for Web defacement is “4 (approximately)”.

Calculate ARO for Theft of equipment:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “ $365\times 2$”  in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{365\times 2}\\ =0.5\end{array}$

Hence, the ARO for Theft of equipment is “0.5 (approximately)”.

Calculate ARO for Viruses, worms, Trojan Horses:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “ $\frac{365}{12}$” in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{30.417}\\ =12\end{array}$

Hence, the ARO for Viruses, worms, Trojan Horses is “12 (approximately)”.

Calculate ARO for Denial-of-service attacks:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 6 months)” as “ $\frac{1}{2}$” (i.e $\frac{365}{2}$ ) in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{182.5}\\ =2\end{array}$

Hence, the ARO for Denial-of-service attacks is “2 (approximately)”.

Calculate ARO for Earthquake:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 20 years)” as “ $365\times 20$”  in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{7300}\\ =0.05\end{array}$

Hence, the ARO for Earthquake is “0.05 (approximately)”.

Calculate ARO for Food:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “ $365\times 10$”  in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{3600}\\ =0.1\end{array}$

Hence, the ARO for Food is “0.1 (approximately)”.

Calculate ARO for Fire:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “ $365\times 10$”  in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{3600}\\ =0.1\end{array}$

Hence, the ARO for Fire is “0.1 (approximately)”.

Calculate ALE for Programmer mistakes:

Substitute the value of “SLE” as “5000” and “ARO” as “12” in the equation (2).

$\begin{array}{l}\text{=5000}\times 12\\ \text{=60000}\end{array}$

Hence, the ALE for programmer mistakes is “60000”.

Calculate ALE for Loss if intellectual property:

Substitute the value of “SLE” as “75000” and “ARO” as “0.5” in the equation (2).

$\begin{array}{l}\text{ =75000}\times 0.5\\ \text{=37500}\end{array}$

Hence, the ALE for Loss if intellectual property is “37500”.

Calculate ALE for Software Piracy:

Substitute the value of “SLE” as “500” and “ARO” as “12” in the equation (2).

$\begin{array}{l}\text{ =500}\times 12\\ \text{=6000}\end{array}$

Hence, the ALE for Software Piracy is “6000”.

Calculate ALE for Theft of information(hacker):

Substitute the value of “SLE” as “2500” and “ARO” as “2” in the equation (2).

$\begin{array}{l}\text{ =2500}\times 2\\ \text{=5000}\end{array}$

Hence, the ALE for Theft of information (hacker)is “5000”.

Calculate ALE for Theft of information (employee)

Substitute the value of “SLE” as “5000” and “ARO” as “1” in the equation (2).

$\begin{array}{l}\text{ =5000}\times 1\\ \text{=5000}\end{array}$

Hence, the ALE for Theft of information (employee) is “5000”.

Calculate ALE for Web defacement:

Substitute the value of “SLE” as “500” and “ARO” as “4” in the equation (2).

$\begin{array}{l}\text{ =500}\times 4\\ \text{=2000}\end{array}$

Hence, the ALE for Web defacement is “2000”.

Calculate ALE for Theft of equipment:

Substitute the value of “SLE” as “5000” and “ARO” as “0.5” in the equation (2).

$\begin{array}{l}\text{ =5000}\times 0.5\\ \text{=2500}\end{array}$

Hence, the ALE for Theft of equipment is “2500”.

Calculate ALE for Viruses, worms, Trojan Horses:

Substitute the value of “SLE” as “1500” and “ARO” as “12” in the equation (2).

$\begin{array}{l}\text{ =1500}\times 12\\ \text{=18000}\end{array}$

Hence, the ALE for Viruses, worms, Trojan Horses is “18000”.

Calculate ALE for Denial-of-service attacks:

Substitute the value of “SLE” as “2500” and “ARO” as “2” in the equation (2).

$\begin{array}{l}\text{ =2500}\times 2\\ \text{=5000}\end{array}$

Hence, the ALE for Denial-of-service attacks is “5000”.

Calculate ALE for Earthquake:

Substitute the value of “SLE” as “250000” and “ARO” as “0.05” in the equation (2).

$\begin{array}{l}\text{ =250000}\times 0.05\\ \text{=12500}\end{array}$

Hence, the ALE for Earthquake is “12500”.

Calculate ALE for Food:

Substitute the value of “SLE” as “50000” and “ARO” as “0.1” in the equation (2).

$\begin{array}{l}\text{ =50000}\times 0.1\\ \text{=5000}\end{array}$

Hence, the ALE for Food is “5000”.

Calculate ALE for Fire:

Substitute the value of “SLE” as “100000” and “ARO” as “0.1” in the equation (2).

$\begin{array}{l}\text{ =100000}\times 0.1\\ \text{=10000}\end{array}$

Hence, the ALE for Fire is “10000”.

To calculate CBA for Programmer mistakes:

Substitute the value of “ALE (prior)” as “260000” and “ALE (post)” as “60000” and “ACS” as “20000” in the equation (3).

$\begin{array}{l}\text{CBA=ALE(prior)-ALE(post)-ACS}\\ \text{}\text{}\text{}=260000-60000-20000\\ =180000\end{array}$

Hence, the CBA for programmer mistakes is “180000”.

To calculate CBA for Loss if intellectual property:

Substitute the value of “ALE (prior)” as “75000” and “ALE (post)” as “37500” and “ACS” as “15000” in the equation (3).

$\begin{array}{l}\text{CBA=ALE(prior)-ALE(post)-ACS}\\ \text{}\text{}\text{}=75000-37500-15000\\ =22500\end{array}$

Hence, the CBA for Loss if intellectual property is “22500”.

To calculate CBA for Software Piracy:

Substitute the value of “ALE (prior)” as “26000” and “ALE (post)” as “6000” and “ACS” as “30000” in the equation (3).

$\begin{array}{l}\text{CBA=ALE(prior)-ALE(post)-ACS}\\ \text{}\text{}\text{}=26000-6000-30000\\ =-10000\end{array}$

Hence, the CBA for Software Piracy is “-10000”.

To calculate CBA for Theft of information (hacker):

Substitute the value of “ALE (prior)” as “10000” and “ALE (post)” as “5000” and “ACS” as “15000” in the equation (3).

$\begin{array}{l}\text{CBA=ALE(prior)-ALE(post)-ACS}\\ \text{}\text{}\text{}=10000-5000-15000\\ =-10000\end{array}$

Hence, the CBA for Theft of information (hacker) is “-10000”.

To calculate CBA for Theft of information (employee):

Substitute the value of “ALE (prior)” as “10000” and “ALE (post)” as “5000” and “ACS” as “15000” in the equation (3).

$\begin{array}{l}\text{CBA=ALE(prior)-ALE(post)-ACS}\\ \text{}\text{}\text{}=10000-5000-15000\\ =-10000\end{array}$

Hence, the CBA for Theft of information (employee) is “-10000”.

To calculate CBA for Web defacement:

Substitute the value of “ALE (prior)” as “6000” and “ALE (post)” as “2000” and “ACS” as “10000” in the equation (3).

$\begin{array}{l}\text{CBA=ALE(prior)-ALE(post)-ACS}\\ \text{}\text{}\text{}=6000-2000-10000\\ =-6000\end{array}$

Hence, the CBA for Web defacement is “-6000”.

To calculate CBA for Theft of equipment:

Substitute the value of “ALE (prior)” as “5000” and “ALE (post)” as “2500” and “ACS” as “15000” in the equation (3).

$\begin{array}{l}\text{CBA=ALE(prior)-ALE(post)-ACS}\\ \text{}\text{}\text{}=5000-2500-15000\\ =-12500\end{array}$

Hence, the CBA for Theft of equipment is “-12500”.

To calculate CBA for Viruses, worms, Trojan Horses:

Substitute the value of “ALE (prior)” as “78000” and “ALE (post)” as “18000” and “ACS” as “15000” in the equation (3).

$\begin{array}{l}\text{CBA=ALE(prior)-ALE(post)-ACS}\\ \text{}\text{}\text{}=78000-18000-15000\\ =45000\end{array}$

Hence, the CBA for Viruses, worms, Trojan Horses is “45000”.

To calculate CBA for Denial-of-service attacks:

Substitute the value of “ALE (prior)” as “10000” and “ALE (post)” as “5000” and “ACS” as “10000” in the equation (3).

$\begin{array}{l}\text{CBA=ALE(prior)-ALE(post)-ACS}\\ \text{}\text{}\text{}=10000-5000-10000\\ =-5000\end{array}$

Hence, the CBA for Denial-of-service attacks is “-5000”.

To calculate CBA for Earthquake:

Substitute the value of “ALE (prior)” as “12500” and “ALE (post)” as “12500” and “ACS” as “5000” in the equation (3).

$\begin{array}{l}\text{CBA=ALE(prior)-ALE(post)-ACS}\\ \text{}\text{}\text{}=12500-12500-5000\\ =-5000\end{array}$

Hence, the CBA for Earthquake is “-5000”.

To calculate CBA for Food:

Substitute the value of “ALE (prior)” as “25000” and “ALE (post)” as “5000” and “ACS” as “10000” in the equation (3).

$\begin{array}{l}\text{CBA=ALE(prior)-ALE(post)-ACS}\\ \text{}\text{}\text{}=25000-5000-10000\\ =10000\end{array}$

Hence, the CBA for Food is “10000”.

To calculate CBA for Fire:

Substitute the value of “ALE (prior)” as “50000” and “ALE (post)” as “10000” and “ACS” as “10000” in the equation (3).

$\begin{array}{l}\text{CBA=ALE(prior)-ALE(post)-ACS}\\ \text{}\text{}\text{}=50000-10000-10000\\ =30000\end{array}$

Hence, the CBA for Fire is “30000”.

ARO and ALE table for all the threat cost is given below:

ARO and ALE threats	SLE	ARO	ALE	CBA
Programmer mistakes	5,000	12	60,000	180,000
Loss if intellectual property	75,000	0.5	37,500	22,500
Software Piracy	500	12	6,000	-10,000
Theft of information(hacker)	2,500	2	5,000	-10,000
Theft of information (employee)	5,000	1	5,000	-10,000
Web defacement	500	4	2,000	-6,000
Theft of equipment	5,000	0.5	2,500	-12,500
Viruses, worms, Trojan Horses	1,500	12	18,000	45,000
Denial-of-service attacks	2,500	2	5,000	-5000
Earthquake	250,000	0.05	12,500	-5,000
Food	50,000	0.1	5,000	10,000
Fire	100,000	0.1	10,000	30,000

Reason for changes in values:

Some values have been changed because of the implementation controls which had a positive impact on protection of XYZ’s assets. Thus, reducing the frequency of occurrences. However, the controls did not decrease cost for a single incident because the importance of an asset will stay the same and cost XYZ the same amount of time and money to replace. The costs that are listed are worth when the controls are in their place.