# Computer Sciences and Information Technology

ITM438 SLP1

This assignment requires you to do a cost and benefit analysis for the following company. You will need to study carefully the cost and benefit calculation section at “Home” of module 1.

E-bidding Company has an ecommerce website that generates $500,000 per year. Calculate the annualized rate of occurrence (ARO) and annualized loss expectancy (ALE) for each risk:

| Category | Cost per incident | Frequency of occurrence |
|---|---|---|
| Programming errors | $1,000 | 2 per week |
| Information theft (hacker) | $2,000 | 1 per quarter |
| Information theft (employee) | $5,000 | 1 per year |
| Viruses | $1,000 | 1 per year |
| Denial of service attacks | $3,500 | 1 per 6 months |
| Natural disaster | $100,000 | 1 per 20 years |

Solution

Annualized rate of occurrence refers to the expected number of times a risk will occur in a given year. For instance, if statistics indicate that a serious accident is likely to occur once in 20 years, then the ARO is 1/20 = 0.05. This means we have to convert the frequency of occurrence of each category to a yearly basis.

Programming errors have a frequency of occurrence of 2 per week, meaning two programming errors each week. There are 52 weeks in a year, so the annualized rate of occurrence (ARO) for programming errors is 2 × 52 = 104 programming errors per year.

Information theft (hacker) has a frequency of occurrence of 1 per quarter, meaning one hacker theft every quarter. There are four quarters in a year, so the ARO for information theft (hacker) is 1 × 4 = 4 per year.

Information theft (employee) and viruses each have a frequency of occurrence of 1 per year, meaning one employee theft and one virus incident every year, so the ARO for each is 1 × 1 = 1 per year.

Denial of service attacks have a frequency of occurrence of 1 per 6 months, meaning one attack every six months. There are two six-month periods in a year, so the ARO for denial of service attacks is 1 × 2 = 2 attacks per year.

Finally, natural disasters have a frequency of occurrence of 1 per 20 years, meaning one natural disaster every 20 years, so the ARO for natural disasters is 1/20 = 0.05 natural disasters per year.

Therefore, the respective AROs are:

| Category | Annualized rate of occurrence (ARO) |
|---|---|
| Programming errors | 104 |
| Information theft (hacker) | 4 |
| Information theft (employee) | 1 |
| Viruses | 1 |
| Denial of service attacks | 2 |
| Natural disaster | 0.05 |

Annualized loss expectancy (ALE) = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO), i.e. ALE = SLE × ARO.

But SLE = Asset value × Exposure Factor (EF).

So to calculate the SLE we first need to compute the Exposure Factor (EF). The Exposure Factor is defined as the subjective, potential percentage of loss to a particular asset if the particular threat is realized; it represents the proportion of the asset value that is lost in a single incident. Given that E-bidding Company has an ecommerce website generating $500,000 per year, the asset value is $500,000, therefore:

• EF for Programming errors with a cost per incident of $1,000 is $1,000/$500,000 = 0.002

• EF for Information theft (hacker) with a cost per incident of $2,000 is $2,000/$500,000 = 0.004

• EF for Information theft (employee) with a cost per incident of $5,000 is $5,000/$500,000 = 0.01

• EF for Viruses with a cost per incident of $1,000 is $1,000/$500,000 = 0.002

• EF for Denial of service attacks with a cost per incident of $3,500 is $3,500/$500,000 = 0.007

• EF for Natural disaster with a cost per incident of $100,000 is $100,000/$500,000 = 0.2

From the above EF values, we can now calculate SLE = Asset value × Exposure Factor (EF):

| Category | SLE = Asset value × Exposure Factor (EF) |
|---|---|
| Programming errors | 0.002 × $500,000 = $1,000 |
| Information theft (hacker) | 0.004 × $500,000 = $2,000 |
| Information theft (employee) | 0.01 × $500,000 = $5,000 |
| Viruses | 0.002 × $500,000 = $1,000 |
| Denial of service attacks | 0.007 × $500,000 = $3,500 |
| Natural disaster | 0.2 × $500,000 = $100,000 |

Finally, to arrive at the ALE we multiply SLE by ARO:

| Category | ALE = ARO × SLE |
|---|---|
| Programming errors | 104 × $1,000 = $104,000 |
| Information theft (hacker) | 4 × $2,000 = $8,000 |
| Information theft (employee) | 1 × $5,000 = $5,000 |
| Viruses | 1 × $1,000 = $1,000 |
| Denial of service attacks | 2 × $3,500 = $7,000 |
| Natural disaster | 0.05 × $100,000 = $5,000 |

One year has passed. Calculate the cost and benefit of the controls that have been in place.

| Category | Cost per incident | Frequency of occurrence | Cost of control | Type of control |
|---|---|---|---|---|
| Programming errors | $1,000 | 2 per week | $2,500 | Training |
| Information theft (hacker) | $2,000 | 1 per quarter | $10,000 | Firewall |
| Information theft (employee) | $5,000 | 1 per year | $10,000 | Physical security |
| Viruses | $1,000 | 1 per year | $10,000 | Anti-virus |
| Denial of service attacks | $3,500 | 1 per 6 months | $10,000 | Firewall |
| Natural disaster | $100,000 | 1 per 20 years | $15,000 | Insurance |

Solution

In carrying out the cost/benefit analysis, we first need the annual cost of each countermeasure, which is the cost of control multiplied by the Annualized Rate of Occurrence (ARO), as shown in the table below.

| Type of control | Annual cost = ARO × cost of control |
|---|---|
| Training | 104 × $2,500 = $260,000 |
| Firewall | 4 × $10,000 = $40,000 |
| Physical security | 1 × $10,000 = $10,000 |
| Anti-virus | 1 × $10,000 = $10,000 |
| Firewall | 2 × $10,000 = $20,000 |
| Insurance | 0.05 × $15,000 = $750 |

After calculating the annual cost of each countermeasure, we compare it with the Annualized Loss Expectancy (ALE) to see whether there is a net benefit or a net loss:

Annualized loss expectancy − Annual cost of control = Net benefits (losses)

| Type of control | Net benefits (losses) |
|---|---|
| Training | $104,000 − $260,000 = −$156,000 |
| Firewall | $8,000 − $40,000 = −$32,000 |
| Physical security | $5,000 − $10,000 = −$5,000 |
| Anti-virus | $1,000 − $10,000 = −$9,000 |
| Firewall | $7,000 − $20,000 = −$13,000 |
| Insurance | $5,000 − $750 = $4,250 |

From the table above, it is clear that all the types of control other than Insurance are not worthwhile, as they produce net losses rather than net benefits: it costs more to protect against these risks than the potential loss, so the risk exposure is effectively increased rather than reduced. It is therefore not logical from a business point of view, as the firm would spend more money than it could potentially lose.
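The ARO/EF/SLE/ALE chain and the cost/benefit comparison worked above are mechanical enough to script. The following Python is an added example, not part of the assignment or its solution; it generalises the calculation by parsing frequency strings of the form "N per [K] unit" (so "2 per week", "1 per 6 month" and "1 per 20 years" all convert to events per year), then runs every row of the page's table through the formulas. The table rows, the asset value and the `RISKS`, `parse_aro`, `analyse` and `worthwhile_controls` names are constructed here; the annual control cost follows the page's solution, which multiplies the cost of control by ARO.

```python
import re

# Asset value from the assignment: the ecommerce site generates $500,000 per year
ASSET_VALUE = 500_000

# How many of each period fit into one year (used to annualize frequencies)
PERIODS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}

# Constructed from the two tables on this page:
# (category, cost per incident, frequency of occurrence, cost of control, type of control)
RISKS = [
    ("Programming errors",           1_000,   "2 per week",     2_500,  "Training"),
    ("Information theft (hacker)",   2_000,   "1 per quarter",  10_000, "Firewall"),
    ("Information theft (employee)", 5_000,   "1 per year",     10_000, "Physical security"),
    ("Viruses",                      1_000,   "1 per year",     10_000, "Anti-virus"),
    ("Denial of service attacks",    3_500,   "1 per 6 month",  10_000, "Firewall"),
    ("Natural disaster",             100_000, "1 per 20 years", 15_000, "Insurance"),
]

# "<count> per [<span>] <unit>[s]", e.g. "2 per week", "1 per 6 month", "1 per 20 years"
_FREQ = re.compile(r"\s*(\d+(?:\.\d+)?)\s+per\s+(\d+)?\s*(week|month|quarter|year)s?\s*", re.I)


def parse_aro(frequency: str) -> float:
    """Annualized rate of occurrence: convert a frequency string to events per year."""
    m = _FREQ.fullmatch(frequency)
    if m is None:
        raise ValueError(f"unrecognised frequency: {frequency!r}")
    count = float(m.group(1))
    span = int(m.group(2) or 1)          # "1 per 6 month" -> span 6; "1 per quarter" -> 1
    unit = m.group(3).lower()
    return count * PERIODS_PER_YEAR[unit] / span


def exposure_factor(cost_per_incident: float, asset_value: float = ASSET_VALUE) -> float:
    """EF: fraction of the asset value lost when the threat is realized once."""
    return cost_per_incident / asset_value


def single_loss_expectancy(ef: float, asset_value: float = ASSET_VALUE) -> float:
    """SLE = asset value x EF."""
    return asset_value * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


def analyse(risks=RISKS, asset_value: float = ASSET_VALUE) -> list:
    """Run ARO -> EF -> SLE -> ALE -> net benefit for every risk row.

    As in the page's solution, the annual cost of a control is ARO x cost of control
    (the control cost is treated as a per-incident cost). Money is rounded to cents."""
    rows = []
    for category, cost, frequency, control_cost, control in risks:
        aro = parse_aro(frequency)
        ef = exposure_factor(cost, asset_value)
        sle = single_loss_expectancy(ef, asset_value)
        ale = annualized_loss_expectancy(sle, aro)
        annual_control_cost = aro * control_cost
        rows.append({
            "category": category,
            "control": control,
            "aro": aro,
            "ef": ef,
            "sle": round(sle, 2),
            "ale": round(ale, 2),
            "annual_control_cost": round(annual_control_cost, 2),
            "net_benefit": round(ale - annual_control_cost, 2),
        })
    return rows


def worthwhile_controls(rows) -> list:
    """Controls whose ALE exceeds their annual cost, i.e. a positive net benefit."""
    return [r["control"] for r in rows if r["net_benefit"] > 0]


if __name__ == "__main__":
    table = analyse()
    print(f"{'Category':<30}{'ARO':>8}{'EF':>8}{'SLE':>12}{'ALE':>12}{'Ctrl/yr':>12}{'Net':>12}")
    for r in table:
        print(f"{r['category']:<30}{r['aro']:>8.2f}{r['ef']:>8.3f}{r['sle']:>12,.0f}"
              f"{r['ale']:>12,.0f}{r['annual_control_cost']:>12,.0f}{r['net_benefit']:>12,.0f}")
    print("Worthwhile controls:", worthwhile_controls(table))
```

Running the script reproduces the page's tables row for row and reports Insurance as the only control with a positive net benefit. Because `analyse` takes the risk rows and asset value as parameters, the same code can be rerun after a control changes an incident's frequency or cost, which is the comparison a practitioner actually wants to make a year on.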
