# ITM438 SLP1


This assignment requires you to do a cost and benefit analysis for the following company. You will need to study carefully the cost and benefit calculation section at “Home” of module 1.

E-bidding Company has an ecommerce website that generates \$500,000 per year. Calculate the annualized rate of occurrence (ARO) and annualized loss expectancy (ALE) for each risk:

| Category | Cost per incident | Frequency of occurrence |
|---|---|---|
| Programming errors | \$1,000 | 2 per week |
| Information theft (hacker) | \$2,000 | 1 per quarter |
| Information theft (employee) | \$5,000 | 1 per year |
| Viruses | \$1,000 | 1 per year |
| Denial of service attacks | \$3,500 | 1 per 6 months |
| Natural disaster | \$100,000 | 1 per 20 years |

Solution

Annualized rate of occurrence is the expected number of times a risk will occur in a given year. For instance, if a statistic indicates that a serious accident is likely to occur once in 20 years, then the ARO is 1/20 = 0.05. This means that we have to convert the frequency of occurrence for each category to a yearly basis.

Programming errors have a frequency of occurrence of 2 per week, i.e. two programming errors every week. Since there are 52 weeks in a year, the ARO for programming errors is 2 × 52 = 104 programming errors per year.

Information theft (hacker) has a frequency of occurrence of 1 per quarter, i.e. one hacker theft every quarter. Since there are four quarters in a year, the ARO for information theft (hacker) is 1 × 4 = 4 per year.

Information theft (employee) and viruses each have a frequency of occurrence of 1 per year, i.e. one employee theft and one virus incident every year, so the ARO for each of them is 1 × 1 = 1 per year.

Denial of service attacks have a frequency of occurrence of 1 per 6 months, i.e. one attack every six months. Since there are two six-month periods in a year, the ARO for denial of service attacks is 1 × 2 = 2 per year.

Finally, natural disasters have a frequency of occurrence of 1 per 20 years, i.e. one natural disaster every 20 years, so the ARO for natural disaster is 1/20 = 0.05 natural disasters per year.

Therefore, the respective AROs are:

| Category | Annualized rate of occurrence (ARO) |
|---|---|
| Programming errors | 104 |
| Information theft (hacker) | 4 |
| Information theft (employee) | 1 |
| Viruses | 1 |
| Denial of service attacks | 2 |
| Natural disaster | 0.05 |

Annualized loss expectancy (ALE) is the single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO): ALE = SLE × ARO.

SLE in turn is the asset value multiplied by the exposure factor: SLE = Asset value × Exposure Factor (EF).

So to calculate the SLE we first need the Exposure Factor (EF). EF is the subjective, estimated percentage of an asset's value that would be lost if a particular threat were realized; it represents the fraction by which the asset value is reduced when the threat occurs. Given that E-bidding Company has an ecommerce website generating \$500,000 per year, the Asset Value is \$500,000, therefore:

• EF for Programming errors with a cost per incident of \$1,000 is \$1,000/\$500,000 = 0.002
• EF for Information theft (hacker) with a cost per incident of \$2,000 is \$2,000/\$500,000 = 0.004
• EF for Information theft (employee) with a cost per incident of \$5,000 is \$5,000/\$500,000 = 0.001
• EF for Viruses with a cost per incident of \$1,000 is \$1,000/\$500,000 = 0.002
• EF for Denial of service attacks with a cost per incident of \$3,500 is \$3,500/\$500,000 = 0.007
• EF for Natural disaster with a cost per incident of \$100,000 is \$100,000/\$500,000 = 0.2

From the above EF values we can now calculate SLE = Asset value × Exposure Factor (EF):

| Category | SLE = Asset value × Exposure Factor (EF) |
|---|---|
| Programming errors | 0.002 × 500,000 = \$1,000 |
| Information theft (hacker) | 0.004 × 500,000 = \$2,000 |
| Information theft (employee) | 0.001 × 500,000 = \$5,000 |
| Viruses | 0.002 × 500,000 = \$1,000 |
| Denial of service attacks | 0.007 × 500,000 = \$3,500 |
| Natural disaster | 0.2 × 500,000 = \$100,000 |

Finally, to arrive at ALE we multiply SLE by ARO:

| Category | ALE = ARO × SLE |
|---|---|
| Programming errors | 104 × \$1,000 = \$104,000 |
| Information theft (hacker) | 4 × \$2,000 = \$8,000 |
| Information theft (employee) | 1 × \$5,000 = \$5,000 |
| Viruses | 1 × \$1,000 = \$1,000 |
| Denial of service attacks | 2 × \$3,500 = \$7,000 |
| Natural disaster | 0.05 × \$100,000 = \$5,000 |

One year has passed. Calculate the cost and benefit of the controls that have been in place.

| Category | Cost per incident | Frequency of occurrence | Cost of control | Type of control |
|---|---|---|---|---|
| Programming errors | \$1,000 | 2 per week | \$2,500 | Training |
| Information theft (hacker) | \$2,000 | 1 per quarter | \$10,000 | Firewall |
| Information theft (employee) | \$5,000 | 1 per year | \$10,000 | Physical security |
| Viruses | \$1,000 | 1 per year | \$10,000 | Anti-virus |
| Denial of service attacks | \$3,500 | 1 per 6 months | \$10,000 | Firewall |
| Natural disaster | \$100,000 | 1 per 20 years | \$15,000 | Insurance |

Solution

To carry out the cost/benefit analysis, we first need the annual cost of each countermeasure, which here is the cost of control multiplied by the annualized rate of occurrence (ARO), as shown in the table below.

| Type of control | Annual cost = ARO × cost of control |
|---|---|
| Training | 104 × \$2,500 = \$260,000 |
| Firewall | 4 × \$10,000 = \$40,000 |
| Physical security | 1 × \$10,000 = \$10,000 |
| Anti-virus | 1 × \$10,000 = \$10,000 |
| Firewall | 2 × \$10,000 = \$20,000 |
| Insurance | 0.05 × \$15,000 = \$750 |

After calculating the annual cost of each countermeasure, we compare it with the annualized loss expectancy (ALE) to see whether there is a net benefit or a net loss:

Annualized loss expectancy − Annual cost of control = Net benefit (loss)

| Type of control | Net benefits (losses) |
|---|---|
| Training | \$104,000 − \$260,000 = −\$156,000 |
| Firewall | \$8,000 − \$40,000 = −\$32,000 |
| Physical security | \$5,000 − \$10,000 = −\$5,000 |
| Anti-virus | \$1,000 − \$10,000 = −\$9,000 |
| Firewall | \$7,000 − \$20,000 = −\$13,000 |
| Insurance | \$5,000 − \$750 = \$4,250 |

From the table above, it is clear that every type of control other than insurance is not worthwhile, since each shows a net loss rather than a net benefit: it costs more to protect against the risk than the potential loss itself, so the control increases the firm's outlay rather than reducing its risk. From a business point of view it is not logical for the firm to spend more money on a control than it could potentially lose.
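As an added worked example (not part of the original assignment or solution), the following Python script carries both procedures on this page through end to end: it parses each frequency string into an ARO, derives EF, SLE and ALE from the cost per incident and the \$500,000 asset value, and then applies the page's cost/benefit rule (annual control cost = ARO × cost of control, net benefit = ALE − annual control cost). The risk and control figures are the page's own; the function names, the `Risk` record and the frequency grammar ("N per [K] unit") are my own assumptions. Because EF is computed directly as cost per incident divided by asset value, the script doubles as an arithmetic check on the hand-computed tables.

```python
"""Quantitative risk analysis (ARO / EF / SLE / ALE) and control cost/benefit.

Added example; the figures come from the assignment tables on this page,
the helper names are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Occurrences of each calendar unit in one year, used to annualize frequencies.
PERIODS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}

# Accepts "2 per week", "1 per quarter", "1 per 6 month", "1 per 20 years", ...
_FREQ_RE = re.compile(
    r"^\s*(\d+(?:\.\d+)?)\s+per\s+(?:(\d+)\s+)?(week|month|quarter|year)s?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Risk:
    category: str
    cost_per_incident: float   # loss in dollars each time the threat is realized
    frequency: str             # e.g. "1 per 6 month"
    control_cost: float        # cost of the control from the second table
    control_name: str


ASSET_VALUE = 500_000.0  # annual revenue of the ecommerce site (page figure)

# The page's risk table joined with its control table.
RISKS = [
    Risk("Programming errors", 1_000, "2 per week", 2_500, "Training"),
    Risk("Information theft (hacker)", 2_000, "1 per quarter", 10_000, "Firewall"),
    Risk("Information theft (employee)", 5_000, "1 per year", 10_000, "Physical security"),
    Risk("Viruses", 1_000, "1 per year", 10_000, "Anti-virus"),
    Risk("Denial of service attacks", 3_500, "1 per 6 month", 10_000, "Firewall"),
    Risk("Natural disaster", 100_000, "1 per 20 years", 15_000, "Insurance"),
]


def annualized_rate(frequency: str) -> float:
    """Convert 'N per [K] unit' into expected occurrences per year (ARO)."""
    match = _FREQ_RE.match(frequency)
    if not match:
        raise ValueError(f"unrecognised frequency: {frequency!r}")
    count, span, unit = match.groups()
    span = int(span) if span else 1  # "per 20 years" -> span 20, "per week" -> 1
    return float(count) * PERIODS_PER_YEAR[unit.lower()] / span


def exposure_factor(cost_per_incident: float, asset_value: float) -> float:
    """EF: fraction of the asset value lost when the threat is realized."""
    if asset_value <= 0:
        raise ValueError("asset value must be positive")
    return cost_per_incident / asset_value


def analyse(risk: Risk, asset_value: float = ASSET_VALUE) -> dict:
    """Compute ARO, EF, SLE, ALE and the page's control cost/benefit for one risk."""
    aro = annualized_rate(risk.frequency)
    ef = exposure_factor(risk.cost_per_incident, asset_value)
    sle = asset_value * ef            # SLE = Asset value x EF
    ale = sle * aro                   # ALE = SLE x ARO
    annual_control_cost = aro * risk.control_cost  # page's rule: ARO x cost of control
    return {
        "category": risk.category,
        "control": risk.control_name,
        "aro": aro,
        "ef": ef,
        "sle": sle,
        "ale": ale,
        "annual_control_cost": annual_control_cost,
        "net_benefit": ale - annual_control_cost,  # ALE - annual cost of control
    }


def worthwhile(result: dict) -> bool:
    """A control pays for itself only when the net benefit is positive."""
    return result["net_benefit"] > 0


def analyse_all(risks=RISKS, asset_value: float = ASSET_VALUE) -> dict:
    """Map category -> analysis result for every risk in the table."""
    return {r.category: analyse(r, asset_value) for r in risks}


if __name__ == "__main__":
    header = f"{'Category':30} {'ARO':>7} {'EF':>6} {'SLE':>9} {'ALE':>9} {'Ctrl/yr':>9} {'Net':>10}"
    print(header)
    for res in analyse_all().values():
        print(f"{res['category']:30} {res['aro']:7.2f} {res['ef']:6.3f} "
              f"{res['sle']:9,.0f} {res['ale']:9,.0f} {res['annual_control_cost']:9,.0f} "
              f"{res['net_benefit']:10,.0f}  {'keep' if worthwhile(res) else 'drop'}")
```

Running the script prints one row per risk and flags only the insurance control as worthwhile, matching the conclusion above; the EF column is worth comparing line by line against the hand-computed bullet list.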
