Question

1. Conduct a quantitative risk analysis and provide all values used and how they were calculated using information below:

Risk analysis will contain:

-Loss Event Frequency

-Primary Loss

-Secondary Loss event frequency

-Secondary loss magnitude

Maine Healthcare Associates is a moderate-sized organization with 75,000 individual customer records including sensitive health information and payment (credit card) information, and 6,000 employees. The organization has fallen victim to attempts by cyber criminals eight times in the past five years, usually via employees clicking on phishing attempts. However, little or no data was lost in each of these events, with the exception of one where 100 complete records were lost. On average, employees are paid $42 per hour. There are approximately 26 individuals who participate in various response types (incident response, legal, HR, etc.). From previous incidents, it is known that response for a cyber criminal incident can take anywhere between 40 hours and 250 hours depending on the amount of cleanup and response types. It is also known from past historical data from the organization that, on average, customer notification costs are $4.50. Customer support reports that during an incident, generally 18% of customers will call, at the average cost of $8.50 per call. The organization must offer credit monitoring in the event of disclosure of sensitive healthcare data; the organization knows from market research and experience that 14% of customers will take advantage of a credit monitoring offer, and that it will cost the organization $20 per customer to offer monitoring. Based on previous events as well as other related events the organization has had that involve customer information disclosures, response meetings between executives and stockholders, customers, etc. usually fall between 30 and 350 hours. Because these meetings often involve largely executives, the time cost associated with these meetings is approximately $110 per hour. The legal department has indicated that legal costs tend to vary depending on the number of compromised records. Based on past experiences, the organization has broken this down to a per-record cost of $1.

The organization contracts out a public relations company that is only used in the case of lost or compromised records. Costs associated with public relations also vary widely with the number of records compromised. The public relations organization will only cover up to $5,000,000 of costs associated with public relations; this cost has been determined by Maine Healthcare Associates to be the worst-case scenario associated with the cost of public relations. Since the organization has been required to reimburse credit cards in the past, the company knows that it will cost $4 per credit card to replace. Since the company has regulations from both HIPAA and PCI-DSS, there are potential punitive fines associated with the loss of data. In this case, since encryption of data traversing a network is required by both HIPAA and PCI-DSS, the potential fines are as follows: HIPAA Willful Neglect Not Corrected: $50,000 per violation (this can also be levied per record if desired), up to a maximum of $1.5 million annually. PCI-DSS: $5,000 per month in the first three months after discovery, and $25,000 monthly if the issue has not been remediated after 3 months. Finally, the organization fears that customers will leave, and market share will be lost, in the event of an incident resulting in loss of customer data. Based on customer and industry data, Maine Healthcare Associates knows the following: approximately 10% of customers will leave a company, and the average profit per customer over the lifetime of the relationship is $500. Maine Healthcare Associates is interested in finding out the level of risk associated with unencrypted sensitive information flowing across the company's internal network. Maine Healthcare Associates is currently considering deploying an encryption system across the organization's internal network, and needs data to inform this decision.
Specifically, they would like to know the level of risk associated with the following scenario:

-Asset at risk: Customer Information

-Threat Community: Cyber Criminals

-Threat Type: Malicious

-Effect: Confidentiality
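As an added worked example (not part of the question or of any posted answer), the following Python lays out the four FAIR quantities the question asks for, using only the figures given above. Where the question leaves the arithmetic open (whether the 40-250 response hours are per responder, how public relations cost scales with records lost, whether HIPAA is levied per record, and how long PCI remediation takes) the choices are marked ASSUMPTION and passed in as parameters so they can be varied.

```python
# Added worked example for the Maine Healthcare Associates scenario (not from
# the question or any posted answer). ASSUMPTION marks interpretive choices.
RECORDS = 75_000                            # customer records at risk
LOSS_EVENTS, YEARS, DISCLOSURES = 8, 5, 1   # 8 incidents in 5 yrs, 1 lost records
RESPONDERS, HOURLY_RATE, EXEC_RATE = 26, 42.0, 110.0
NOTIFY_COST, CALL_RATE, CALL_COST = 4.50, 0.18, 8.50
MONITOR_RATE, MONITOR_COST, LEGAL_PER_RECORD, CARD_REPLACE = 0.14, 20.0, 1.0, 4.0
PR_CAP = 5_000_000.0                        # worst-case public relations spend
HIPAA_PER_RECORD, HIPAA_ANNUAL_CAP = 50_000.0, 1_500_000.0
CHURN_RATE, LIFETIME_PROFIT = 0.10, 500.0


def loss_event_frequency() -> float:
    """LEF: historical loss events per year (8 in 5 years = 1.6/yr)."""
    return LOSS_EVENTS / YEARS


def primary_loss(response_hours: float) -> float:
    """Primary loss = internal response labour for one event.
    ASSUMPTION: the 40-250 hour range is per responder (x 26 people x $42)."""
    return response_hours * RESPONDERS * HOURLY_RATE


def secondary_loss_event_frequency() -> float:
    """SLEF: LEF x probability that a loss event discloses records (1 of 8)."""
    return loss_event_frequency() * DISCLOSURES / LOSS_EVENTS


def pci_fine(months_unremediated: int) -> float:
    """PCI-DSS: $5,000/month for the first three months, $25,000/month after."""
    return min(months_unremediated, 3) * 5_000.0 + max(months_unremediated - 3, 0) * 25_000.0


def secondary_loss_magnitude(records: int, meeting_hours: float, months: int) -> dict:
    """Secondary loss for `records` disclosed records, itemised. ASSUMPTION: PR spend
    scales with the share of records lost (capped at $5M); HIPAA per record, capped $1.5M/yr."""
    costs = {
        "notification": records * NOTIFY_COST,
        "support_calls": records * CALL_RATE * CALL_COST,
        "credit_monitoring": records * MONITOR_RATE * MONITOR_COST,
        "meetings": meeting_hours * EXEC_RATE,
        "legal": records * LEGAL_PER_RECORD,
        "public_relations": PR_CAP * records / RECORDS,
        "card_replacement": records * CARD_REPLACE,
        "hipaa_fine": min(records * HIPAA_PER_RECORD, HIPAA_ANNUAL_CAP),
        "pci_fine": pci_fine(months),
        "customer_churn": records * CHURN_RATE * LIFETIME_PROFIT,
    }
    costs["total"] = sum(costs.values())
    return costs


def annualized_risk(response_hours: float, records: int, meeting_hours: float, months: int) -> float:
    """Annualized loss exposure = LEF x primary loss + SLEF x secondary loss."""
    slm = secondary_loss_magnitude(records, meeting_hours, months)["total"]
    return loss_event_frequency() * primary_loss(response_hours) + secondary_loss_event_frequency() * slm
```

Running the minimum case (40 response hours, 100 records as in the one historical disclosure, 30 meeting hours, remediation within 3 months) against the maximum case (250 hours, all 75,000 records, 350 meeting hours, 6 months unremediated) gives the loss range the encryption decision should be weighed against.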
