Question

Assume that a year has passed and XYZ has improved security by applying several controls. Using the information from Exercise 3 (information is below) and the following table, calculate the post-control ARO and ALE for each threat category listed.

| Threat Category | Cost per Incident | Frequency of Occurrence | Cost of Control | Type of Control |
|---|---|---|---|---|
| Programmer mistakes | $5,000 | 3 per month | $20,000 | Training |
| Loss of intellectual property | $25,000 | 1 per 2 years | $20,000 | Firewall/IDS |
| Software piracy | $500 | 1 per 2 months | $9,000 | Firewall/IDS |
| Theft of information (hacker) | $1,500 | 2 per 6 months | $20,000 | Firewall/IDS |

Why have some values changed in the Cost per Incident and Frequency of Occurrence columns? How could a control affect one but not the other? Assume that the values in the Cost of Control column are unique costs directly associated with protecting against the threat. In other words, don't consider overlapping costs between controls. Calculate the CBA for the planned risk control approach in each threat category. For each threat category, determine whether the proposed control is worth the costs.

The information from section 3:

Programming mistakes: ARO = 2 * 52 = 104; ALE = 5,000 * 104 = 520,000

Loss of intellectual property: ARO = 1; ALE = 1 * 25,000 = 25,000

Software piracy: ARO = 26; ALE = 26 * 500 = 13,000

Theft of information: ARO = 16; ALE = 16 * 1,500 = 24,000

| Threat Category | Cost per Incident (SLE) | Frequency of Occurrence |
|---|---|---|
| Programmer mistakes | $5,000 | 2 per week |
| Loss of intellectual property | $25,000 | 1 per year |
| Software piracy | $500 | 1 per 2 weeks |
| Theft of information (hacker) | $1,500 | 4 per quarter |
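
The calculation the exercise asks for, as an added example that is not part of the original question or its answer: it converts each frequency to an ARO, computes ALE = cost per incident × ARO, and applies the standard cost-benefit formula CBA = ALE(prior) − ALE(post) − ACS, which is assumed here because the page does not state it. The function names, the treatment of Cost of Control as an annual cost, and the "CBA > 0 means worth it" verdict are also assumptions.

```python
import re
from fractions import Fraction

# Periods per year, using the 52-week year the page uses (2 per week -> ARO 104).
PERIODS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}

def aro(freq):
    """Convert text like '3 per month' or '1 per 2 years' to occurrences per year."""
    m = re.fullmatch(r"\s*(\d+)\s+per\s+(?:(\d+)\s+)?(week|month|quarter|year)s?\s*",
                     freq.lower())
    if not m:
        raise ValueError(f"unrecognised frequency: {freq!r}")
    count, span, unit = int(m.group(1)), int(m.group(2) or 1), m.group(3)
    return Fraction(count * PERIODS_PER_YEAR[unit], span)  # exact, e.g. 1/2 per year

def ale(sle, freq):
    """Annualized loss expectancy = single loss expectancy x ARO."""
    return sle * aro(freq)

def cba(ale_prior, ale_post, acs):
    """Assumed formula (not on the page): ALE(prior) - ALE(post) - annual cost of safeguard."""
    return ale_prior - ale_post - acs

# Values copied from the page's two tables:
# (threat, SLE before, frequency before, SLE after, frequency after, cost of control)
ROWS = [
    ("Programmer mistakes", 5000, "2 per week", 5000, "3 per month", 20000),
    ("Loss of intellectual property", 25000, "1 per year", 25000, "1 per 2 years", 20000),
    ("Software piracy", 500, "1 per 2 weeks", 500, "1 per 2 months", 9000),
    ("Theft of information (hacker)", 1500, "4 per quarter", 1500, "2 per 6 months", 20000),
]

def analyse(rows=ROWS):
    """Return post-control ARO, both ALEs and the CBA for every threat category."""
    out = {}
    for threat, sle0, f0, sle1, f1, cost in rows:
        prior, post = ale(sle0, f0), ale(sle1, f1)
        out[threat] = {"aro_post": aro(f1), "ale_prior": prior,
                       "ale_post": post, "cba": cba(prior, post, cost)}
    return out

if __name__ == "__main__":
    for threat, r in analyse().items():
        verdict = "worth it" if r["cba"] > 0 else "not worth it"  # assumed decision rule
        print(f"{threat:32} ARO={float(r['aro_post']):>5} ALE=${float(r['ale_post']):>9,.0f} "
              f"CBA=${float(r['cba']):>9,.0f} ({verdict})")
```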
