1. Calculate ARO, ALE, and CBA

   Do not overthink the assignment this week.

   ALE is a common quantitative method for assessing risk.

   The first step in calculating ALE is to calculate Single Loss Expectancy (SLE). --> SLE = asset value * exposure factor

   ALE is then calculated by multiplying SLE by Annualized Rate of Occurrence (ARO). --> ALE = SLE * ARO

   For example, to calculate the exposure factor, assume the asset value of a small office building and its contents is $2 million. Also assume that this building houses the call center for a business, and the complete loss of the center would take away about half of the capability of the company. Therefore, the exposure factor is 50 percent. The SLE is $2 million * 0.5 = $1 million.

   The ALE is then calculated simply by multiplying the SLE by the number of times the event is expected to occur in a year, which is called the annualized rate of occurrence (ARO): --> ALE = SLE * ARO.

   If the event is expected to occur once in 20 years, then the ARO is 1/20. Typically the ARO is defined by historical data, either from a companys own experience or from industry surveys. Continuing our example, assume that a fire at this businesss location is expected to occur about once in 20 years. Given this information, the ALE is: $1 million * 1/20 = $50,000.

   Therefore, in order to protect the office building the company should spend no more than $50,000 on countermeasures protecting the building from complete loss.

   • Office building and contents = $2 million
   • Exposure factor 50%
   • SLE = $2 million * 0.5 = $1 million
   • ALE = SLE * ARO ARO = 1/20 (One occurrence every 20 years)
   • ALE = $1 million * 1/20 = $50,000

   ARO = Annual Rate of Occurrence. Do NOT get bogged down in the equation. Annual Rate of Occurrence is simply how many times this occurs in a year. If the spreadsheet says weekly and there are 52 weeks in a year, ARO = 52. The only time folks get in trouble with this assignment is by trying to go too deep. This should be your easiest assignment of the course.

2. Assignment Requirements

   One year ago, the Mesusa Corporation conducted a threat evaluation and created a list of threats, the cost per incident and the projected frequency of occurrence. During the year, Mesusa decided to implement controls designed to reduce the cost per incidence and the number of threats.

   Please include your name on your spreadsheet before submission.

C3 fx 1 per week A B D E F G H K L 1 NAME: ALE ARO (Pre) (Pre) SLE (Post) 2 3 Programmer Mistakes 4 Loss of Intellectual Property 5 Software Piracy 6 Theft of Information (External) 7 Theft of Information Internal) 8 Web Defacement 9 Theft of Equipment 10 Viruses, Worm, Trojan Horses 11 DOS Attack 12 Earthquake 13 Flood 14 Fire 15 16 17 Frequency SLE (Pre) (Pre) $2,5001 per week $51,000 2 per year $1,500 2 per month $1,200 1 per quarter $6,500 3 per year $500 1 per week $5,000 1 per year $1,000 1 per week $4,000 2 per year $300,000 1 per 20 years $300,000 1 per 10 years $550,0001 per 10 years (Post) Frequency (Post) ARO (Post) ALE $2,5001 per month $51,000 1 per 2 year $1,5001 per month $1.2002 per year $6,500 1 per year $5001 per year $5,000 1 per 2 year $1,000 1 per month $4,000 1 per year $30,000 1 per 20 year $30,000 1 per 10 year $55,0001 per 10 year CBA 18 19 Programmer Mistakes 20 Loss of Intellectual Property 21 Software Piracy 22 Theft of Information (External) 23 Theft of Information Internal) 24 Web Defacement 25 Theft of Equipment 26 Viruses, Worm, Trojan Horses 27 DOS Attack 28 Earthquake 29 Flood B0 Fire 31 32 33 Sheet1 Cost of Control Type of Control $20,000 Training $17,000 Firewall/IDS $15,000 Firewall/IDS $7,000 Firewall/IDS $7,000 Phys. Security $5,000 Firewall $7,000 Phys. Security $9.000 Antivirus $5,000 Firewall $5,000 Insurance/Backup $12,000 Insurance/Backup $5,000 Insurance/Backup