Can anyone please help me with solving this Quantitative risk assessment?

Risk assessment scenario:

• Over the 5 years that you have been in business, your organization has accumulated 10,000 customer records that form the basis of your ongoing sales and service business. Repeat business through customer loyalty accounts for 10% of your current annual revenue of $2million. Your sales staff of 8 representatives spends most of the time on the road, following up new leads or attending to repeat orders from existing customers.
• Your industry body has determined that the threats to businesses in your sector are currently those shown in the table below. Your network of industry acquaintances has expressed surprise that you still allow your sales staff to carry around your client list on unprotected laptops that are taken to restaurants, left in cars or dumped on the living room table at home. CyGuard software (or similar) to encrypt the client contact list and any other sensitive data on a laptop is used by many companies in your industry. A guard 10 license pack costs $8,000 per annum, which seems a bit expensive, but it includes automatic updates and other features that dont concern us here.
• The chance that you will lose at least one laptop from your organization in any one year is estimated by your industry body at 0.47, or nearly 1 chance in 2. The fact that you have not lost any yet is probably due more to good luck than good management.
• Your accountant, on the other hand, has advised you that the chance, in the long run, of fraud being conducted by one or more of your employees is real, and has recommended that you put in place some background auditing software that can alert you to narrow or negative margins in some of you key financial indicators. This add-on to your office financial system costs an initial $2,200 in the first year and an ongoing annual support and upgrade fee of the same amount.
• The average loss in your industry from fraud, when it occurs, is reported to be on average $14,000 per $1m of revenue. The probability that it will happen to you in any given year is about 0.09 or slightly less than 1 in 10.
• For the purpose of this exercise, you may assume that due to the covid crisis and its aftermath, there is no growth occurring in your revenue at this time, and that this has been an unfortunate ongoing trend for some time. Also, assume that there is no annual growth in your customer base. Assume also that if your customer records get out, your competitors will swoop and you will lose all repeat business.

Q1.1 Your task is to determine, by performing the appropriate calculations, the cost-benefit of following the advice of your industry colleagues and your accountant by installing protection on the laptops and your office financial system as suggested. Assume that the controls are 100% effective in reducing the risk if they are installed.

Be quite clear in your recommendation as to whether the expense should be incurred or not in each case.

Q1.2 If the residual risk in both instances after the control was installed was 25% of the initial exposure, would it still be worthwhile installing the controls? Show your workings.

Type of Misuse or Attack	Year:2009 % occurrence
Virus	65%
Laptop theft	47%
Insider abuse of Net access	42%
Unauthorised access to info	32%
Denial of service	25%
System penetration	15%
Abuse of Wireless connection	14%
Theft of IP	9%
Financial fraud	9%
Telecommunications fraud	8%
Misuse of public Web applications	6%
Web site defacement	6%
Sabotage	3%

Some formulae

SLE single loss expectancy

ARO annualised rate of occurrence

ALE annualised loss expectancy

CC cost of controls

ROSI return on security investment

ALE = SLE x ARO

ROSI = (ALE_before ALE_after) CC