Q Quantitative risk assessment exercise
A quantitative risk assessment exercise is included below. Your submission should include the calculations of the ROSI for the two scenarios. In the tutorial, we will quickly work through these calculations, but then focus the discussions on the limitations of making these calculations in such situations like this. Aspects of this exercise are perhaps a little dated, but it is still useful for the purposes of this discussion.
Risk assessment scenario:
Over the years that you have been in business, your organisation has accumulated customer records that form the basis of your ongoing sales and service business. Repeat business through customer loyalty accounts for of your current annual revenue of $million. Your sales staff of representatives spends most of the time on the road, following up new leads or attending to repeat orders from existing customers.
Your industry body has determined that the threats to businesses in your sector are currently those shown in the table below. Your network of industry acquaintances has expressed surprise that you still allow your sales staff to carry around your client list on unprotected laptops that are taken to restaurants, left in cars or dumped on the living room table at home. CyGuard software or similar to encrypt the client contact list and any other sensitive data on a laptop is used by many companies in your industry. A CyGuard licence pack costs $ per annum, which seems a bit expensive, but it includes automatic updates and other features that don't concern us here.
The chance that you will lose at least one laptop from your organisation in any one year is estimated by your industry body at or nearly chance in . The fact that you have not lost any yet is probably due more to good luck than good management.
Your accountant, on the other hand, has advised you that the chance, in the long run, of fraud being conducted by one or more of your employees is real, and has recommended that you put in place some background auditing software that can alert you to narrow or negative margins in some of your key financial indicators. This add-on to your office financial system costs an initial $ in the first year and an ongoing annual support and upgrade fee of the same amount.
The average loss in your industry from fraud, when it occurs, is reported to be on average $ per $m of revenue. The probability that it will happen to you in any given year is about or slightly less than in .
For the purpose of this exercise you may assume that due to the COVID crisis and its aftermath, there is no growth occurring in your revenue at this time, and that this has been an unfortunate ongoing trend for some time. Also assume that there is no annual growth in your customer base. Assume also that if your customer records get out, your competitors will swoop and you will lose all repeat business.
Q Your task is to determine, by performing the appropriate calculations, the cost benefit of following the advice of your industry colleagues and your accountant by installing protection on the laptops and your office financial system as suggested. Assume that the controls are effective in reducing the risk if they are installed.
Be quite clear in your recommendation as to whether the expense should be incurred or not in each case.
Q If the residual risk in both instances after the control was installed was of the initial exposure, would it still be worthwhile installing the controls? Show your workings.
Type of Misuse or Attack
Year: occurrence
Virus
Laptop theft
Insider abuse of Net access
Unauthorised access to info
Denial of service
System penetration
Abuse of Wireless connection
Theft of IP
Financial fraud
Telecommunications fraud
Misuse of public Web applications
Web site defacement
Sabotage
Some formulae
SLE = single loss expectancy
ARO = annualised rate of occurrence
ALE = annualised loss expectancy
CC = cost of controls
ROSI = return on security investment
ALE = SLE x ARO
ROSI = ALEbefore - ALEafter - CC
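A worked calculation of the two ROSI figures the question asks for, added here as an example and not part of the question or of any posted answer. Because the dollar amounts and probabilities were stripped from the page, every input below (revenue, repeat-business share, loss probabilities, control costs) is a constructed placeholder; the structure of the calculation follows the formulae above, and the residual-fraction parameter covers the follow-up question about residual risk.

```python
# Added example (not from the exercise sheet): ALE / ROSI for the two controls
# in the exercise, using the page's formulae
#   ALE  = SLE x ARO
#   ROSI = ALE_before - ALE_after - CC
# All figures below are CONSTRUCTED placeholders; substitute the real ones.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float   # single loss expectancy ($)
    aro: float   # annualised rate of occurrence (events per year)
    cc: float    # annual cost of the control ($)


def ale(sle: float, aro: float) -> float:
    """Annualised loss expectancy: ALE = SLE x ARO."""
    return sle * aro


def rosi(ale_before: float, ale_after: float, cc: float) -> float:
    """Return on security investment as stated on the page: ALE_before - ALE_after - CC."""
    return ale_before - ale_after - cc


def evaluate(s: Scenario, residual_fraction: float = 0.0) -> dict:
    """ALE before/after the control and the resulting ROSI.
    residual_fraction = 0.0 models a fully effective control (first task);
    e.g. 0.10 leaves 10% of the original exposure as residual risk (follow-up task)."""
    before = ale(s.sle, s.aro)
    after = before * residual_fraction
    r = rosi(before, after, s.cc)
    return {"scenario": s.name, "ale_before": before, "ale_after": after,
            "rosi": r, "install": r > 0}


# Constructed inputs (assumptions, not the exercise's figures):
REVENUE = 10_000_000      # annual revenue, $
REPEAT_SHARE = 0.40       # share of revenue from repeat business
LAPTOP = Scenario("CyGuard laptop encryption",
                  sle=REPEAT_SHARE * REVENUE,  # list leaks -> lose ALL repeat business
                  aro=0.20,                    # P(lose at least one laptop in a year)
                  cc=5_000)                    # licence pack per annum
FRAUD = Scenario("financial auditing add-on",
                 sle=20_000 * (REVENUE / 1_000_000),  # avg loss per $m x revenue in $m
                 aro=0.05,                             # P(fraud in a given year)
                 cc=15_000)                            # initial fee = ongoing annual fee

if __name__ == "__main__":
    for residual in (0.0, 0.10):
        for s in (LAPTOP, FRAUD):
            print(f"residual={residual:.0%}", evaluate(s, residual))
```

With these placeholder inputs the laptop control has a large positive ROSI and the auditing add-on a negative one, which is exactly the kind of per-control recommendation the task asks for; the real figures may of course reverse either verdict.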