Q1 Quantitative risk assessment exercise
A quantitative risk assessment exercise is included below. Your submission should include the calculations of the ROSI for the two scenarios. In the tutorial, we will quickly work through these calculations, but then focus the discussion on the limitations of making such calculations in situations like this. Aspects of this exercise are perhaps a little dated, but it is still useful for the purposes of this discussion.
Risk assessment scenario:
Over the 5 years that you have been in business, your organisation has accumulated 10,000 customer records that form the basis of your ongoing sales and service business. Repeat business through customer loyalty accounts for 10% of your current annual revenue of $2 million. Your sales staff of 8 representatives spends most of the time on the road, following up new leads or attending to repeat orders from existing customers.
Your industry body has determined that the threats to businesses in your sector are currently those shown in the table below. Your network of industry acquaintances has expressed surprise that you still allow your sales staff to carry your client list around on unprotected laptops that are taken to restaurants, left in cars or dumped on the living room table at home. CyGuard software (or similar) to encrypt the client contact list and any other sensitive data on a laptop is used by many companies in your industry. A CyGuard 10 licence pack costs $8,000 per annum, which seems a bit expensive, but it includes automatic updates and other features that don't concern us here.
The chance that you will lose at least one laptop from your organisation in any one year is estimated by your industry body at 0.47, or nearly 1 chance in 2. The fact that you have not lost any yet is probably due more to good luck than good management.
Your accountant, on the other hand, has advised you that the chance, in the long run, of fraud being conducted by one or more of your employees is real, and has recommended that you put in place some background auditing software that can alert you to narrow or negative margins in some of your key financial indicators. This add-on to your office financial system costs an initial $2,200 in the first year and an ongoing annual support and upgrade fee of the same amount.
The average loss in your industry from fraud, when it occurs, is reported to be $14,000 per $1m of revenue. The probability that it will happen to you in any given year is about 0.09, or slightly less than 1 in 10.
For the purpose of this exercise you may assume that, due to the COVID crisis and its aftermath, there is no growth occurring in your revenue at this time, and that this has been an unfortunate ongoing trend for some time. Also assume that there is no annual growth in your customer base. Assume also that if your customer records get out, your competitors will swoop and you will lose all repeat business.
Q1.1 Your task is to determine, by performing the appropriate calculations, the cost benefit of following the advice of your industry colleagues and your accountant by installing protection on the laptops and your office financial system as suggested. Assume that the controls are 100% effective in reducing the risk if they are installed.
Be quite clear in your recommendation as to whether the expense should be incurred or not in each case.
Q1.2 If the residual risk in both instances after the control was installed was 25% of the initial exposure, would it still be worthwhile installing the controls? Show your workings.
Type of misuse or attack               Year 2009, % occurrence
Virus                                  65%
Laptop theft                           47%
Insider abuse of Net access            42%
Unauthorised access to info            32%
Denial of service                      25%
System penetration                     15%
Abuse of wireless connection           14%
Theft of IP                             9%
Financial fraud                         9%
Telecommunications fraud                8%
Misuse of public Web applications       6%
Web site defacement                     6%
Sabotage                                3%
Some formulae
SLE   single loss expectancy
ARO   annualised rate of occurrence
ALE   annualised loss expectancy
CC    cost of controls
ROSI  return on security investment
ALE = SLE x ARO
ROSI = (ALE_before - ALE_after) - CC
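The two scenarios worked through with the formulae above, as an added Python example that is not part of the original exercise or its published solution. It assumes (not stated in the exercise) that the single loss for the laptop scenario is one year of repeat business (10% of the $2 million revenue) and that the fraud loss of $14,000 per $1m scales to the $2m revenue; the residual_fraction parameter generalises Q1.2 to any residual exposure, not only 25%.

```python
# Added example: ALE/ROSI calculator for the exercise's two scenarios.
# Formulae from the exercise: ALE = SLE x ARO; ROSI = (ALE_before - ALE_after) - CC.
# Assumption (not stated on the page): the laptop single loss is one year of
# repeat business, i.e. 10% of $2m, since revenue and customer base are flat.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float   # single loss expectancy ($)
    aro: float   # annualised rate of occurrence (probability per year)
    cc: float    # annual cost of the control ($)


def ale(sle: float, aro: float) -> float:
    """Annualised loss expectancy: ALE = SLE x ARO."""
    return sle * aro


def rosi(ale_before: float, ale_after: float, cc: float) -> float:
    """Return on security investment as defined in the exercise."""
    return (ale_before - ale_after) - cc


def assess(s: Scenario, residual_fraction: float = 0.0) -> dict:
    """Evaluate one scenario. residual_fraction is the share of the initial
    exposure left after the control (0.0 = 100% effective, 0.25 = Q1.2)."""
    before = ale(s.sle, s.aro)
    after = before * residual_fraction
    r = rosi(before, after, s.cc)
    return {"name": s.name, "ale_before": before, "ale_after": after,
            "rosi": r, "recommend": r > 0}


ANNUAL_REVENUE = 2_000_000
# Figures taken from the exercise text; SLE interpretations are assumptions.
LAPTOP = Scenario("Laptop encryption (CyGuard)", sle=0.10 * ANNUAL_REVENUE,
                  aro=0.47, cc=8_000)
FRAUD = Scenario("Fraud auditing add-on",
                 sle=14_000 * (ANNUAL_REVENUE / 1_000_000), aro=0.09, cc=2_200)

if __name__ == "__main__":
    for residual in (0.0, 0.25):
        print(f"--- residual exposure {residual:.0%} ---")
        for s in (LAPTOP, FRAUD):
            res = assess(s, residual)
            verdict = "install" if res["recommend"] else "do not install"
            print(f"{res['name']}: ALE before ${res['ale_before']:,.0f}, "
                  f"after ${res['ale_after']:,.0f}, ROSI ${res['rosi']:,.0f} -> {verdict}")
```

Note that the fraud control only just pays for itself at 100% effectiveness, so a modest residual exposure flips its ROSI negative, which is the point the tutorial discussion of Q1.2 turns on.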