Read the case study and conduct the risk analysis tasks listed at the end of the case study. The case study is presented in two parts: Problem definition and collecting data & estimates.

Note that not all data points are relevant to your analysis. As in the real world, you have to determine what information applies to your scenario and to what variable of the FAIR model the information corresponds.

Part I: Problem definition

Innova Tech is an enterprise software vendor located in Riyadh, Saudi Arabia. The company provides services and software solutions to satisfy the needs of organizations. Innova Tech provides its customers with business-oriented tools such as online shopping, online payment, and automated billing systems.

Ahmad, the CRO, chief risk officer, decided to update and improve reporting on the top risks facing the company. Through a series of risk identification activities, Ahmad and his cyber risk team have concluded that one of the external threats with potential high concern to the company is email phishing attacks. Through email phishing, threat actors could gain access to the companys network and possibly breach sensitive data.

Ahmad and his team considered the various systems in the company and resolved that the largest risk exposure is associated with the Customer database (C-DB). The C-DB stores sensitive information about customers information, purchased products, time of purchase, etc.

The CRO asked the cyber risk team to investigate and conduct a risk analysis.

Part II: Collecting Data & Estimates

The cyber risk team held meetings with teams from across the company and obtained the following information.

• In the company archive, there are no documents about this type of breach occurring within the last 10 years.
• There is limited knowledge of past security events and their causes because the Incident Response Team does not often perform root cause analysis on incidents.
• The Network Security Team reports that they detect malicious activity on the network on average 10 times a day. They estimate that the customer website is being scanned remotely between 1 and 7 times per day.

• The Application Security Team estimates that 850 connections are made to the C-DB each day, and the site has not experienced an unplanned outage in the last 5 years.
• The Security Team discussed the phishing simulation security control, which is part of regular penetration testing services provided by a third party. The simulation is usually combined with a security training and awareness program based on the result of the simulation. They reported that, while there hasnt been a successful malicious activity against the company yet, based on the increasing sophistication of malicious attacks, they believe that in every 40 attacks, one will be successful. It means that 2.5% of the email phishing attacks are likely to overcome the current security controls.

• The team has found out that the company email has received phishing attacks on weekly bases, and sometimes it received more than 3 phishing emails per week.

Next, the risk team moves on to gathering data about loss magnitude in the event of a breach.

Sales Management

• Approximately 2 million customers data are stored in C-DB; about 500.000 of them are expected to be active.
• The C-DB website generates roughly $12.5M in revenue each year, with an average customer value of $400.

Incident Response

• In the event of a breach, a team of 4-7 people would be deployed for 8-15 hours at a loaded hourly wage of $100/hr.
• Industry data shows that companies typically do not discover data breaches for months after the event. Given this, Innova Tech would likely continue to operate the website during the investigation.
• In the event of a data breach, a third-party forensic team would be hired to investigate how much data was stolen and how it was taken. Investigations of this scale cost an average of $200,000.
• After the breach, a training and awareness session has to be sent to employees who are victims of the email phishing attack. Usually, an external security consultant provides a one-day session that cost about 1500$.
• After the incident, notifying impacted customers will cost around $5 per customer. Notified customers are expected to contact the call center to demand more information about the breach, and each call cost about 2$.
• After the incident, notifying the regulator will cost around 1000$ for the whole incident.

• Regulatory Compliance

• Industry data shows that over the past 3 years, fines related to a breach of over 500,000 customer records have ranged from $150,000 to $500,000.
• Industry data shows that courts and regulators have rarely held companies accountable for fraudulent credit card charges that occur after a data breach.

Analysis Tasks:

Q1: Write a properly scoped scenario statement for the analysis Innovas risk team will conduct.

Q2: Write context-specific questions for Threat Event Frequency, Secondary Loss Event Frequency, and vulnerability.

Q3: What is a reasonable estimate for Threat Event Frequency given the information in the case study? Please provide minimum, maximum, most likely, and level of confidence in the most likely. Justify your estimates. (10 Pts)

Q4: What is a reasonable estimate for Vulnerability given the information in the case study? Please provide a minimum, maximum, most likely, and level of confidence in the most likely. (10 Pts)

Q5: What types of loss should Innova Tech consider? Circle all that apply.

Primary Productivity	Secondary Productivity
Primary Response	Secondary Response
Primary Competitive Advantage	Secondary Competitive Advantage
Primary Replacement	Secondary Replacement
Primary Fines/Judgments	Secondary Fines/Judgments
Primary Reputation	Secondary Reputation

Q6: Use the table format below to record the calculations used to arrive at calibrated estimates ($) for each relevant type of loss. Use as many tables as you need. (15 Pts)

Loss type	min	Ml	max	Confidence
[add rows as necessary]
Total [if needed]

Q7: If there is a Secondary Loss, please use the table below to record the secondary loss event frequency?

Secondary Loss event frequency	min	Ml	max	Confidence

Q8: Insert your calibrated estimates to the FAIR-U tool and include the snapshots of the results.

• Insert a snapshot of the FAIR ontology after inserting the relevant estimations.
• Insert a snapshot of primary, secondary, and total loss exposure results
• Insert the loss Exceedance Curve and provide informed analysis of the results