Suppose ABC Software Company has a new application development project with projected revenues of $1.2 million. Using the following table, calculate the ARO and ALE for each threat category the company faces for this project:

How might ABC Software Company arrive at the values in the previous table? For each entry, describe the process of determining the cost per incident and frequency of occurrence.

Assume that a year has passed and XYZ has improved security by applying several controls. Using the information from Exercise 1 and the table below, calculate the post-control ARO and ALE for each threat category listed.

Why have some values changed in the Cost per Incident and Frequency of Occurrence columns? How could a control affect one but not the other? Assume that the values in the Cost of Control column are unique costs directly associated with protecting against the threat. In other words, don't consider overlapping costs between controls. Calculate the CBA for the planned risk control approach in each threat category. For each threat category, determine whether the proposed control is worth the costs.

Threat Category Programmer mistakes Loss of intellectual property Software piracy Theft of information (hacker) Theft of information (employee) Web defacement Theft of equipment Viruses, worms, Trojan horses Denial-of-service attacks Earthquake Flood Fire Cost per Incident (SLE) Frequency of Occurrence $5,000 $75,000 $500 $2,500 $5,000 $500 $5,000 $1,500 $2,500 $250,000 $250,000 $500,000 1 per week 1 per year 1 per weelk 1 per quarter 1 per 6 months 1 per month 1 per year 1 per week 1 per quarter 1 per 20 years 1 per 10 years 1 per 10 years