The internal auditor for ELC Consulting Inc., a company specializing in online consulting services, noticed that the estimated time for an eventual attack to their systems is only about 30 minutes. In addition, it takes between 8 to 18 minutes to detect the attack and notify appropriate security staff. However, the problem can be fixed, and corrective actions could be implemented within a short time, between 6 to 15 minutes depending on the attack and time of the day.

Does the company satisfy the requirements of the time-based model of security? Why or why not? )

Suppose the company decides to invest $10 K to minimize eventual attacks and threats, and will have the three options. Which one would you recommend and why?

Increase the estimated time to penetrate the system by 2 minutes.

Reduce the time to detect an attack to between 5 minutes (best case) and 12 minutes (worst case).

Reduce the time required to implement corrective actions to between 4 minutes (best case) and 13 minutes (worst case).