Question

Use the table format below to record the calculations used to arrive at calibrated estimates ($) for each relevant type of loss. Use as many tables as you need.

Type of Loss             | min | ML | max | Confidence
[add rows as necessary]  |     |    |     |
Total                    |     |    |     |

Part I: Problem definition

IntelligentSolutions is an engineering company located in Jeddah, Saudi Arabia. The company provides engineering services to satisfy the needs of organizations. IntelligentSolutions provides its customers with environmentally friendly solutions such as green buildings, smart offices, etc.

Khaled, the chief risk officer (CRO), decided to update and improve reporting on the top risks facing the company. Through a series of risk identification activities, Khaled and his cyber risk team have concluded that one of the internal threats of potentially high concern to the company is malicious attacks carried out through authorised access privileges. Through malicious activities, threat actors could misuse their access to the company's information systems, which contain sensitive data.

Khaled and his team considered the various systems in the company and resolved that the largest risk exposure is associated with the Client database (C-DB). The C-DB stores sensitive information about their clients: contracts, sensitive data about client organizations, etc.

The CRO asked the cyber risk team to investigate and conduct a risk analysis.

Part II: Data Collection

The cyber risk team held meetings with teams from across the company and obtained the following information.

  • In the company archive, there are no documents about this type of breach occurring within the last 20 years.
  • There is limited knowledge of past security events and their causes because the Incident Response Team does not often perform root cause analysis on incidents.
  • The Application Security Team estimates that 300 connections are made to the C-DB each day, and the site has not experienced an unplanned outage in the last 5 years.
  • The company uses an intelligent session management tool, BeyondTrust, to monitor and record all users' actions in real time to prevent, detect, and terminate any suspicious activities. The company's security team reported that BeyondTrust predicts 80-100 malicious access activities per year.

  • Although the Security Team reported that there hasn't been a successful malicious authorized access activity against the company yet, the internal security control evaluation tool reported that in every 50 malicious access attempts, one will be successful. This means that 2% of the malicious access attempts are likely to overcome BeyondTrust's security controls.

Next, the risk team moves on to gathering data about loss magnitude in the event of a breach.

Sales Management

  • Approximately 300 clients' data are stored in the C-DB; about 150 of them are expected to be active.
  • The company generates roughly $850,000 in revenue each year, with an average customer value of $8,000.

Incident Response

  • In the event of a breach, a team of 6-9 people would be deployed for 6-12 hours at an hourly wage of $200/hr.
  • Industry data shows that companies typically do not discover data breaches for months after the event. Given this, IntelligentSolutions would likely continue to operate the business during the investigation.
  • In the event of a data breach, a third-party forensic team would be hired to investigate how much data was stolen and how it was taken. Investigations of this scale cost an average of $400,000.
  • After the breach, a training and awareness session has to be given to employees. Usually, an external security consultant provides a one-day session that costs about $1,500.
  • After the incident, notifying impacted clients will cost around $50 per customer. Notified customers are expected to contact the call center to demand more information about the breach, and each call costs about $3.
  • After the incident, notifying the regulator will cost around $5,000 for the whole incident.

Regulatory Compliance

  • Industry data shows that over the past 5 years, fines related to a breach of this kind have ranged from $300,000 to $700,000.

Industry data shows that courts and regulators have rarely held companies accountable for fraudulent credit card charges that occur after a data breach.
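The loss figures above worked through as a calibrated estimate table, as an added example that is not part of the original question or of any posted answer: it records each loss type as (min, ML, max) per successful malicious-access event, sums the columns, derives loss-event frequency from the BeyondTrust attempt forecast and the 2% control-failure rate, and Monte-Carlo-simulates an annualised loss. Assumptions the case does not state: ML is taken as the midpoint of a range, the notified-customer count runs from the 150 active clients to all 300 in the C-DB, every notified customer calls once, and lost-customer revenue is left out because no churn figure is given.

```python
"""Calibrated (min, ML, max) loss per successful malicious-access event, built
from the case figures; where only a range is given, the midpoint is ASSUMED as ML."""
import random

HOURLY_WAGE, RESPONDERS, RESPONSE_HOURS = 200, (6, 9), (6, 12)
FORENSICS, TRAINING, REGULATOR_NOTICE = 400_000, 1_500, 5_000
NOTIFY_PER_CUSTOMER, CALL_PER_CUSTOMER = 50, 3
CUSTOMERS = (150, 300)           # assumption: 150 active .. all 300 clients in the C-DB
FINE_RANGE = (300_000, 700_000)
TEF_PER_YEAR = (80, 100)         # malicious access attempts BeyondTrust predicts
VULNERABILITY = 1 / 50           # 1 in 50 attempts defeats the controls (2%)

def estimate(lo, hi):
    """(min, ML, max) with ML = midpoint; collapses to a point value when lo == hi."""
    return (lo, (lo + hi) / 2, hi)

def loss_table():
    """Per-event loss by type, in the 'Type of Loss | min | ML | max' format."""
    return {
        "Incident response labour": estimate(
            RESPONDERS[0] * RESPONSE_HOURS[0] * HOURLY_WAGE,
            RESPONDERS[1] * RESPONSE_HOURS[1] * HOURLY_WAGE),
        "Forensic investigation": estimate(FORENSICS, FORENSICS),
        "Awareness training": estimate(TRAINING, TRAINING),
        "Customer notification": estimate(*(n * NOTIFY_PER_CUSTOMER for n in CUSTOMERS)),
        "Call-centre follow-up": estimate(*(n * CALL_PER_CUSTOMER for n in CUSTOMERS)),
        "Regulator notification": estimate(REGULATOR_NOTICE, REGULATOR_NOTICE),
        "Regulatory fine": estimate(*FINE_RANGE),
    }

def totals(table):
    """Column-wise sum: total (min, ML, max) loss for one event."""
    return tuple(sum(row[i] for row in table.values()) for i in range(3))

def loss_event_frequency():
    """Successful events per year = threat event frequency x vulnerability."""
    return tuple(tef * VULNERABILITY for tef in TEF_PER_YEAR)

def simulate_annual_loss(trials=20_000, seed=1):
    """Monte Carlo annualised loss: LEF drawn uniformly from its range, each loss
    type from triangular(min, ML, max); returns the mean over all trials."""
    rng, table = random.Random(seed), loss_table()
    lef_lo, lef_hi = loss_event_frequency()
    total = 0.0
    for _ in range(trials):
        per_event = sum(rng.triangular(lo, hi, ml) for lo, ml, hi in table.values())
        total += rng.uniform(lef_lo, lef_hi) * per_event
    return total / trials
```

With these inputs the per-event total comes to roughly $0.72M / $0.93M / $1.14M (min / ML / max) and the loss-event frequency to 1.6-2.0 events per year, so the simulated mean annual loss sits near $1.68M; the regulatory fine and the forensic investigation dominate, and the response-labour and notification figures barely move the total.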
