Using the formula on page 163, calculate the post-ARO, post -ALE, and CBA using the table found in exercise 5 at the end of Module 4. The pre-control numbers are from exercise 2 above. Assume the Cost per Incident is the SLE. I suggest you use an excel spreadsheet. Please note that Exercise 5 continues on page 174 where you are asked to determine if based on the CBA, the cost of the control was worth the expense.

Formula on page 163: CBA = ALE(pre-control) - ALE(post-control) - ACS

The table found in exercise 5 is attached below.

Pre-control numbers from exercise 2: Programmer mistakes: ARO: 52, ALE = 5,000*52 = 260,000 Loss of Intellectual Property: ARO = 1, ALE = 75,000 * 1 = 75,000 Software Piracy: ARO = 52, ALE = 500 * 52 = 26,000 Theft of information (hacker): ARO = 4, ALE = 2500 * 4 = 10,000 Theft of information (employee): ARO: 2, ALE = 5000* 2 = 10,000 Web defacement: ARO = 12, ALE = 500 * 12 = 6,000 Theft of equipment: ARO = 1, ALE = 5000 * 1 = 5,000 Viruses, worms, Trojan horses: ARO = 52, ALE = 1500 * 52 = 78,000 Denial-of-service attacks: ARO = 4, ALE = 2500 * 4 = 10,000 Earthquake: ARO = 0.05, ALE: 250,000 * 0.05 = 12,500 Flood: ARO = 0.1, ALE = 250,000 * 0.1 = 25,000 Fire: ARO = 0.1, ALE: 500,000 * 0.1 = 50,000

XYZ Software Company (Asset value: $1,200,000 in projected revenues) \begin{tabular}{l|l|l|l|l} \hline Threat Category & CostperIncident & FrequencyofOccurrence & CostofControls & TypeofControlTraining \\ \hline Programmer mistakes & $5,000 & 1 per month & $20,000 & Firewall/IDS \\ \hline Loss of intellectual property & $75,000 & 1 per 2 years & $15,000 & Firewall/IDS \\ \hline Software piracy & $500 & 1 per month & $30,000 & Firewall/IDS \\ \hline Theft of information (hacker) & $2,500 & 1 per 6 months & $15,000 & Physical security \\ \hline Theft of information (employee) & $5,000 & 1 per year & $15,000 & Firewall \\ \hline Web defacement & $500 & 1 per quarter & $10,000 & Physical security \\ \hline Theft of equipment & $5,000 & 1 per 2 years & $15,000 & Antivirus \\ \hline Viruses, worms, Trojan horses & $1,500 & 1 per month & $15,000 & Firewall \\ \hline Denial-of-service attack & $2,500 & 1 per 6 months & $10,000 & Insurance/backups \\ \hline Earthquake & $250,000 & 1 per 20 years & $5,000 & Insurance/backups \\ \hline Flood & $50,000 & 1 per 10 years & $10,000 & Insurance/backups \end{tabular} XYZ Software Company (Asset value: $1,200,000 in projected revenues) \begin{tabular}{l|l|l|l|l} \hline Threat Category & CostperIncident & FrequencyofOccurrence & CostofControls & TypeofControlTraining \\ \hline Programmer mistakes & $5,000 & 1 per month & $20,000 & Firewall/IDS \\ \hline Loss of intellectual property & $75,000 & 1 per 2 years & $15,000 & Firewall/IDS \\ \hline Software piracy & $500 & 1 per month & $30,000 & Firewall/IDS \\ \hline Theft of information (hacker) & $2,500 & 1 per 6 months & $15,000 & Physical security \\ \hline Theft of information (employee) & $5,000 & 1 per year & $15,000 & Firewall \\ \hline Web defacement & $500 & 1 per quarter & $10,000 & Physical security \\ \hline Theft of equipment & $5,000 & 1 per 2 years & $15,000 & Antivirus \\ \hline Viruses, worms, Trojan horses & $1,500 & 1 per month & $15,000 & Firewall \\ \hline Denial-of-service attack & $2,500 & 1 per 6 months & $10,000 & Insurance/backups \\ \hline Earthquake & $250,000 & 1 per 20 years & $5,000 & Insurance/backups \\ \hline Flood & $50,000 & 1 per 10 years & $10,000 & Insurance/backups \end{tabular}