XYZ organization has three information assets to evaluate for risk management purposes as provided below$).$

$1.$

I. Switch L$47$ connects a network to the Internet. It has an impact rating of $90$ and has no current controls in place. There is a $75$ percent certainty of the assumptions and data. This switch has two vulnerabilities:

A$.$ Susceptibility to hardware failure, with a likelihood of $0\mathrm{.}2,$

B$.$ Susceptibility to an SNMP buffer overflow attack, with a likelihood of $0\mathrm{.}1.$

II$.$ Server WebSrv$6$ hosts a company Web site and performs e$-$commerce transactions. It has Web server software that is vulnerable to attack via invalid Unicode values. The likelihood of such an attack is estimated at $0\mathrm{.}1.$ The server has been assigned an impact value of $100,$ and a control has been implemented that reduces the impact of the vulnerability by $75$ percent. There is an $80$ percent certainty of the assumptions and data.

III. Operators use MGMT$45$ control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is $0\mathrm{.}1.$ There are no controls in place on this asset, which has an impact rating of $5.$ There is a $90$ percent certainty of the assumptions and data.

Question $1.$A: Which vulnerability should be evaluated for additional controls first? $[2\mathrm{.}5$ points$]$

Question $1.$B: Which vulnerability should be evaluated last? $[2\mathrm{.}5$ points$]$

Question $2(5$ points$)$:

ABC software company has asset value of $$1,2000,000$ in projected revenues. The major threat categories faced by it for new applications development in $2020$ are provided in Table $1.$ Calculate the ALE for each threat category listed.

Table $1$

Question # Threat categories Cost per Incident Frequency of Occurrence ALE

$2.$a Programmer Mistakes $$50001$ per week $?$

$2.$Table $2$

Question #

Threat categories

Cost per Incident

Frequency of Occurrence

Cost of controls

Type of control

CBA

Are controls worth the cost?

$3.$a

Programmer Mistakes

$$5000$

$1$ per month

$$20,000$

Training

$?$

Yes or No$?$

$3.$b

Loss of Intellectual Property

$$75,000$

$1$ per $2$ years

$$15,000$

Firewall$/$IDS

$?$

Yes or No$?$

$3.$c

Theft of Information $($Employee$)$

$$5000$

$1$ per year

$$15,000$

Physical Security

$?$

Yes or No$?$

$3.$d

Web Defacement

$$500$

$1$ per quarter

$$10,000$

Firewall

$?$

Yes or No$?$

$3.$e

Denial$-$of$-$Service Attack

$$2500$

$1$ per $6$ months

$$10,000$

Firewall

$?$

Yes or No$?$

$1$ point each for $3.$a$,3.$b$,3.$c$,3.$d and $3.$e$.$