Question
You are a business analyst participating in the risk assessment process for your business. Senior
management has devised the following Weighted Factor Analysis policy for the valuations of all
assets within the risk assessment process:

| Information Asset | Impact to Revenue | Impact to Public Image | Weighted Score |
|-------------------|-------------------|------------------------|----------------|
| Criterion Weight  | 75                | 25                     | 100            |

Additionally, your business uses a combination of quantitative and qualitative risk data points to
describe impact. The mappings between the qualitative labels and their quantitative settings are
as follows:

| Label     | Setting |
|-----------|---------|
| Very high | 100%    |
| High      | 80%     |
| Moderate  | 65%     |
| Medium    | 50%     |
| Low       | 35%     |
| Very Low  | 20%     |

As part of an overall risk assessment process, you are asked to assess risk in relation to two information assets. These assets have been identified by you as follows:

An Electronic Data Interchange Logistics outbound (to supplier) data set. You have assessed that this document has a high impact on revenues earned by your business, and a medium business impact on the public image of your business. The most likely attack against this data set is insider abuse, and this is estimated to be 35% probable. The current controls in place to counter this attack are estimated to be 45% effective. You are 95% certain of your assumptions and data.

A web server for the business organization is hosted by the organization's ISP. This server performs e-commerce transactions that have very high impact on revenues, and a very high impact on the public image of your business. The web server can be attacked by sending it invalid HTTP values. The likelihood of a single attack is estimated to be 0.25. A control has been implemented that reduces the impact of the vulnerability by 15%. You are 80% certain of your assumptions and data.

a) Explain how you would calculate the asset valuations in the example above. Your answer should clearly explain all valuation criteria involved in the valuation. (4%)

b) Calculate the relative risk for each of the two assets using the formula (3) from the presentation (Risk = likelihood * asset_value - % controlled + % uncertain). Which asset would you recommend for further security? You must show all working, and concisely list any assumptions you need to make. (6%)
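The calculation the question asks for can be carried through in code. The following is an added example, not part of the original question or its approved answer. It assumes the criterion weights are 75 for revenue and 25 for public image, that "% controlled" and "% uncertain" are taken as fractions of the likelihood * asset_value product, and that the web server's 15% control counts as its "% controlled"; all function and variable names are hypothetical.

```python
# Added example: figures come from the question text; names are hypothetical.
IMPACT = {"very high": 1.00, "high": 0.80, "moderate": 0.65,
          "medium": 0.50, "low": 0.35, "very low": 0.20}
# Assumption: criterion weights as read from the policy table (sum to 100).
WEIGHTS = {"revenue": 75, "public_image": 25}

def asset_value(ratings):
    """Weighted Factor Analysis score (0-100) from qualitative ratings."""
    missing = set(WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"no rating for criteria: {sorted(missing)}")
    return sum(WEIGHTS[c] * IMPACT[ratings[c].lower()] for c in WEIGHTS)

def relative_risk(likelihood, value, controlled, certainty):
    """Risk = L*V - (L*V * % controlled) + (L*V * % uncertain).

    Assumption: both percentages scale the L*V product, and
    % uncertain = 1 - certainty.
    """
    for name, p in (("likelihood", likelihood), ("controlled", controlled),
                    ("certainty", certainty)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must be a fraction between 0 and 1")
    base = likelihood * value
    return base - base * controlled + base * (1.0 - certainty)

# The two assets exactly as described in the question.
ASSETS = [
    {"name": "EDI outbound data set",
     "ratings": {"revenue": "High", "public_image": "Medium"},
     "likelihood": 0.35, "controlled": 0.45, "certainty": 0.95},
    {"name": "Web server",
     "ratings": {"revenue": "Very high", "public_image": "Very high"},
     "likelihood": 0.25, "controlled": 0.15, "certainty": 0.80},
]

def rank(assets):
    """Return (name, asset value, risk) tuples, highest risk first."""
    rows = []
    for a in assets:
        value = asset_value(a["ratings"])
        risk = relative_risk(a["likelihood"], value,
                             a["controlled"], a["certainty"])
        rows.append((a["name"], round(value, 3), round(risk, 3)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for name, value, risk in rank(ASSETS):
        print(f"{name:24s} value={value:6.2f} risk={risk:6.3f}")
```

Under these assumptions the web server ranks higher: its weaker control and larger uncertainty outweigh the data set's higher attack likelihood.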