
Risk Analysis - 2

First some review:
Heuristics (based on metrics, benchmarks, industry statistics, etc.) are used to determine the annual cost of identified risks

This is called the Annualized Loss Expectancy

Following is the formula for ALE:

Calculating the expected value of a loss:

ALE = SLE * ARO

ALE := Annualized Loss Expectancy
SLE := Single Loss Expectancy, the value associated with the most likely loss from a single attack or incident
SLE = AV * EF
ARO := Annualized Rate of Occurrence, the annual probability of occurrence (expected number of incidents per year)
AV := Asset Value
EF := Exposure Factor, the percentage of the asset value lost when a given vulnerability is exploited

A simple example:

The cost per incident of a flood at the data center is estimated at \$40,000 (downtime, recovery of systems, examination of info loss, sump pumps, etc.)

A major flood occurs once every five years on average

The ARO is 0.2 (0.2 times per year)

The ALE is \$8,000!

The Cost Benefit Analysis Formula:

CBA determines whether or not the control alternative being evaluated is worth the associated cost.

CBA is calculated using the ALE

CBA = ALE(prior) – ALE(post) – ACS

ALE(prior) is the annualized loss expectancy of the risk before the implementation of the control.

ALE(post) is the ALE examined after the control has been in place for a period of time.

ACS is the annual cost of the safeguard.

A simple example:

Given the example above ...

Landscaping outside the Data Center will reduce the occurrence of a major flood event to once every 10 years

The landscaping costs \$10,000 as a one-time expense, but it protects for 10 years, so the annual cost of the safeguard (ACS) is \$1,000

Is it worth it?

ARO (post) = 0.1

ALE (post) = \$4,000

CBA = \$8,000 - \$4,000 - \$1,000

CBA = \$3,000

YES: the control saves \$3,000 per year!
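The ALE and CBA formulas above, carried through in code on the flood example. This is an added example, not from the slides; the Risk and Control classes, the amortization of a one-time safeguard cost over its lifetime, and the second "flood barrier" alternative are my assumptions, and the ranking of several candidate controls goes beyond what the slides show.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One identified risk, described with the quantities the slides define."""
    name: str
    asset_value: float      # AV: value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost per incident (0.0 to 1.0)
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the residual risk it leaves behind (assumed model)."""
    name: str
    one_time_cost: float
    lifetime_years: float   # the one-time cost is spread evenly over this many years
    residual: Risk          # the same risk, re-estimated with the control in place

    def acs(self) -> float:
        """Annual Cost of the Safeguard: one-time cost amortized over its lifetime."""
        return self.one_time_cost / self.lifetime_years


def cba(prior: Risk, control: Control) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    return prior.ale() - control.residual.ale() - control.acs()


def rank_controls(prior: Risk, controls: list[Control]) -> list[tuple[str, float]]:
    """Order candidate controls by CBA, best first, keeping only those with CBA > 0."""
    scored = [(c.name, cba(prior, c)) for c in controls]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


# The slides' flood example: $40,000 per incident, once every five years.
# Modelled with AV = $40,000 and EF = 1.0 so that SLE comes out to $40,000.
FLOOD = Risk("data center flood", asset_value=40_000, exposure_factor=1.0, aro=0.2)
LANDSCAPING = Control("landscaping", one_time_cost=10_000, lifetime_years=10,
                      residual=Risk("flood after landscaping", 40_000, 1.0, 0.1))
# Constructed second alternative (not from the slides) to show the ranking.
FLOOD_BARRIER = Control("flood barrier", one_time_cost=50_000, lifetime_years=10,
                        residual=Risk("flood after barrier", 40_000, 1.0, 0.05))

if __name__ == "__main__":
    print(f"ALE(prior) = ${FLOOD.ale():,.0f}")           # $8,000
    print(f"CBA(landscaping) = ${cba(FLOOD, LANDSCAPING):,.0f}")  # $3,000
    for name, value in rank_controls(FLOOD, [FLOOD_BARRIER, LANDSCAPING]):
        print(f"{name}: ${value:,.0f} per year")
```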

Now for an exercise:

Please do this in PAIRS.

This page is maintained and made available for educational use by Dr. Gerry Santoro, gms@psu.edu