Q. As per Exercise 5 on page 168: assume a year has passed and XYZ has improved security by applying a number of controls. Using the information from Exercise 3 and the table on page 168, compute the post-control ARO and ALE for each threat category listed.
Then answer the subsequent question: explain why some values have changed in the columns Cost per Incident and Frequency of Occurrence. Explain how a control could affect one, but not the other.
You need to assume that the values in the Cost of Control column presented in the table for Exercise 5 are those unique costs directly associated with protecting against that threat. In other words, don’t worry about overlapping costs among controls. Compute the CBA for the planned risk control for each threat category. For each threat category, find out if the proposed control is worth the costs.
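The calculation the exercise asks for, as an added example that is not part of the original question or its textbook. It assumes the standard formulas ALE = cost per incident × ARO and CBA = ALE(pre-control) − ALE(post-control) − annual cost of control; the threat categories and all figures in `ROWS` are constructed placeholders, not values from the table on page 168.

```python
import re

# Periods per year for the units a "Frequency of Occurrence" column typically uses.
PERIODS_PER_YEAR = {"day": 365, "week": 52, "month": 12, "quarter": 4, "year": 1}
_FREQ = re.compile(r"(\d+(?:\.\d+)?)\s+per\s+(?:(\d+)\s+)?(day|week|month|quarter|year)s?")

def aro(frequency):
    """Annualized rate of occurrence from text like '1 per week' or '1 per 10 years'."""
    m = _FREQ.fullmatch(frequency.strip().lower())
    if not m:
        raise ValueError(f"unrecognized frequency: {frequency!r}")
    count, span, unit = float(m.group(1)), int(m.group(2) or 1), m.group(3)
    if span == 0:
        raise ValueError("frequency period must be non-zero")
    return count * PERIODS_PER_YEAR[unit] / span

def ale(cost_per_incident, frequency):
    """Annualized loss expectancy: cost of one incident times incidents per year."""
    return cost_per_incident * aro(frequency)

def cba(pre, post, cost_of_control):
    """pre and post are (cost per incident, frequency) pairs; positive means worth it."""
    return ale(*pre) - ale(*post) - cost_of_control

# Constructed sample rows: (category, pre-control, post-control, annual cost of control).
ROWS = [
    # Frequency drops, cost per incident unchanged.
    ("Category A", (5_000, "1 per week"), (5_000, "1 per month"), 20_000),
    # Cost per incident drops, frequency unchanged.
    ("Category B", (500_000, "1 per 10 years"), (250_000, "1 per 10 years"), 30_000),
]

def analyze(rows):
    """Return one result per threat category with post-control ARO, ALE and CBA."""
    out = []
    for name, pre, post, control_cost in rows:
        benefit = cba(pre, post, control_cost)
        out.append({"category": name, "post_aro": aro(post[1]),
                    "post_ale": ale(*post), "cba": benefit,
                    "worth_it": benefit > 0})
    return out

if __name__ == "__main__":
    for r in analyze(ROWS):
        print(f"{r['category']}: ARO={r['post_aro']:g} ALE={r['post_ale']:,.0f} "
              f"CBA={r['cba']:,.0f} worth_it={r['worth_it']}")
```
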