Task

1. For this question you are required to make at least two forum postings, arguing either for or against the quantiative method of risk assessment. You will be assessed on what you contribute to the debate in terms of quality not quantity (though your posting should at a minimum be a few sentences long). You may either create new thread or reply to a previous posting. All new threads should contain the subject line "Quantitative Debate"

2. Study Exhibits 61.1 and 61.2 from Reading 3, and answer the following questions:

(a) Explain in your own words what is meant by the terms Sweet Spot and Discretionary Area (see Exhibit 61.1)

(b) Explain the significance of a security decision that is located to the right of the Sweet Spot but outside the Discretionary Area (see Exhibit 61.1).

(c) Explain the significance of a security decision that is located to the left of the Sweet Spot but still inside the Discretionary Area (see Exhibit 61.1).

(d) Explain why you think the Defined Highest Acceptable Risk is located on the Sweet Spot, but the Defined Lowest Acceptable Risk is located to the right of the Sweet Spot (see Exhibit 61.2).

3. In Reading 7 for this subject, Ozier states that ‘The [ALE] algorithm cannot distinguish effectively between low frequency/high-impact threats (such as ‘fire') and high-frequency/low impact threats (such as ‘misuse of resources').' Explain why this is the case. Give an appropriate example to illustrate your explanation.

4. (Note: Make sure you show ALL your working for this question)

The following threat statistics have been gathered by a risk manager. Based on these, calculate the ALE for each threat.

5. (Note: Make sure you show ALL your working for this question)

Using the figures you calculated above, determine the relative ROSI (return on security investment) for each of the same threats with the following controls in place. Remember that a single control may affect more than one threat, and you need to take this into account when calculating the ROSI. Based on your calculations, which controls should be purchased?

6. Consider the data in the two tables that appear in questions 4 and 5 above. Sometimes a control may affect the cost per incident and sometimes theoccurrence frequency, and sometimes both. Why is this the case? Illustrate your answer with an example drawn from the data provided.

7. The year is 1999 and you are the risk manager for a large financial institution. You apply the Jacobson's Window model (Reading 11) to determine your company's preferred response to the impending Y2K bug. According to the model, should you accept, mitigate, or transfer the Y2K risk? Why? Do you agree with the model's recommendations? Why or why not?

8. (Note: Make sure you show ALL your working for this question)

You want to persuade management to invest in an automated patching system. You estimate the costs and benefits over the next five years as follows:

Benefits: Year 1 Year 2 Year 3 Year 4 Year 5

$2,000 $2,500 $4,000 $4,000 $4,000

Costs: Year 1 Year 2 Year 3 Year 4 Year 5

$3000 $2000 $750 $250 $250

Calculate the Net Present Value (NPV) for this investment. Assuming that management has set the Required Rate of Return at 10%, should the investment be made? Why or why not?

9. There are a number of qualitative risk assessment models that are available for use, such as FRAAP, OCTAVE, OWASP and CRAMM. Choose one of these models and briefly describe how risk assessment is conducted under this model. Describe an example situation where you could use this selected model. Give your assessment of the validity, or otherwise, of this risk assessment model.

Rationale

To demonstrate your understanding of:

• the principles of security risk management; and

• the application of risk management principles to real-world examples.