Information assets are constantly being attacked, and information security has become a high priority for organizations. The big question that many organizations are asking is how much security do they need? In short, organizations are struggling to find the right financial resources to invest in cybersecurity. What is the right investment for cybersecurity? Is more necessarily better when it involves protecting digital assets? Overinvesting in cybersecurity will reduce revenue and create unhappy shareholders, and underinvesting can have negative effects on the organization. In this assignment, you will evaluate risk and use financial tools to invest in security solutions. You will use several financial formulas.
You will work through four mini-scenarios that consist of financial investing and risk identification.
Scenario 1: Return on Investment (ROI)
ROI is used to decide where to invest financial assets. The finance group of a company may use ROI to decide whether to fund project A or project B. The formula for calculating ROI is given below.
ArmCPU company manufactures memory chips. The company wants to expand production to a faster memory chip which will cost $2M. This new chip is expected to bring $6M over the next 3 years. What is the ROI? Use approximately 100 words to explain your answer.
Scenario 2: Return on Security Investment (ROSI)
Security investment is a little more complex. There are no tangible gains in investment directed at information security. The return is measured on risk avoidance. The formula for calculating ROSI is given below.
ArmCPU has been attacked by the BAD-VIRUS before. The damage resulting from the BAD-VIRUS in 2022 was $68,000 for all occurrences and all users. Implementing an anti-virus solution was $32,000 for all its users. The anti-virus solution worked 75% of the time on BAD-VIRUS.
Identify the following from the data given:
What is the risk exposure?
What is the percentage of risk mitigated?
How much did the solution cost?
Compute the ROSI.
Do you think that an anti-virus solution is worth the investment? Use approximately 150 words to explain your answer.
Scenario 3: Quantifying Risk Exposure
Before looking at an equation to calculate risk exposure (RE) on an annual basis (ALE), please note that the equation for risk exposure uses two variables: single lost exposure (SLE) and annual rate of occurrence (ARO). ALE is the product of these two variables. The equation for ALE is given below.
Suppose the ARO is 0.5 (once in 2 years), and the SLE is $12,500. Compute the ALE. Use approximately 50 words to explain what this value means.
Scenario 4: Complex Problem Using ALE
Definition of vulnerability, threat, and risk of problem 4:
Vulnerability: No backup
Threat: A server failure
Risk: Data Loss
What is the asset in this problem?
Suppose the asset is worth $48,000. The single lost expectancy (SLE) is computed by multiplying the actual value by the exposure factor.
In this case, the SLE = Actual Value (AV) X Exposure Factor (EF). The exposure factor is the loss that can occur as a result of the threat. For problem 4, you are going to assume that the SLE is $10,000.
What is EF?
You are going to keep the ARO (the frequency of the threat every year) as .5, assuming that the server crashes once every 2 years.
Compute the ALE. Remember
Generally, the equation below is used to decide whether to implement a particular mitigation strategy.
Mitigation investment (M1) = ALE1 (before the mitigation investment) – ALE2 (after the mitigation investment) – Total cost of implementing the mitigation strategy (TC).
Suppose the cost of completing and maintaining a backup for the server is $500, and the ALE2 is $1100. What should be the allowable investment for this security risk? Use approximately 200 words to explain your answer.