I. Scenario
Part 1: Risk Control and Cost Benefit Analysis (CLO2):
You are the new information security consultant company for the XYZ Group, a medium-sized software development company. Before hiring you, the company had been plagued with security incidents that are listed below. Management has asked you to help assess the risk and conduct a cost/benefit analysis of proposed solutions.
• Incident #1: Two years ago, plans for a new product were leaked onto the Internet, and as a result a competitor was able to produce a rival version of the software and get it to market first. XYZ estimates that sales of that software, which were expected to be at $1 million annually, were reduced by 50% due to the information leakage. Next year, the company is planning to introduce a new software that will be a major upgrade to the previous model. It should regain the company’s market share in that product line. The cost for averting a similar information leak for the new product is not yet known, but training the staff, which would cost about $50,000 per year, is expected to reduce the risk by half.
• Incident #2: This year, the company had a virus attack that took half of their customer support help desk offline for two days. Contracts fulfilled using the system are worth $10,000 every day. A similar virus attack is expected to happen every year. Upgrading the antivirus would cost $20,000 in licensing annually.
• Incident #3: Last year’s wildfire in the surrounding hills closed access to the business for two days. Wildfires happen every year. Additionally, the area is in an earthquake fault zone. An earthquake of enough magnitude to severely disrupt operations for several months happens about once every 10 years.
Answer the following questions as part of your analysis:
• With regards to Incident #1, the information leakage event, would training the staff be a cost-effective measure to mitigate future incidents?
• With regards to Incident #2, the virus attack, would purchasing the antivirus license be a cost-effective solution?
• With regards to Incident #3, which scenario (earthquakes or wildfires) should management devote more of its resources towards mitigating? What would be an appropriate risk response?
Part 2: Threat Assessment and Countermeasures (CLO1,3):
Management of the XYZ Group attended a seminar and came back with a list of threat agents who could possibly harm the network. These are:
• The inept user
• The malicious hacker
• The corporate spy
Management is wondering if any of these might have played a role in the previous information leakage incident that has so far cost the company $500,000 in lost sales annually.
Answer the following questions as part of your analysis:
• Which of the three threat agents might have played a role in the information leakage incident?
• What possible threat agent actions occurred during the information leakage incident?
• How do you think the product plans were stolen? What do you think were the possible avenues of attack?
• What recommendations would you make to mitigate this risk for the upcoming product?