Risk Assessment
Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the following table, calculate the ARO and ALE for each threat category the company faces for this project. The first one is done for you.
| Threat Category | Cost per incident (SLE) | Frequency of occurrence | ARO | ALE |
|---|---|---|---|---|
| Programmer mistakes | $5,000 | 1 per week | 52.0 | $260,000 |
| Loss of intellectual property | $75,000 | 1 per year | | |
| Software piracy | $500 | 1 per week | | |
| Theft of information (hacker) | $2,500 | 1 per quarter | | |
| Theft of information (employee) | $5,000 | 1 per 6 months | | |
| Web defacement | $500 | 1 per month | | |
| Theft of equipment | $5,000 | 1 per year | | |
| Viruses, worms, Trojan horses | $1,500 | 1 per week | | |
| Denial-of-service attacks | $2,500 | 1 per quarter | | |
| Earthquake | $250,000 | 1 per 20 years | | |
| Flood | $250,000 | 1 per 10 years | | |
| Fire | $500,000 | 1 per 10 years | | |

ARO – In cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis.
ALE – In cost-benefit analysis, the product of the annualized rate of occurrence and a single loss expectancy.
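
The two definitions above can be applied mechanically to the table's "Frequency of occurrence" phrasing. The following is an added example, not part of the original exercise: the function names `aro` and `ale` are hypothetical, and it assumes 52 weeks, 12 months and 4 quarters per year, which matches the completed first row. It generalizes to phrases such as "3 per 2 years" that the table does not use.

```python
import re
from fractions import Fraction

# Assumed periods per year; 52 weeks/year reproduces the table's worked row
# (1 per week -> ARO 52.0).
PERIODS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}

# Accepts "<count> per <unit>" and "<count> per <n> <unit>s",
# e.g. "1 per week", "1 per 20 years".
_FREQ = re.compile(
    r"^\s*(\d+)\s+per\s+(?:(\d+)\s+)?(week|month|quarter|year)s?\s*$", re.I
)


def aro(frequency: str) -> Fraction:
    """Annualized rate of occurrence: expected incidents per year."""
    m = _FREQ.match(frequency)
    if not m:
        raise ValueError(f"unrecognized frequency: {frequency!r}")
    count = int(m.group(1))
    span = int(m.group(2) or 1)  # number of units the count is spread over
    if span == 0:
        raise ValueError("period length must be non-zero")
    unit = m.group(3).lower()
    # Exact rational arithmetic avoids float noise for rare events
    # (for example, one incident per several years).
    return Fraction(count * PERIODS_PER_YEAR[unit], span)


def ale(sle_dollars: int, frequency: str) -> Fraction:
    """ALE = SLE x ARO, in dollars per year."""
    return sle_dollars * aro(frequency)


if __name__ == "__main__":
    # The completed row from the table: Programmer mistakes.
    rate = aro("1 per week")
    loss = ale(5000, "1 per week")
    print(f"ARO = {float(rate):.1f}, ALE = ${float(loss):,.0f}")
```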