Module 9
Introduction
Organizations must consider the economic feasibility of implementing
information security controls and safeguards. While a number of alternatives
for solving a problem may exist, they may not all have the same economic
COURSE MODULE
Topic
Cost-benefit analysis (CBA), also called an economic feasibility study, refers to the formal decision-making process for determining whether the benefit of a control or safeguard justifies its cost.
Some of the items that affect the cost of a control or safeguard include the
following:
Once an organization has estimated the worth of various assets, it can begin
to examine the potential loss that could occur from the exploitation of a
vulnerability or a threat occurrence. This process results in the estimate of
potential loss per risk. The questions that must be asked here include:
What damage could occur, and what financial impact would it
have?
What would it cost to recover from the attack, in addition to the
financial impact of damage?
What is the single loss expectancy for each risk?
A single loss expectancy (SLE) is the calculated value of the most likely loss from a single attack. It is based on the value of the asset (AV) and the exposure factor (EF), the expected percentage of the asset's value that would be lost in one occurrence of a particular attack, as follows:
SLE = AV x EF
where EF equals the percentage loss that would occur from a given vulnerability
being exploited.
For example, if a Web site has an estimated value of $1,000,000 (value determined by asset valuation), and a deliberate act of sabotage or vandalism (hacker defacement) scenario indicates that 10 percent of the Web site's value would be lost after such an attack, then the SLE for this Web site would be $1,000,000 x 0.10 = $100,000. This estimate is then used to calculate another value, the annualized loss expectancy (ALE), which is discussed next.
Once each asset's worth is known, the next step is to determine how much loss is expected from a single attack (the SLE) and how often such attacks are expected to occur in a year, the annualized rate of occurrence (ARO). Once those values are established, the overall loss potential per risk can be determined. This is usually expressed as the annualized loss expectancy (ALE), which is calculated from the SLE and the ARO as shown here:
ALE = SLE x ARO
The Cost Benefit Analysis (CBA) Formula
In its simplest definition, CBA (or economic feasibility) determines whether or not a particular control is worth its cost. A CBA may be calculated before a control or safeguard is implemented, to decide whether it is worth implementing, or after the control has been functioning for a time; observation over time adds precision to the evaluation of the safeguard's benefits and to the determination of whether the safeguard is functioning as intended. While many techniques exist, the CBA is most easily calculated using the ALE from earlier assessments made before the implementation of the proposed control, known as ALE(prior). Subtract the revised ALE, estimated with the control in place, known as ALE(post). Complete the calculation by subtracting the annualized cost of the safeguard (ACS):
CBA = ALE(prior) - ALE(post) - ACS
A positive CBA means the control avoids more expected annual loss than it costs; a zero or negative result means the control is not economically justified on these figures alone.
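The SLE, ALE and CBA formulas above, carried through as a worked calculation. This is an added example, not code from the course module. The Web site value ($1,000,000) and exposure factor (0.10) are taken from the module's example; the ARO (one defacement every two years), the two candidate controls, their effect on EF and ARO after implementation, and their annualized costs (ACS) are constructed assumptions chosen to make the arithmetic clear. The example goes slightly beyond the text by ranking several candidate controls by CBA and flagging any whose cost exceeds the loss it avoids.

```python
"""Worked SLE / ALE / CBA calculation (added example, not the module's own code).

Asset value and exposure factor follow the module's Web site defacement
example. The ARO, the candidate controls, their post-implementation EF/ARO
and their annualized costs (ACS) are constructed assumptions.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value (AV) x exposure factor (EF).

    EF is the fraction of the asset's value lost in one occurrence, so it
    must lie between 0 and 1; anything else is a data-entry error.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError(f"EF must be in [0, 1], got {exposure_factor}")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(years_between_events: float) -> float:
    """ARO from a mean interval: one event every N years -> 1/N events per year."""
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS, the module's formula."""
    return ale_prior - ale_post - acs


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the risk parameters expected once it is in place."""
    name: str
    ef_post: float   # exposure factor after the control is deployed
    aro_post: float  # annualized rate of occurrence after the control is deployed
    acs: float       # annualized cost of the safeguard


@dataclass(frozen=True)
class Evaluation:
    name: str
    ale_prior: float
    ale_post: float
    cba: float

    @property
    def worthwhile(self) -> bool:
        # A control that costs more than the loss it avoids has a negative CBA.
        return self.cba > 0


def evaluate_controls(asset_value, ef_prior, aro_prior, controls):
    """Rank candidate controls by CBA, highest first, using the module's formulas."""
    ale_prior = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_prior), aro_prior)
    results = []
    for c in controls:
        ale_post = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, c.ef_post), c.aro_post)
        results.append(Evaluation(c.name, ale_prior, ale_post,
                                  cost_benefit(ale_prior, ale_post, c.acs)))
    return sorted(results, key=lambda e: e.cba, reverse=True)


# Module's example: $1,000,000 Web site, defacement destroys 10% -> SLE $100,000.
WEB_SITE_VALUE = 1_000_000.0
DEFACEMENT_EF = 0.10
# Constructed assumption: one defacement expected every two years -> ARO 0.5.
DEFACEMENT_ARO = annualized_rate_of_occurrence(2)

# Constructed candidate controls; names, effects and costs are hypothetical.
CANDIDATES = [
    Control("WAF + file integrity monitoring", ef_post=0.02, aro_post=0.25, acs=20_000),
    Control("Managed security service", ef_post=0.0, aro_post=0.0, acs=60_000),
]

if __name__ == "__main__":
    for ev in evaluate_controls(WEB_SITE_VALUE, DEFACEMENT_EF, DEFACEMENT_ARO, CANDIDATES):
        verdict = "implement" if ev.worthwhile else "not worth its cost"
        print(f"{ev.name}: ALE(prior)=${ev.ale_prior:,.0f} "
              f"ALE(post)=${ev.ale_post:,.0f} CBA=${ev.cba:,.0f} -> {verdict}")
```

With these assumptions ALE(prior) is $50,000. The first control leaves ALE(post) at $5,000 and costs $20,000 a year, so its CBA is $25,000 and it is worth implementing; the second eliminates the loss entirely but at $60,000 a year its CBA is -$10,000, which is the case the module warns about: a control that is effective but not economically feasible.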
Once controls are implemented, it is crucial to continue to examine their benefits
to determine when they must be upgraded, supplemented, or replaced. As
Frederick Avolio states in his article “Best Practices in Network Security”:
Prepared by:
JUDIELYN L. CUALBAR
Instructor