
COURSE CODE: IT311 – Information Assurance and Security
Module 9

Week 9: October 12-18 -14, 2020 | 1st Semester, S.Y. 2020-2021

Introduction
Organizations must consider the economic feasibility of implementing information security controls and safeguards. While a number of alternatives for solving a problem may exist, they may not all have the same economic feasibility. Most organizations can spend only a reasonable amount of time and money on information security, and the definition of reasonable differs from organization to organization and even from manager to manager. Organizations are urged to begin the cost benefit analysis by evaluating the worth of the information assets to be protected and the loss in value if those information assets were compromised by the exploitation of a specific vulnerability. It is only common sense that an organization should not spend more to protect an asset than the asset is worth.

Intended Learning Outcomes

• Identify risks associated with disasters and disruptions and specify key mitigation strategies.

Topic
Cost benefit analysis (CBA), also called an economic feasibility study, is the formal decision-making process used to determine whether a proposed control or safeguard is worth its cost.

Some of the items that affect the cost of a control or safeguard include the following:

• Cost of development or acquisition (purchase cost) of hardware, software, and services
• Training fees (cost to train personnel)
• Cost of implementation (cost to install, configure, and test hardware, software, and services)
• Service costs (vendor fees for maintenance and upgrades)
• Cost of maintenance (labor expense to verify and continually test, maintain, and update)
Benefit is the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability.

Asset valuation is the process of assigning financial value or worth to each information asset. The valuation of assets involves estimation of the real and perceived costs associated with design, development, installation, maintenance, protection, recovery, and defense against loss and litigation. Where these estimates differ, the higher value is the more appropriate one to use in most cases.

Once an organization has estimated the worth of various assets, it can begin to examine the potential loss that could occur from the exploitation of a vulnerability or a threat occurrence. This process results in the estimate of potential loss per risk. The questions that must be asked here include:

• What damage could occur, and what financial impact would it have?
• What would it cost to recover from the attack, in addition to the financial impact of damage?
• What is the single loss expectancy for each risk?
A single loss expectancy (SLE) is the calculation of the value associated with the most likely loss from an attack. It is a calculation based on the value of the asset and the exposure factor (EF), which is the expected percentage of loss that would occur from a particular attack, as follows:

SLE = asset value x exposure factor (EF)

where EF equals the percentage loss that would occur from a given vulnerability being exploited.

For example, if a Web site has an estimated value of $1,000,000 (value determined by asset valuation), and a deliberate act of sabotage or vandalism (hacker defacement) scenario indicates that 10 percent of the Web site would be damaged or destroyed after such an attack, then the SLE for this Web site would be $1,000,000 x 0.10 = $100,000. This estimate is then used to calculate another value, the annualized loss expectancy (ALE), which will be discussed shortly.

As difficult as it is to estimate the value of information, estimating the probability of a threat occurrence or attack is even more difficult. There are not always tables, books, or records that indicate the frequency or probability of a given attack. Sources do exist for some asset-threat pairs: for instance, the likelihood of a tornado or thunderstorm destroying a building of a specific type of construction within a specified region of the country is available to insurance underwriters. In most cases, however, an organization can rely only on its own internal information to estimate the likelihood of attacks on its information assets, and even if the network, systems, and security administrators have been actively and accurately tracking these occurrences, that information is sketchy at best. As a result, the probability is usually estimated and recorded in a loosely derived table giving the likelihood of an attack from each threat type within a given time frame (for example, once every 10 years). This value is commonly referred to as the annualized rate of occurrence (ARO): simply how often you expect a specific type of attack to occur, expressed per year. As you learned earlier in this chapter, many attacks occur much more frequently than every year or two. For example, a successful deliberate act of sabotage or vandalism might occur about once every two years, in which case the ARO would be 50 percent (0.50), whereas some kinds of network attacks can occur multiple times per second. To standardize calculations, you convert whatever rate you have to a yearly (annualized) value; this is the figure used as the probability of a threat occurrence in the loss calculations that follow. Note that when an attack recurs within a single year the ARO exceeds 1.0 and is a count of expected events per year rather than a percentage.

Once each asset's worth is known, the next step is to ascertain how much loss is expected from a single expected attack, and how often these attacks occur. Once those values are established, the equation can be completed to determine the overall loss potential per risk. This is usually determined through an annualized loss expectancy (ALE), which is calculated from the ARO and SLE, as shown here:

ALE = SLE x ARO


Using the example of the Web site that might suffer a deliberate act of sabotage or vandalism, and thus has an SLE of $100,000 and an ARO of 0.50, the ALE would be calculated as follows:

ALE = $100,000 x 0.50
ALE = $50,000

This indicates that unless the organization increases the level of security on its Web site, it can expect to lose, on average, $50,000 per year. Armed with such a figure, the organization's information security design team can justify expenditure for controls and safeguards and deliver a budgeted value for planning purposes. Note that noneconomic factors (for example, legal or regulatory obligations and reputational harm) are sometimes considered in this process, so that in some cases even when ALE amounts are not huge, control budgets can be justified.

The Cost Benefit Analysis (CBA) Formula
In its simplest definition, CBA (or economic feasibility) determines whether or not a particular control is worth its cost. CBAs may be calculated before a control or safeguard is implemented to determine if the control is worth implementing. CBAs can also be calculated after controls have been functioning for a time. Observation over time adds precision to the evaluation of the benefits of the safeguard and the determination of whether the safeguard is functioning as intended. While many techniques exist, the CBA is most easily calculated using the ALE from earlier assessments before the implementation of the proposed control, which is known as ALE(prior). Subtract the revised ALE, estimated based on the control being in place, known as ALE(post). Complete the calculation by subtracting the annualized cost of the safeguard (ACS), which folds the acquisition, training, implementation, service, and maintenance costs listed above into a single per-year figure:

CBA = ALE(prior) - ALE(post) - ACS

A positive CBA means the control is expected to save more each year than it costs; a negative CBA means the organization would be spending more to protect the asset than the control is expected to save.
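The SLE, ARO, ALE, and CBA calculations above, carried through in code as an added worked example (this is not code from the course module). The Web site figures ($1,000,000 asset value, EF of 0.10, one defacement every two years) are the module's own numbers; the two candidate safeguards, their cost items, and their post-control EF and ARO values are constructed assumptions for illustration and not vendor pricing or measured data. The example also covers the ARO conversion the text describes (events per period to events per year) and the negative-CBA case where a control is not worth its cost.

```python
# Added worked example (not from the course module): the SLE -> ARO -> ALE -> CBA
# chain for the module's Web site defacement scenario. The Web site figures
# ($1,000,000 asset, EF 0.10, ARO 0.50) come from the module; every safeguard
# cost, post-control EF and post-control ARO below is a constructed assumption.
from dataclasses import dataclass
from typing import Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x EF, where EF is the fraction of the asset lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(events: float, period_years: float) -> float:
    """ARO: convert 'events per period' into expected events per year.

    Once every 10 years -> 0.1; once every 2 years -> 0.5; three times a month -> 36.
    An ARO above 1.0 is a count of expected events, not a percentage.
    """
    if events < 0 or period_years <= 0:
        raise ValueError("events must be non-negative and the period positive")
    return events / period_years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year for one asset/threat pair."""
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control with the cost items the module lists, plus the
    EF and ARO estimated for the threat once the control is in place."""
    name: str
    acquisition: float          # purchase cost of hardware, software, services
    training: float             # cost to train personnel
    implementation: float       # install, configure and test
    annual_service: float       # vendor fees for maintenance and upgrades
    annual_maintenance: float   # labour to verify, test, maintain and update
    useful_life_years: float    # one-time costs are spread over this period
    exposure_factor_post: float  # assumed EF with the control in place
    aro_post: float              # assumed ARO with the control in place

    def annualized_cost(self) -> float:
        """ACS: one-time costs spread over the useful life plus recurring costs."""
        one_time = self.acquisition + self.training + self.implementation
        return one_time / self.useful_life_years + self.annual_service + self.annual_maintenance


def cost_benefit(asset_value: float, ef_prior: float, aro_prior: float,
                 control: Safeguard) -> dict:
    """CBA = ALE(prior) - ALE(post) - ACS.

    Positive: the control is expected to save more per year than it costs.
    Negative: the organization would spend more protecting the asset than
    the control is expected to save.
    """
    ale_prior = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_prior), aro_prior)
    ale_post = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.exposure_factor_post), control.aro_post)
    acs = control.annualized_cost()
    return {"control": control.name, "ale_prior": ale_prior, "ale_post": ale_post,
            "acs": acs, "cba": ale_prior - ale_post - acs}


def best_option(asset_value: float, ef_prior: float, aro_prior: float,
                candidates: list) -> Optional[dict]:
    """Return the candidate with the highest positive CBA, or None when no
    candidate is worth its cost (accepting the risk is then the cheaper choice)."""
    results = [cost_benefit(asset_value, ef_prior, aro_prior, c) for c in candidates]
    worthwhile = [r for r in results if r["cba"] > 0]
    return max(worthwhile, key=lambda r: r["cba"]) if worthwhile else None


# Module's scenario: $1,000,000 Web site, defacement destroys 10%, once every 2 years.
WEB_SITE_VALUE = 1_000_000
DEFACEMENT_EF = 0.10
DEFACEMENT_ARO = annualized_rate_of_occurrence(events=1, period_years=2)  # 0.50

# Constructed candidate controls (illustrative numbers, not vendor pricing).
CANDIDATES = [
    Safeguard("WAF plus file-integrity monitoring", acquisition=20_000, training=2_000,
              implementation=8_000, annual_service=4_000, annual_maintenance=6_000,
              useful_life_years=3, exposure_factor_post=0.02, aro_post=0.25),
    Safeguard("Managed 24x7 SOC with hot standby site", acquisition=150_000, training=5_000,
              implementation=25_000, annual_service=10_000, annual_maintenance=10_000,
              useful_life_years=3, exposure_factor_post=0.01, aro_post=0.10),
]

if __name__ == "__main__":
    for candidate in CANDIDATES:
        r = cost_benefit(WEB_SITE_VALUE, DEFACEMENT_EF, DEFACEMENT_ARO, candidate)
        print(f"{r['control']}: ALE(prior)=${r['ale_prior']:,.0f} ALE(post)=${r['ale_post']:,.0f} "
              f"ACS=${r['acs']:,.0f} CBA=${r['cba']:,.0f}")
    choice = best_option(WEB_SITE_VALUE, DEFACEMENT_EF, DEFACEMENT_ARO, CANDIDATES)
    print("Recommended:", choice["control"] if choice else "no control is worth its cost")
```

For the module's scenario the first candidate gives ALE(prior) of $50,000, ALE(post) of $5,000, and an ACS of $20,000, so its CBA is $25,000 per year; the second candidate cuts the ALE further but its $80,000 ACS makes the CBA negative, which is exactly the case the module warns about of spending more to protect an asset than the protection is worth. Once a control is in service, re-running the same calculation with observed EF and ARO values in place of the estimates is the "after" CBA the text describes.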
Once controls are implemented, it is crucial to continue to examine their benefits to determine when they must be upgraded, supplemented, or replaced. As Frederick Avolio states in his article "Best Practices in Network Security":

"Security is an investment, not an expense. Investing in computer and network security measures that meet changing business requirements and risks makes it possible to satisfy changing business requirements without hurting the business' viability."



Prepared by:

JUDIELYN L. CUALBAR
Instructor
