Risk Assessment

Suppose XYZ Software Company has a new application development project with projected revenues of
$1.2 million. Using the following table, calculate the ARO and ALE (In cost-benefit analysis, the product
of the annualized rate of occurrence and a single loss expectancy.) for each threat category the company
faces for this project. The first one is done for you.

Threat Category Cost per incident Frequency of ARO ALE

(SLE) occurrence
Programmer mistakes $5,000 1 per week 52.0 $260,000
Loss of intellectual $75,000 1 per year
property
Software piracy $500 1 per week
Theft of information $2,500 1 per quarter
(Hacker)
Theft of information $5,000 1 per 6 months
(employee)
Web defacement $500 1 per month
Theft of equipment $5,000 1 per year
Viruses, worms, $1,500 1 per week
Trojan horses
Denial-of-service $2,500 1 per quarter
attacks
Earthquake $250,000 1 per 20 years
Flood $250,000 1 per 10 years
Fire $500,000 1 per 10 years

ARO - In cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis.

ALE - In cost-benefit analysis, the product of the annualized rate of occurrence and a single loss
expectancy.