Explain in Your Own Words What is Meant by the Terms Sweet Spot and Discretionary Area

$10.00

Explain why you think the Defined Highest Acceptable Risk is located on the Sweet Spot

 

SKU: Repo520012

Task

1. For this question you are required to make at least two (2) forum postings, arguing either for or against the quantitative method of risk assessment. You will be assessed on what you contribute to the debate in terms of quality not quantity (though your posting should at a minimum be a few sentences long). You may either create new thread or reply to a previous posting. All new threads should contain the subject line “Quantitative Debate”

 

2.Study Exhibits 61.1 and 61.2 from Reading 3, and answer the following questions:

(a) Explain in your own words what is meant by the terms Sweet Spot and Discretionary Area (see Exhibit 61.1)

(b) Explain the significance of a security decision that is located to the right of the Sweet Spot but outside the Discretionary Area (see Exhibit 61.1).

(c) Explain the significance of a security decision that is located to the left of the Sweet Spot but still inside the Discretionary Area (see Exhibit 61.1).

(d) Explain why you think the Defined Highest Acceptable Risk is located on the Sweet Spot, but the Defined Lowest Acceptable Risk is located to the right of the Sweet Spot (see Exhibit 61.2).

 

3. In Reading 7 for this subject, Ozier states that ‘The [ALE] algorithm cannot distinguish effectively between low frequency/high-impact threats (such as ‘fire’) and high-frequency/low impact threats (such as ‘misuse of resources’).’ Explain why this is the case. Give an appropriate example to illustrate your explanation.

 

4.(Note: Make sure you show ALL your working for this question)
The following threat statistics have been gathered by a risk manager. Based on these, calculate the ALE for each threat.

[/su_table]
Threat Cost per incident Occurrence frequency
Software piracy $600 1 per month
Computer virus/wom $2000 1 per month
Information theft(hacker) $3500 1 per 3 months
Information theft(employee) $6000 1 per 4 months
Denial of service attack $11000 1 per 2 years
Laptop theft $4000 1 per 5 years
Web defacement $1500 1 per 2 years
Fire $500,000 1 per 10 years
Flood $300,000 1 per 15 years

 

5. (Note: Make sure you show ALL your working for this question)
Using the figures you calculated above, determine the relative ROSI (return on security investment) for each of the same threats with the following controls in place. Remember that a single control may affect more than one threat, and you need to take this into account when calculating the ROSI. Based on your calculations, which controls should be purchased? 

Threat Cost per incident Occurrence frequency Control Yearly cost of control
Software piracy $500 1 per 4 months Anti-piracy protection hardware $15,000
Computer virus/wom $1300 1 per 5 months Antivirus $5,000
Information theft(hacker) $2000 1 per 6 months IDS $30,000
Information theft(employee) $7000 1 per 18 months Access controls $10,000
Denial of service attack $4000 1 per 10 years Firewall $15,000
Laptop theft $5000 1 per 10 years Physical security $25,000
Web defacement $1500 1 per 5 years Firewall $15,000
Fire $75,000 1 per 10 years Insurance2 $15,000
Flood $50,000 1 per 15 years Insurance $30,000

 

6. Consider the data in the two tables that appear in questions 4 and 5 above. Sometimes a control may affect the cost per incident and sometimes the occurrence frequency, and sometimes both. Why is this the case? Illustrate your answer with an example drawn from the data provided.
7. The year is 1999 and you are the risk manager for a large financial institution. You apply the Jacobson’s Window model (Reading 11) to determine your company’s preferred response to the impending Y2K bug. According to the model, should you accept, mitigate, or transfer the Y2K risk? Why? Do you agree with the model’s recommendations? Why or why not?

 

8. (Note: Make sure you show ALL your working for this question)
You want to persuade management to invest in an automated patching system. You estimate the costs and benefits over the next five years as follows:

Benefits: Year 1 Year 2 Year 3 Year 4 Year 5
$2,000 $2,500 $4,000 $4,000 $4,000
Costs: Year 1 Year 2 Year 3 Year 4 Year 5
$3000 $2000 $750 $250 $250

Calculate the Net Present Value (NPV) for this investment. Assuming that management has set the Required Rate of Return at 10%, should the investment be made? Why or why not?

 

9. There are a number of qualitative risk assessment models that are available for use, such as FRAP, OCTAVE, OWASP and CRAMM.  Choose one of these models and briefly describe how risk assessment is conducted under this model. Describe an example situation where you could use this selected model. Give your assessment of the validity, or otherwise, of this risk assessment model

Reviews

There are no reviews yet.

Be the first to review “Explain in Your Own Words What is Meant by the Terms Sweet Spot and Discretionary Area”

Your email address will not be published. Required fields are marked *

Sorry no more offers available