An investigation by the Information Security department has shown that the cost of rectifying a website damaged by a hacker is about Rs. 200k per incident. Available records (over the last ten years) show that such hacking activity has happened about five times during this period for comparable businesses. You have been asked to evaluate a security solution consisting of
• Two application-level firewalls (costing Rs. 20k each),
• One IPS/IDS appliance (costing Rs. 10k each).
The expected lifetime of the solution is 5 years - the cost is capitalised over 5 years. All security systems carry a simplified 20% (of total cost) charge for ‘installation, support, maintenance, and management’ per year.
If the suggested security solution reduces the cost of damage by 70% per incident, I need to find the value of the safeguard to the company. So, I calculate as follows:
SLE('Single Loss Expectancy') : 200K
ARO('Annualised Rate of Occurrence') : 0.5 per year
ALE('Annualised Loss Expectancy') : 100k (200k * 0.5)
ALE(Before) : 100k
ALE(After) : 30K
Controls cost : 2 firewalls + 1 IDS + maintenance = 50k + 50k = 100k (for five years)
Annualised cost : 100k / 5 = 20k
Value of safeguard to the company: 100 - 30 - 20 = 50K