COMP218 Security Implementation & Management 23 CBA: ALE & ARO Quiz

Questions and Answers

What is the formula for calculating Annualized Loss Expectancy (ALE)?

ALE = SLE x ARO

Define Single Loss Expectancy (SLE) in the context of risk assessment.

SLE = asset value x exposure factor (EF)

Explain the concept of Due Care and Due Diligence in security.

Due Care is adopting security levels for a legal defense, while Due Diligence is ensuring that implemented standards provide the required protection.

What is meant by Best Business Practices (BSPs) in the context of security?

BSPs are security efforts that provide a superior level of information protection.

How can Control Benefit Analysis (CBA) be calculated using ALE?

CBA = ALE(prior) - ALE(post) - ACS

What is Benchmarking in information security?

Benchmarking involves reviewing peer institutions to determine how they protect their assets.

According to Microsoft's Ten Immutable Laws of Security, what happens if a bad guy can persuade you to run his program on your computer?

It's not your computer anymore

What is the significance of having weak passwords according to Microsoft's Ten Immutable Laws of Security?

Weak passwords trump strong security

In the context of security, what does Microsoft's law 'A machine is only as secure as the administrator is trustworthy' imply?

Security of a machine relies on the trustworthiness of the administrator

Why is an out-of-date virus scanner only marginally better than having no virus scanner at all?

An out-of-date virus scanner may not detect new threats

What does Microsoft's law 'Encrypted data is only as secure as the decryption key' emphasize?

The security of encrypted data is dependent on the security of the decryption key

What is the biggest problem with benchmarking in information security?

Organizations don't talk to each other

What does baselining in information security involve?

Comparing security activities and events against the organization's future performance

What is the purpose of organizational feasibility in information security?

To examine how proposed security alternatives contribute to the efficiency and operation of an organization

What does operational feasibility in information security address?

User acceptance and support, management acceptance and support, and overall stakeholder requirements

Why is obtaining user buy-in important in systems development?

To ensure user acceptance and support for the project

What does technical feasibility in information security assess?

Whether the organization has or can acquire the technology necessary to implement and support control alternatives

What is political feasibility in information security?

The evaluation of what can and cannot occur based on consensus and relationships within an organization

What does risk appetite define in the context of information security?

The quantity and nature of risk organizations are willing to accept as they evaluate tradeoffs between perfect security and unlimited accessibility

What is residual risk in information security?

Risk that remains after controlling vulnerabilities to the best extent possible

Why is documenting results important in information security?

To identify any residual risk and document control strategies for information asset-vulnerability pairs

Study Notes

Annualized Loss Expectancy (ALE)

• ALE = Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO).
• Determines the expected annual loss from a specific risk.

Single Loss Expectancy (SLE)

• Represents the monetary value expected from a single occurrence of a risk.
• Calculated as Asset Value (AV) x Exposure Factor (EF).

Due Care and Due Diligence

• Due Care: The effort made by an organization to protect its information assets.
• Due Diligence: The ongoing process of assessing and mitigating risk in security practices.

Best Business Practices (BSPs)

• BSPs refer to recognized methods and strategies that enhance security and compliance within an organization.
• Aim to streamline processes and improve overall security posture.

Control Benefit Analysis (CBA)

• CBA can be calculated by evaluating the ALE before and after implementing controls.
• Compares costs of security measures against potential losses mitigated.

Benchmarking in Information Security

• Involves comparing security practices and policies against industry standards or peer organizations.
• Helps identify strengths, weaknesses, and gaps in security measures.

Microsoft's Ten Immutable Laws of Security

• If a malicious actor persuades a user to run their program, it can lead to unauthorized access or damage.
• Trust is crucial; user actions directly impact system security.

Weak Passwords

• Weak passwords significantly increase vulnerability to attacks, making systems easier targets.
• Strong password policies are essential for maintaining security.

Trustworthiness of Administrators

• A machine’s security level is directly linked to the reliability of its administrators.
• Untrustworthy administrators can compromise systems through negligence or malicious actions.

Out-of-Date Virus Scanners

• An outdated virus scanner will likely miss new threats, offering minimal protection against modern malware.
• Regular updates are crucial for effective threat defense.

Encryption and Decryption Keys

• Encrypted data remains vulnerable if the decryption key is not secure.
• Emphasizes the importance of protecting keys as part of overall data security strategy.

Challenges with Benchmarking

• Benchmarking can oversimplify complex security issues and may not account for unique organizational risks.
• Results may lead to false confidence or misaligned priorities.

Baselining in Information Security

• Involves establishing a norm for security controls and system performance.
• Helps in monitoring changes and ensuring compliance with security policies.

Organizational Feasibility

• Assesses whether security initiatives align with organizational goals and culture.
• Ensures that projects have executive support and resources for implementation.

Operational Feasibility

• Addresses the practical implementation of security measures in day-to-day operations.
• Considers user training, process changes, and technology adoption.

User Buy-In Importance

• Securing user buy-in is vital for the success of new systems or security measures.
• User support enhances compliance and reduces resistance to change.

Technical Feasibility

• Evaluates the technical resources and expertise available to implement security measures.
• Determines if existing infrastructure can support new security solutions.

Political Feasibility

• Involves understanding the organizational landscape and stakeholder support for security initiatives.
• Political backing can significantly influence project success and resource allocation.

Risk Appetite

• Defines the level and type of risk that an organization is willing to accept in pursuit of its objectives.
• Influences decision-making and resource prioritization in risk management.

Residual Risk

• Refers to the amount of risk that remains after protective measures have been implemented.
• Important for continuous risk assessment and management strategies.

Importance of Documenting Results

• Documentation of results provides transparency and accountability in risk management processes.
• Enables tracking progress, supports decision-making, and improves future responses.

Description

Test your knowledge on calculating the Annualized Loss Expectancy (ALE) in the context of security risks. Understand how to determine Single Loss Expectancy (SLE) and Annualized Rate of Occurrence (ARO) for each risk.