Chapter 5, Problem 3E

Program Plan Intro

Annualized Rate Occurrence (ARO):

Annualized Rate Occurrence is the estimated frequency at which a given threat is expected to happen.

ARO can be calculated by using the following formula:

$\text{ARO}\text{=}\frac{\text{One year}}{\text{Frequency of occurrence}}$(1)

Annualized Loss Expectancy (ALE):

Annualized loss expectancy is the loss expected from the attack of a specific information asset which has been carried over for a year. It is a product of single loss expectancy and the annualized rate of occurrence.

ALE can be calculated by using the following formula:

$\text{ALE}\text{=}\text{SLE }\times \text{ ARO}$ (2)

Explanation of Solution

Calculate ARO for Programmer mistakes:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per week)” as “7” in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{7}\\ =52\end{array}$

Hence, the ARO for programmer mistakes is “52 (approximately)”.

Calculate ARO for Loss if intellectual property:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per year)” as “365” in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{365}\\ =1\end{array}$

Hence, the ARO for Loss if intellectual property is “1 (approximately)”.

Calculate ARO for Software Piracy:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per week)” as “7” in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{7}\\ =52\end{array}$

Hence, the ARO for Software Piracy is “52 (approximately)”.

Calculate ARO for Theft of information (hacker):

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per quarter)” as “ $\frac{1}{4}$” (i.e $\frac{365}{4}$ ) in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{91.25}\\ =4\end{array}$

Hence, the ARO for Theft of information (hacker) is “4 (approximately)”.

Calculate ARO for Theft of information (employee):

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 6 months)” as “ $\frac{1}{2}$” (i.e $\frac{365}{2}$ ) in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{182.5}\\ =2\end{array}$

Hence, the ARO for Theft of Theft of information (employee) is “2 (approximately)”.

Calculate ARO for Web defacement:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “ $\frac{365}{12}$” in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{30.417}\\ =12\end{array}$

Hence, the ARO for Web defacement is “12 (approximately)”.

Calculate ARO for Theft of equipment:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per year)” as “365” in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{365}\\ =1\end{array}$

Hence, the ARO for Theft of equipment is “1 (approximately)”.

Calculate ARO for Viruses, worms, Trojan Horses:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per week)” as “7” in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{7}\\ =52\end{array}$

Hence, the ARO for Viruses, worms, Trojan Horses is “52 (approximately)”.

Calculate ARO for Denial-of-service attacks:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per quarter)” as “ $\frac{1}{4}$” (i.e $\frac{365}{4}$ ) in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{91.25}\\ =4\end{array}$

Hence, the ARO for Denial-of-service attacks is “4 (approximately)”.

Calculate ARO for Earthquake:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 20 years)” as “ $365\times 20$”  in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{7300}\\ =0.05\end{array}$

Hence, the ARO for Earthquake is “0.05 (approximately)”.

Calculate ARO for Food:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “ $365\times 10$”  in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{3600}\\ =0.1\end{array}$

Hence, the ARO for Food is “0.1 (approximately)”.

Calculate ARO for Fire:

Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “ $365\times 10$”  in the equation (1).

$\begin{array}{l}=\frac{\text{365}}{3600}\\ =0.1\end{array}$

Hence, the ARO for Fire is “0.1 (approximately)”.

Calculate ALE for Programmer mistakes:

Substitute the value of “SLE” as “5000” and “ARO” as “52” in the equation (2).

$\begin{array}{l}\text{ =5000}\times \text{52}\\ \text{=260000}\end{array}$

Hence, the ALE for programmer mistakes is “260000”.

Calculate ALE for Loss if intellectual property:

Substitute the value of “SLE” as “75000” and “ARO” as “1” in the equation (2).

$\begin{array}{l}\text{ =75000}\times 1\\ \text{=75000}\end{array}$

Hence, the ALE for Loss if intellectual property is “75000”.

Calculate ALE for Software Piracy:

Substitute the value of “SLE” as “500” and “ARO” as “52” in the equation (2).

$\begin{array}{l}\text{ =500}\times 52\\ \text{=26000}\end{array}$

Hence, the ALE for Software Piracy is “26000”.

Calculate ALE for Theft of information(hacker):

Substitute the value of “SLE” as “2500” and “ARO” as “4” in the equation (2).

$\begin{array}{l}\text{ =2500}\times 4\\ \text{=10000}\end{array}$

Hence, the ALE for Theft of information (hacker)is “10000”.

Calculate ALE for Theft of information (employee)

Substitute the value of “SLE” as “5000” and “ARO” as “2” in the equation (2).

$\begin{array}{l}\text{ =5000}\times 2\\ \text{=10000}\end{array}$

Hence, the ALE for Theft of information (employee) is “10000”.

Calculate ALE for Web defacement:

Substitute the value of “SLE” as “500” and “ARO” as “12” in the equation (2).

$\begin{array}{l}\text{ =500}\times 12\\ \text{=6000}\end{array}$

Hence, the ALE for Web defacement is “6000”.

Calculate ALE for Theft of equipment:

Substitute the value of “SLE” as “5000” and “ARO” as “1” in the equation (2).

$\begin{array}{l}\text{ =5000}\times 1\\ \text{=5000}\end{array}$

Hence, the ALE for Theft of equipment is “6000”.

Calculate ALE for Viruses, worms, Trojan Horses:

Substitute the value of “SLE” as “1500” and “ARO” as “52” in the equation (2).

$\begin{array}{l}\text{ =1500}\times 52\\ \text{=78000}\end{array}$

Hence, the ALE for Viruses, worms, Trojan Horses is “78000”.

Calculate ALE for Denial-of-service attacks:

Substitute the value of “SLE” as “2500” and “ARO” as “4” in the equation (2).

$\begin{array}{l}\text{ =2500}\times 4\\ \text{=10000}\end{array}$

Hence, the ALE for Denial-of-service attacks is “10000”.

Calculate ALE for Earthquake:

Substitute the value of “SLE” as “250000” and “ARO” as “0.05” in the equation (2).

$\begin{array}{l}\text{ =250000}\times 0.05\\ \text{=12500}\end{array}$

Hence, the ALE for Earthquake is “12500”.

Calculate ALE for Food:

Substitute the value of “SLE” as “250000” and “ARO” as “0.1” in the equation (2).

$\begin{array}{l}\text{ =250000}\times 0.1\\ \text{=25000}\end{array}$

Hence, the ALE for Food is “25000”.

Calculate ALE for Fire:

Substitute the value of “SLE” as “500000” and “ARO” as “0.1” in the equation (2).

$\begin{array}{l}\text{ =500000}\times 0.1\\ \text{=50000}\end{array}$

Hence, the ALE for Fire is “50000”.

ARO and ALE table for all the threat cost is given below:

ARO and ALE threat cost	ARO	ALE
Programmer mistakes	52	$260,000
Loss if intellectual property	1	$75,000
Software Piracy	52	$26,000
Theft of information(hacker)	4	$10,000
Theft of information (employee)	2	$10,000
Web defacement	12	$6,000
Theft of equipment	1	$5,000
Viruses, worms, Trojan Horses	52	$78,000
Denial-of-service attacks	4	$10,000
Earthquake	0.05	$12,500
Food	0.1	$25,000
Fire	0.1	$50,000