
Annualized Rate Occurrence (ARO):
Annualized Rate Occurrence is the estimated frequency at which a given threat is expected to happen.
ARO can be calculated by using the following formula:
Annualized Loss Expectancy (ALE):
Annualized Loss Expectancy is the loss expected from the attack of a specific information asset which has been carried over for a year. It is a product of single loss expectancy and the annualized rate of occurrence.
ALE can be calculated by using the following formula:
Cost-Benefit Analysis (CBA):
- CBA is the study that determines the cost required for protecting an asset.
- It is a process of feasibility which is carried with a formal documentation process. It is also called as economic feasibility study.
- System value is an estimated total cost of the organization in terms of the cost of equipment, and more important, in terms of the cost of information stored in the system.
CBA can be calculated by using the following formula:
Here, the term

Explanation of Solution
Calculate ARO for Programmer mistakes:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “
Hence, the ARO for programmer mistakes is “12 (approximately)”.
Calculate ARO for Loss if intellectual property:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “
Hence, the ARO for Loss if intellectual property is “0.5 (approximately)”.
Calculate ARO for Software Piracy:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “
Hence, the ARO for Software Piracy is “12 (approximately)”.
Calculate ARO for Theft of information (hacker):
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 6 months)” as “
Hence, the ARO for Theft of information (hacker) is “2 (approximately)”.
Calculate ARO for Theft of information (employee):
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per year)” as “365” in the equation (1).
Hence, the ARO for Theft of Theft of information (employee) is “1 (approximately)”.
Calculate ARO for Web defacement:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per quarter)” as “
Hence, the ARO for Web defacement is “4 (approximately)”.
Calculate ARO for Theft of equipment:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “
Hence, the ARO for Theft of equipment is “0.5 (approximately)”.
Calculate ARO for Viruses, worms, Trojan Horses:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per months)” as “
Hence, the ARO for Viruses, worms, Trojan Horses is “12 (approximately)”.
Calculate ARO for Denial-of-service attacks:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 6 months)” as “
Hence, the ARO for Denial-of-service attacks is “2 (approximately)”.
Calculate ARO for Earthquake:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 20 years)” as “
Hence, the ARO for Earthquake is “0.05 (approximately)”.
Calculate ARO for Food:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “
Hence, the ARO for Food is “0.1 (approximately)”.
Calculate ARO for Fire:
Substitute the value of “One year” as “365” and “Frequency of occurrence (One per 10 years)” as “
Hence, the ARO for Fire is “0.1 (approximately)”.
Calculate ALE for Programmer mistakes:
Substitute the value of “SLE” as “5000” and “ARO” as “12” in the equation (2).
Hence, the ALE for programmer mistakes is “60000”.
Calculate ALE for Loss if intellectual property:
Substitute the value of “SLE” as “75000” and “ARO” as “0.5” in the equation (2).
Hence, the ALE for Loss if intellectual property is “37500”.
Calculate ALE for Software Piracy:
Substitute the value of “SLE” as “500” and “ARO” as “12” in the equation (2).
Hence, the ALE for Software Piracy is “6000”.
Calculate ALE for Theft of information(hacker):
Substitute the value of “SLE” as “2500” and “ARO” as “2” in the equation (2).
Hence, the ALE for Theft of information (hacker)is “5000”.
Calculate ALE for Theft of information (employee)
Substitute the value of “SLE” as “5000” and “ARO” as “1” in the equation (2).
Hence, the ALE for Theft of information (employee) is “5000”.
Calculate ALE for Web defacement:
Substitute the value of “SLE” as “500” and “ARO” as “4” in the equation (2).
Hence, the ALE for Web defacement is “2000”.
Calculate ALE for Theft of equipment:
Substitute the value of “SLE” as “5000” and “ARO” as “0.5” in the equation (2).
Hence, the ALE for Theft of equipment is “2500”.
Calculate ALE for Viruses, worms, Trojan Horses:
Substitute the value of “SLE” as “1500” and “ARO” as “12” in the equation (2).
Hence, the ALE for Viruses, worms, Trojan Horses is “18000”.
Calculate ALE for Denial-of-service attacks:
Substitute the value of “SLE” as “2500” and “ARO” as “2” in the equation (2).
Hence, the ALE for Denial-of-service attacks is “5000”.
Calculate ALE for Earthquake:
Substitute the value of “SLE” as “250000” and “ARO” as “0.05” in the equation (2).
Hence, the ALE for Earthquake is “12500”.
Calculate ALE for Food:
Substitute the value of “SLE” as “50000” and “ARO” as “0.1” in the equation (2).
Hence, the ALE for Food is “5000”.
Calculate ALE for Fire:
Substitute the value of “SLE” as “100000” and “ARO” as “0.1” in the equation (2).
Hence, the ALE for Fire is “10000”.
To calculate CBA for Programmer mistakes:
Substitute the value of “ALE (prior)” as “260000” and “ALE (post)” as “60000” and “ACS” as “20000” in the equation (3).
Hence, the CBA for programmer mistakes is “180000”.
To calculate CBA for Loss if intellectual property:
Substitute the value of “ALE (prior)” as “75000” and “ALE (post)” as “37500” and “ACS” as “15000” in the equation (3).
Hence, the CBA for Loss if intellectual property is “22500”.
To calculate CBA for Software Piracy:
Substitute the value of “ALE (prior)” as “26000” and “ALE (post)” as “6000” and “ACS” as “30000” in the equation (3).
Hence, the CBA for Software Piracy is “-10000”.
To calculate CBA for Theft of information (hacker):
Substitute the value of “ALE (prior)” as “10000” and “ALE (post)” as “5000” and “ACS” as “15000” in the equation (3).
Hence, the CBA for Theft of information (hacker) is “-10000”.
To calculate CBA for Theft of information (employee):
Substitute the value of “ALE (prior)” as “10000” and “ALE (post)” as “5000” and “ACS” as “15000” in the equation (3).
Hence, the CBA for Theft of information (employee) is “-10000”.
To calculate CBA for Web defacement:
Substitute the value of “ALE (prior)” as “6000” and “ALE (post)” as “2000” and “ACS” as “10000” in the equation (3).
Hence, the CBA for Web defacement is “-6000”.
To calculate CBA for Theft of equipment:
Substitute the value of “ALE (prior)” as “5000” and “ALE (post)” as “2500” and “ACS” as “15000” in the equation (3).
Hence, the CBA for Theft of equipment is “-12500”.
To calculate CBA for Viruses, worms, Trojan Horses:
Substitute the value of “ALE (prior)” as “78000” and “ALE (post)” as “18000” and “ACS” as “15000” in the equation (3).
Hence, the CBA for Viruses, worms, Trojan Horses is “45000”.
To calculate CBA for Denial-of-service attacks:
Substitute the value of “ALE (prior)” as “10000” and “ALE (post)” as “5000” and “ACS” as “10000” in the equation (3).
Hence, the CBA for Denial-of-service attacks is “-5000”.
To calculate CBA for Earthquake:
Substitute the value of “ALE (prior)” as “12500” and “ALE (post)” as “12500” and “ACS” as “5000” in the equation (3).
Hence, the CBA for Earthquake is “-5000”.
To calculate CBA for Food:
Substitute the value of “ALE (prior)” as “25000” and “ALE (post)” as “5000” and “ACS” as “10000” in the equation (3).
Hence, the CBA for Food is “10000”.
To calculate CBA for Fire:
Substitute the value of “ALE (prior)” as “50000” and “ALE (post)” as “10000” and “ACS” as “10000” in the equation (3).
Hence, the CBA for Fire is “30000”.
ARO and ALE table for all the threat cost is given below:
ARO and ALE threats | SLE | ARO | ALE | CBA |
Programmer mistakes | 5,000 | 12 | 60,000 | 180,000 |
Loss if intellectual property | 75,000 | 0.5 | 37,500 | 22,500 |
Software Piracy | 500 | 12 | 6,000 | -10,000 |
Theft of information(hacker) | 2,500 | 2 | 5,000 | -10,000 |
Theft of information (employee) | 5,000 | 1 | 5,000 | -10,000 |
Web defacement | 500 | 4 | 2,000 | -6,000 |
Theft of equipment | 5,000 | 0.5 | 2,500 | -12,500 |
Viruses, worms, Trojan Horses | 1,500 | 12 | 18,000 | 45,000 |
Denial-of-service attacks | 2,500 | 2 | 5,000 | -5000 |
Earthquake | 250,000 | 0.05 | 12,500 | -5,000 |
Food | 50,000 | 0.1 | 5,000 | 10,000 |
Fire | 100,000 | 0.1 | 10,000 | 30,000 |
Reason for changes in values:
Some values have been changed because of the implementation controls which had a positive impact on protection of XYZ’s assets. Thus, reducing the frequency of occurrences. However, the controls did not decrease cost for a single incident because the importance of an asset will stay the same and cost XYZ the same amount of time and money to replace. The costs that are listed are worth when the controls are in their place.
Want to see more full solutions like this?
Chapter 5 Solutions
Principles of Information Security (MindTap Course List)
- Write the following in C# WinForms. Implement a function in the main menu that makes the poacher move to random directions. The movement should seem seamless. The poacher can be drew by the following in the main menu. e.Graphics.DrawImage(poacherImage, poacher.X, poacherY, tileSize, tileSize);arrow_forwardWrite the following in C# WinForms. Create a poacher class that has random x and y values when created, private set function for x and y values. Implement a function in the main menu that makes the poacher move into random direction. The movement should seem seamless. The poacher can be drew by the following in the main menu. e.Graphics.DrawImage(poacherImage, poacher.X, poacherY, tileSize, tileSize); Write the following in C# WinForms. Create a poacher class that has random x and y values when created, private set function for x and y values. Implement a function in the main menu that makes the poacher move into random direction. The movement should seem seamless. The poacher can be drew by the following in the main menu. e.Graphics.DrawImage(poacherImage, poacher.X, poacherY, tileSize, tileSize);arrow_forwardWrite the following in C# WinForms. Create a poacher class that has random x and y values when created, private set function for x and y values. Implement a function in the main menu that makes the poacher move into random direction. The movement should seem seamless. The poacher can be drew by the following in the main menu. e.Graphics.DrawImage(poacherImage, poacher.X, poacherY, tileSize, tileSize);arrow_forward
- Write the following in C# WinForms. Create a poacher class that has random x and y values when created, private set function for x and y values. Implement a function in the main menu that makes the poacher move into random direction. The movement should seem seamless. The picture of the poacher is drew by e.Graphics.DrawImage(poacherImage, poacher.X, poacher.Y, tileSize, tileSize);arrow_forwardCreate a poacher class that has random x and y values when created, private set function for x and y values, and implement a function in the main menu that makes the poacher move into random direction. The movement should seem seamless. Write it in C# WinFormsarrow_forwardHi, please solve this trying to follow this criteria. (use Keil) Abstract describing the requirements and goals of the assignment. List file with no errors or warnings. Brief description of your implementation design and code. Debugging screen shots for different scenarios with your reference and comments. Conclusionarrow_forward
- Compute a Monte Carlo estimate of 0.8 by sampling from Uniform(0,0.8) and estimate the variance of ⑦.arrow_forwardWrite a C program using embedded assembler with a function to convert a digit (0 – 15) to the corresponding ASCII character representing the value in hexadecimal. For numbers 0 – 9, the output will be the characters '0' – '9', for numbers 10 – 15 the characters 'A' – 'F'. The entire core of the program must be written in symbolic instruction language; arrays may not be used. You may only use C to print the result. Tip: This piece of C program will do the same thing: character = number < 10 ? number + '0' : number + 55; As a basis, you can use this program again , which increments a variable. Just replace the INC instruction with ADD and add a test (CMP) with some conditional jump.arrow_forwardAnswer the question fully and accurately by providing the required files(Java Code, Two output files and written answers to questions 1-3 in a word document)meaning question 1 to 3 also provide correct answers for those questions.(note: this quetion is not graded).arrow_forward
- Principles of Information Security (MindTap Cours...Computer ScienceISBN:9781337102063Author:Michael E. Whitman, Herbert J. MattordPublisher:Cengage LearningManagement Of Information SecurityComputer ScienceISBN:9781337405713Author:WHITMAN, Michael.Publisher:Cengage Learning,Principles of Information Systems (MindTap Course...Computer ScienceISBN:9781285867168Author:Ralph Stair, George ReynoldsPublisher:Cengage Learning
- Information Technology Project ManagementComputer ScienceISBN:9781337101356Author:Kathy SchwalbePublisher:Cengage LearningCOMPREHENSIVE MICROSOFT OFFICE 365 EXCEComputer ScienceISBN:9780357392676Author:FREUND, StevenPublisher:CENGAGE LPrinciples of Information Systems (MindTap Course...Computer ScienceISBN:9781305971776Author:Ralph Stair, George ReynoldsPublisher:Cengage Learning




