Recent Question/Assignment
Task
1. For this question you are required to make at least two (2) forum postings, arguing either for or against the quantiative method of risk assessment. You will be assessed on what you contribute to the debate in terms of quality not quantity (though your posting should at a minimum be a few sentences long). You may either create new thread or reply to a previous posting. All new threads should contain the subject line “Quantitative Debate”
2. Study Exhibits 61.1 and 61.2 from Reading 3, and answer the following questions:
(a) Explain in your own words what is meant by the terms Sweet Spot and Discretionary Area (see Exhibit 61.1)
(b) Explain the significance of a security decision that is located to the right of the Sweet Spot but outside the Discretionary Area (see Exhibit 61.1).
(c) Explain the significance of a security decision that is located to the left of the Sweet Spot but still inside the Discretionary Area (see Exhibit 61.1).
(d) Explain why you think the Defined Highest Acceptable Risk is located on the Sweet Spot, but the Defined Lowest Acceptable Risk is located to the right of the Sweet Spot (see Exhibit 61.2).
3. In Reading 7 for this subject, Ozier states that ‘The [ALE] algorithm cannot distinguish effectively between low frequency/high-impact threats (such as ‘fire’) and high-frequency/low impact threats (such as ‘misuse of resources’).’ Explain why this is the case. Give an appropriate example to illustrate your explanation.
4. (Note: Make sure you show ALL your working for this question)
The following threat statistics have been gathered by a risk manager. Based on these, calculate the ALE for each threat.
5. (Note: Make sure you show ALL your working for this question)
Using the figures you calculated above, determine the relative ROSI (return on security investment) for each of the same threats with the following controls in place. Remember that a single control may affect more than one threat, and you need to take this into account when calculating the ROSI. Based on your calculations, which controls should be purchased?
6. Consider the data in the two tables that appear in questions 4 and 5 above. Sometimes a control may affect the cost per incident and sometimes theoccurrence frequency, and sometimes both. Why is this the case? Illustrate your answer with an example drawn from the data provided.
7. The year is 1999 and you are the risk manager for a large financial institution. You apply the Jacobson’s Window model (Reading 11) to determine your company’s preferred response to the impending Y2K bug. According to the model, should you accept, mitigate, or transfer the Y2K risk? Why? Do you agree with the model’s recommendations? Why or why not?
8. (Note: Make sure you show ALL your working for this question)
You want to persuade management to invest in an automated patching system. You estimate the costs and benefits over the next five years as follows:
Benefits: Year 1 Year 2 Year 3 Year 4 Year 5
$2,000 $2,500 $4,000 $4,000 $4,000
Costs: Year 1 Year 2 Year 3 Year 4 Year 5
$3000 $2000 $750 $250 $250
Calculate the Net Present Value (NPV) for this investment. Assuming that management has set the Required Rate of Return at 10%, should the investment be made? Why or why not?
9. There are a number of qualitative risk assessment models that are available for use, such as FRAAP, OCTAVE, OWASP and CRAMM. Choose one of these models and briefly describe how risk assessment is conducted under this model. Describe an example situation where you could use this selected model. Give your assessment of the validity, or otherwise, of this risk assessment model.
Rationale
To demonstrate your understanding of:
• the principles of security risk management; and
• the application of risk management principles to real-world examples.
Marking criteria
General Criteria
Criteria HD DI CR PS
Correctness, explanation, figures, grammar Answer is correct, and complete. Comprehensive explanation is provided with appropriate example. Figures (if appropriate) were used and. Appropriate reference style is used. No grammatical or spelling mistake. Answer is correct and a detailed explanation is provided. References are used. No/only a few grammatical or spelling mistakes. The answer is correct, but the explanation is not complete. Very few references are used and not formatted appropriately. The answer is correct but not complete and only adequate explanation is provided. No references are used. There are grammatical errors and spelling mistakes.
Question 1
• Two forum postings on quantitative risk management (2 marks)
• Logical arguments for or against quantitative risk management (4 marks)
• Contributes to the overall debate on the forum (2 marks)
• Correct spelling and grammar (2 marks)
Question 2
• Discussion of each sub-question (2 marks)
• Use of at least two supporting references (2 marks)
Question 3
• Explanation of the statement by Ozier (6 marks)
• Appropriate example (3 marks)
• Use of at least one supporting reference (1 mark)
Question 4
• Table produced with ALE for each threat (8 marks)
• Working shown (2 marks)
Question 5
• Relative ROSI calculated based on the ALEs in questions 5 & 6 (6 marks)
• Correct recommendations on controls to purchase (2 marks)
• Working shown (2 marks)
Question 6
• Discussion on change in cost per incident values (4 marks)
• Discussion on change in occurrence frequency values (4 marks)
• Appropriate example to illustrate problem (2 marks)
Question 7
• Assumptions/problem background (2 marks)
• Application of the model to the problem (4 marks)
• Recommendations based on the application of the model (3 marks)
• Use of at least one supporting reference (1 mark)
Question 8
• Calculation of NPV (6 marks)
• Working shown (2 marks)
• Recommendation based on NPV calculation (2 marks)
Question 9
• Description of how risk assessment model works (2 marks)
• Example of the use of the model (3 marks)
• Assessment of validity of the model (4 marks)
• Use of at least one supporting reference (1 mark)
Presentation
• Note: Marks will be deducted for poor spelling and grammar or incorrect referencing style:
• Incorrect or poor spelling and grammar (up to -5 marks)
• Incorrect use of APA referencing style (up to -5 marks)
Presentation
• Assignments are required to be submitted in either Word format (.doc, or .docx), Open Office format (.odf), Rich Text File format (.rtf) or .pdf format. Each assignment must be submitted as a single document.
• Assignments should be typed using 10 or 12 point font. APA referencing style should be used. A reference list should be included with each assessment item.
• All diagrams that are required should be inserted into the document in the appropriate position. Diagrams that are submitted in addition to the assignment document will not be marked.