
COURSE CODE: IT311 – Information Assurance and Security
Module 9
Week 9 | 1st Semester, S.Y. 2020-2021

Introduction
Organizations must consider the economic feasibility of implementing information security controls and safeguards. While a number of alternatives for solving a problem may exist, they may not all have the same economic feasibility. Most organizations can spend only a reasonable amount of time and money on information security, and the definition of reasonable differs from organization to organization and even from manager to manager. Organizations are urged to begin the cost benefit analysis by evaluating the worth of the information assets to be protected and the loss in value if those information assets were compromised by the exploitation of a specific vulnerability. It is only common sense that an organization should not spend more to protect an asset than the asset is worth.

Intended Learning Outcomes

• Identify risks associated with disasters and disruptions and specify key mitigation strategies.

Topic
Cost benefit analysis (CBA), also called an economic feasibility study, refers to the formal decision-making process behind this evaluation.

Some of the items that affect the cost of a control or safeguard include the following:

• Cost of development or acquisition (purchase cost) of hardware, software, and services
• Training fees (cost to train personnel)
• Cost of implementation (cost to install, configure, and test hardware, software, and services)
• Service costs (vendor fees for maintenance and upgrades)
• Cost of maintenance (labor expense to verify and continually test, maintain, and update)

Benefit is the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability.

Asset valuation is the process of assigning financial value or worth to each information asset.

The valuation of assets involves estimation of real and perceived costs associated with
design, development, installation, maintenance, protection, recovery, and defense against
loss and litigation. The higher acquired value is the more appropriate value in most cases.

Once an organization has estimated the worth of various assets, it can begin to examine the potential loss that could occur from the exploitation of a vulnerability or a threat occurrence. This process results in the estimate of potential loss per risk. The questions that must be asked here include:

• What damage could occur, and what financial impact would it have?
• What would it cost to recover from the attack, in addition to the financial impact of damage?
• What is the single loss expectancy for each risk?

A single loss expectancy (SLE) is the calculation of the value associated with the most likely loss
from an attack. It is a calculation based on the value of the asset and the exposure factor (EF),
which is the expected percentage of loss that would occur from a particular attack, as
follows:

SLE = asset value x exposure factor (EF)

where EF equals the percentage loss that would occur from a given vulnerability being exploited.

For example, if a Web site has an estimated value of $1,000,000 (value determined by asset valuation), and a deliberate act of sabotage or vandalism (hacker defacement) scenario indicates that 10 percent of the Web site would be damaged or destroyed after such an attack, then the SLE for this Web site would be $1,000,000 x 0.10 = $100,000. This estimate is then used to calculate another value, annualized loss expectancy, which will be discussed shortly.

As difficult as it is to estimate the value of information, the estimation of the probability of a threat
occurrence or attack is even more difficult. There are not always tables, books, or records that
indicate the frequency or probability of any given attack. There are sources available for some
asset-threat pairs. For instance, the likelihood of a tornado or thunderstorm destroying a building of
a specific type of construction within a specified region of the country is available to insurance
underwriters. In most cases, however, an organization can rely only on its internal information to
calculate the security of its information assets. Even if the network, systems, and security
administrators have been actively and accurately tracking these occurrences, the organization’s
information is sketchy at best. As a result, this information is usually estimated. In most cases, the
probability of a threat occurring is usually a loosely derived table indicating the probability of an
attack from each threat type within a given time frame (for example, once every 10 years). This
value is commonly referred to as the annualized rate of occurrence (ARO). ARO is simply how
often you expect a specific type of attack to occur. As you learned earlier in this chapter, many
attacks occur much more frequently than every year or two. For example, a successful deliberate
act of sabotage or vandalism might occur about once every two years, in which case the ARO
would be 50 percent (0.50), whereas some kinds of network attacks can occur multiple times per
second. To standardize calculations, you convert the rate to a yearly (annualized) value. This is
expressed as the probability of a threat occurrence.

Once each asset’s worth is known, the next step is to ascertain how much loss is expected from a
single expected attack, and how often these attacks occur. Once those values are established, the
equation can be completed to determine the overall lost potential per risk. This is usually
determined through an annualized loss expectancy (ALE), which is calculated from the ARO and
SLE, as shown here:

ALE = SLE x ARO


Using the example of the Web site that might suffer a deliberate act of sabotage or vandalism
and thus has an SLE of $100,000 and an ARO of 0.50, the ALE would be calculated as follows:
ALE = $100,000 x 0.50
ALE = $50,000

This indicates that unless the organization increases the level of security on its Web site, it can
expect to lose $50,000 per year, every year. Armed with such a figure, the organization’s
information security design team can justify expenditure for controls and safeguards and deliver a
budgeted value for planning purposes. Note that sometimes noneconomic factors are considered in
this process, so that in some cases even when ALE amounts are not huge, control budgets can be
justified.

The Cost Benefit Analysis (CBA) Formula

In its simplest definition, CBA (or economic feasibility) determines whether or not a particular control is worth its cost. CBAs may be calculated before a control or safeguard is implemented to determine if the control is worth implementing. CBAs can also be calculated after controls have been functioning for a time. Observation over time adds precision to the evaluation of the benefits of the safeguard and the determination of whether the safeguard is functioning as intended. While many techniques exist, the CBA is most easily calculated using the ALE from earlier assessments before the implementation of the proposed control, which is known as ALE(prior). Subtract the revised ALE, estimated based on the control being in place, known as ALE(post). Complete the calculation by subtracting the annualized cost of the safeguard (ACS).

CBA = ALE(prior) - ALE(post) - ACS

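The SLE, ARO, ALE and CBA arithmetic above, carried through in one place as an added example (this code is not part of the module). It reuses the module's Web site figures ($1,000,000 asset, 10 percent EF, one defacement every two years) and assumes constructed post-control figures (2 percent EF, one occurrence every four years, $30,000 ACS) that are not from the module.

```python
"""Quantitative risk arithmetic from the module: SLE, ARO, ALE and the CBA formula."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One asset-threat pair: what the asset is worth and how a given attack would hit it."""
    asset_value: float      # dollars, from asset valuation
    exposure_factor: float  # EF: fraction of the asset lost per occurrence, 0.0 to 1.0
    aro: float              # annualized rate of occurrence (may exceed 1.0 for frequent attacks)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

def annualize(occurrences: float, years: float) -> float:
    """Convert 'N occurrences every Y years' into an ARO, e.g. once every two years -> 0.5."""
    return occurrences / years

def sle(s: Scenario) -> float:
    """Single loss expectancy: SLE = asset value x EF."""
    return s.asset_value * s.exposure_factor

def ale(s: Scenario) -> float:
    """Annualized loss expectancy: ALE = SLE x ARO."""
    return sle(s) * s.aro

def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; a positive result means the control pays for itself."""
    return ale_prior - ale_post - acs

def evaluate_control(prior: Scenario, post: Scenario, acs: float) -> dict:
    """Compare the scenario before and after a control; ACS is the control's annualized cost."""
    result = {"ale_prior": ale(prior), "ale_post": ale(post), "acs": acs}
    result["cba"] = cba(result["ale_prior"], result["ale_post"], acs)
    result["justified"] = result["cba"] > 0
    return result

# Worked example from the module: $1,000,000 Web site, 10% defacement damage, once every two years.
WEB_SITE_PRIOR = Scenario(asset_value=1_000_000, exposure_factor=0.10, aro=annualize(1, 2))
# Constructed post-control figures (not from the module): a hypothetical control is assumed
# to cut the damage to 2% and the rate to once every four years, at $30,000 per year (ACS).
WEB_SITE_POST = Scenario(asset_value=1_000_000, exposure_factor=0.02, aro=annualize(1, 4))

if __name__ == "__main__":
    print(f"SLE = ${sle(WEB_SITE_PRIOR):,.0f}, ALE = ${ale(WEB_SITE_PRIOR):,.0f}")
    print(evaluate_control(WEB_SITE_PRIOR, WEB_SITE_POST, acs=30_000))
```

Running it reproduces the module's $100,000 SLE and $50,000 ALE, and shows that the assumed control has a CBA of $15,000 per year at $30,000 ACS but a negative CBA if its annualized cost rose to $60,000.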
Once controls are implemented, it is crucial to continue to examine their benefits to determine
when they must be upgraded, supplemented, or replaced. As Frederick Avolio states in his article
“Best Practices in Network Security”:

“Security is an investment, not an expense. Investing in computer and network security measures
that meet changing business requirements and risks makes it possible to satisfy changing business
requirements without hurting the business’ viability.”

Reference
• Whitman, M. E. et al. (2012). Principles of Information Security. Cengage Learning.