MODULE 4 - IAS - CruzReykklan
III-BSIT-B
Learning Activity No. 1 (Module 4)
If an organization has three information assets to evaluate for risk management, as shown in the
accompanying data, which vulnerability should be evaluated for additional controls first? Which one
should be evaluated last?
Answer:
1. Set A
Value of the asset = 90
Vulnerability = 0.1
Current control = 0
Uncertainty = 25%
Formula:
Risk = (likelihood of occurrence of vulnerability * value of the information asset)
- [(likelihood of occurrence of vulnerability * value of the information asset) * (% of risk mitigated by current controls)]
+ [(likelihood of occurrence of vulnerability * value of the information asset) * (uncertainty of current knowledge of vulnerability)]
Solution:
Risk = (90 * 0.1) - [(90 * 0.1) * 0] + [(90 * 0.1) * 25%]
= 9 - 0 + 2.25
= 11.25
Set B
Value of the asset = 90
Vulnerability = 0.2
Current control = 0
Uncertainty = 25%
Formula:
Risk = (likelihood of occurrence of vulnerability * value of the information asset)
- [(likelihood of occurrence of vulnerability * value of the information asset) * (% of risk mitigated by current controls)]
+ [(likelihood of occurrence of vulnerability * value of the information asset) * (uncertainty of current knowledge of vulnerability)]
Solution:
Risk = (90 * 0.2) - [(90 * 0.2) * 0] + [(90 * 0.2) * 25%]
= 18 - 0 + 4.5
= 22.5
Formula:
Risk = (likelihood of occurrence of vulnerability * value of the information asset)
- [(likelihood of occurrence of vulnerability * value of the information asset) * (% of risk mitigated by current controls)]
+ [(likelihood of occurrence of vulnerability * value of the information asset) * (uncertainty of current knowledge of vulnerability)]
Solution:
Risk = (100 * 0.1) - [(100 * 0.1) * 75%] + [(100 * 0.1) * 20%]
= 10 - 7.5 + 2
= 4.5
3. Value of the asset = 5
Vulnerability = 0.1
Current control = 0%
Uncertainty = 10
Formula:
Risk = (likelihood of occurrence of vulnerability * value of the information asset)
- [(likelihood of occurrence of vulnerability * value of the information asset) * (% of risk mitigated by current controls)]
+ [(likelihood of occurrence of vulnerability * value of the information asset) * (uncertainty of current knowledge of vulnerability)]
Solution:
Risk = (5 * 0.1) - [(5 * 0.1) * 0%] + [(5 * 0.1) * 0.1%]
= 0.5 - 0 + 0.05
= 0.55
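
The formula above as a small scoring routine that ranks the assets highest risk first. This is an added example, not part of the original submission. The function names and the asset labels are constructed for the example, and the last asset's uncertainty is assumed to be 10%, which matches the 0.05 term in its solution.

```python
def parse_rate(value, field):
    """Return a fraction in [0, 1] from '25%' or 0.25; reject anything else."""
    if isinstance(value, str) and value.strip().endswith("%"):
        rate = float(value.strip()[:-1]) / 100.0
    else:
        rate = float(value)
    if not 0.0 <= rate <= 1.0:
        # A bare 10 could mean 10% or 1000%; refuse to guess.
        raise ValueError(f"{field}={value!r} must be a percentage string or a fraction in [0, 1]")
    return rate


def risk(asset_value, likelihood, control, uncertainty):
    """Risk = base - (base * control) + (base * uncertainty), base = likelihood * value."""
    base = asset_value * parse_rate(likelihood, "likelihood")
    mitigated = base * parse_rate(control, "control")
    unknown = base * parse_rate(uncertainty, "uncertainty")
    return base - mitigated + unknown


# Inputs taken from the worked solutions; labels are constructed for this example.
ASSETS = [
    ("Set A", 90, 0.1, "0%", "25%"),
    ("Set B", 90, 0.2, "0%", "25%"),
    ("asset value 100", 100, 0.1, "75%", "20%"),
    ("asset value 5", 5, 0.1, "0%", "10%"),  # assumption: "Uncertainty = 10" means 10%
]


def rank(assets):
    """Score every asset and sort highest risk first."""
    scored = [(name, round(risk(v, l, c, u), 4)) for name, v, l, c, u in assets]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank(ASSETS):
        print(f"{name:16} {score:6.2f}")
```

Reading the last asset's uncertainty as a bare 10 instead of 10% would give 0.5 + 5 = 5.5 and move it above the asset scored 4.5, which is why `parse_rate` rejects unit-less values above 1.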