Sunday, October 26, 2014

Bringing Home SLE, ARO, ALE, and CBA

This week was fairly interesting to me. We read about controlling risk in the risk management process. Just as with last week, this is fairly new to me, so I try to relate the topics to layman's terms here at home to simplify it. This week, I wanted to do the same thing, so I am going to look at single loss expectancy (SLE), annualized rate of occurrence (ARO), annualized loss expectancy (ALE), and cost-benefit analysis (CBA). In my case, I am going to look at my home desktop computer...my lifeblood, really!

To get the SLE, you have to look at the value of the asset and the exposure it has to an exploited vulnerability. My desktop computer is valued at around $2,000 total. However, the value that I could lose would be closer to $500, which is the cost of my hard disks and memory. The vulnerability I want to look at is malicious software. For the purpose of this exercise, the malicious software will be considered a virus which would cause a total destruction and loss of all data on my computer. Therefore, it would be a 100% loss. So, my SLE would be $500 x 100% or $500. We will use this calculation a little later. First, we need to look at the ARO.

The ARO is the number of times an exploited vulnerability is expected to occur in a year. My wife and kids utilize my desktop and they are not very diligent, at times, about using the internet. As such, I could expect about four viruses per week, on average, to affect my computer. Of those four viruses, we will assume that two of them could cause catastrophic damage to my hard drive. Therefore, my ARO would be 2 x 52, or 104. There are 52 weeks in a year and I can expect two nasty viruses each of those weeks. That's significantly high, but you can see how it is calculated for this example. So, where does the ARO come into play?

The SLE and ARO combine to give me the ALE. ALE is found by taking the SLE and multiplying it by the ARO. In other words, my single loss value times the rate of occurrence. In this case, it is $500 x 104 or $52,000. What does that mean? Without any controls in place to reduce my catastrophic loss, it would cost me over $50,000 to keep my desktop computer functioning. Who on Earth would pay that kind of money to keep a computer functioning? I know I don't have that much money to replace my hard drive and memory every time. That is why I invest in anti-virus software, or my control. This will factor into my CBA.

A CBA is an analysis of how much you benefit from implementing a specific control to reduce your risk. To calculate it, you need to know what your ALE is after implementing the control. In my case, we will assume that my ALE after the control is $0. My anti-virus software is that effective, because I keep it updated regularly. I have Norton 360, which I paid $175 for three years of protection. Therefore, my annual cost of safeguard (ACS) is about $58. The CBA is the precontrol ALE minus the postcontrol ALE minus the ACS. Plugging in the numbers, we have $52,000 - $0 - $58, which equals $51,942. What does all of this mean?

Again, speaking in layman's terms, the $58 per year investment in Norton 360 saved me $51,942 annually. Over the course of three years, that $175 investment saved me $155,826. When you look at it that way, that $175 price tag seems pretty cheap, doesn't it? We sometimes look at the high cost of something to protect our valuable assets as too expensive. However, when you step back and look at the long-term, you can definitely see the benefit of paying such a small cost up front. In this case, considering the worst case scenario of a nasty virus outbreak, I have saved thousands of dollars for an investment of less than $200. Amazing when you look at it that way, right?
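To make the arithmetic above repeatable, here is an added Python example (my own, not part of the original post) that carries the post's figures through SLE, ARO, ALE, ACS and CBA and then applies the same decision rule to a second, purely hypothetical free scanner that lets a quarter of the damaging viruses through; the Control class, the residual_fraction field and the free-scanner numbers are my assumptions.

```python
from dataclasses import dataclass

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor (fraction of the asset lost per incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor

def annualized_rate_of_occurrence(damaging_incidents_per_week):
    """ARO = expected damaging incidents per year (52 weeks)."""
    return damaging_incidents_per_week * 52

def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: expected loss per year."""
    return sle * aro

def annual_cost_of_safeguard(total_cost, years):
    """ACS = purchase price spread over its term, rounded to whole dollars as in the post."""
    return round(total_cost / years)

def cost_benefit_analysis(ale_prior, ale_post, acs):
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    return ale_prior - ale_post - acs

@dataclass
class Control:                 # assumed helper type, not from the post
    name: str
    total_cost: float          # price paid up front
    years: float               # term the price covers
    residual_fraction: float   # share of damaging incidents the control does NOT stop

def evaluate_control(control, sle, aro_prior):
    """Return ALE before and after the control, its ACS and the resulting CBA."""
    ale_prior = annualized_loss_expectancy(sle, aro_prior)
    ale_post = annualized_loss_expectancy(sle, aro_prior * control.residual_fraction)
    acs = annual_cost_of_safeguard(control.total_cost, control.years)
    return {"control": control.name, "ale_prior": ale_prior, "ale_post": ale_post,
            "acs": acs, "cba": cost_benefit_analysis(ale_prior, ale_post, acs)}

# Figures from the post: $500 at risk, total loss per incident, two damaging
# viruses a week, Norton 360 at $175 for three years assumed to stop everything.
SLE = single_loss_expectancy(500, 1.0)
ARO = annualized_rate_of_occurrence(2)
NORTON = Control("Norton 360", 175, 3, 0.0)
# Constructed comparison: a hypothetical free scanner that lets a quarter through.
FREE_SCANNER = Control("hypothetical free scanner", 0, 1, 0.25)

def best_control(controls, sle=SLE, aro=ARO):
    """Pick the control with the highest CBA, the rule the post applies informally."""
    return max((evaluate_control(c, sle, aro) for c in controls), key=lambda r: r["cba"])
```

Running evaluate_control(NORTON, SLE, ARO) reproduces the post's $52,000 ALE and $51,942 CBA, and best_control shows that the free scanner, despite costing nothing, loses on CBA because of the loss it still lets through.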
