Use the following scenario to answer questions 6–8:
Your company sells Apple iPhones online and has suffered many denial of service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks.
- What is the Annual Rate of Occurrence in the above scenario?
A. $20,000
B. 40%
C. 7
D. $10,000
Correct Answer and Explanation: C. Answer C is correct; the Annual Rate of Occurrence is the number of attacks in a year.
Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are incorrect. $20,000 is the Asset value (AV). Forty percent is the Exposure Factor (EF). $10,000 is the monthly cost of the DoS service (used to calculate TCO).
- What is the annualized loss expectancy (ALE) of lost iPhone sales due to the DoS attacks?
A. $20,000
B. $8000
C. $84,000
D. $56,000
Correct Answer and Explanation: D. Answer D is correct; Annualized Loss Expectancy (ALE) is calculated by first calculating the Single Loss Expectancy (SLE), which is the Asset Value (AV, $20,000) times the Exposure Factor (EF, 40%). The SLE is $8000; multiply by the Annual Rate of Occurrence (ARO, 7) for an ALE of $56,000.
Incorrect Answers and Explanations: A, B, and C. Answers A, B, and C are incorrect. $20,000 is the Asset Value. $8000 is the Single Loss Expectancy.
- Is the DoS mitigation service a good investment?
A. Yes, it will pay for itself
B. Yes, $10,000 is less than the $56,000 Annualized Loss Expectancy
C. No, the annual Total Cost of Ownership is higher than the Annualized Loss Expectancy
D. No, the annual Total Cost of Ownership is lower than the Annualized Loss Expectancy
Correct Answer and Explanation: C. Answer C is correct; the Total Cost of Ownership (TCO) of the DoS mitigation service is higher than Annualized Loss Expectancy (ALE) of lost sales due to DoS attacks. This means it’s less expensive to accept the risk of DoS attacks (or find a less expensive mitigation strategy).
Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are incorrect. A is incorrect: the TCO is higher, not lower. For B, $10,000 is the monthly cost, not the annual TCO; you must calculate yearly TCO to compare with the ALE. D is wrong: the annual TCO is higher, not lower.
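The three scenario questions above walk through one quantitative risk calculation by hand. The following Python example is added here to make that chain explicit (it is not from the study guide): it computes SLE, ALE and annual TCO from the scenario values, decides whether the control is worth buying, and also reports the break-even monthly price, which is the figure a practitioner would actually take into a vendor negotiation. The `residual_fraction` parameter is an assumption added for generality (the book's scenario assumes the service fully mitigates the attacks, so it defaults to 0.0); the scenario numbers themselves are the ones from the questions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """Inputs of a quantitative risk analysis for one threat."""
    asset_value: float      # AV: value exposed per incident (here: weekly profit)
    exposure_factor: float  # EF: fraction of AV lost per incident, 0.0 .. 1.0
    aro: float              # ARO: expected number of incidents per year

    def single_loss_expectancy(self) -> float:
        # SLE = AV * EF: cost of one incident
        return self.asset_value * self.exposure_factor

    def annualized_loss_expectancy(self) -> float:
        # ALE = SLE * ARO: expected cost per year if the risk is simply accepted
        return self.single_loss_expectancy() * self.aro


def annual_tco(monthly_cost: float, one_time_cost: float = 0.0) -> float:
    """Yearly Total Cost of Ownership of a control.

    Monthly subscription fees must be annualized before they are compared
    with ALE, which is the mistake behind answer B in the scenario.
    """
    return monthly_cost * 12 + one_time_cost


def evaluate_control(scenario: RiskScenario, monthly_cost: float,
                     one_time_cost: float = 0.0,
                     residual_fraction: float = 0.0) -> dict:
    """Compare a control's annual TCO against the loss it avoids.

    residual_fraction (assumed parameter, not from the book) is the share of
    the ALE that remains even with the control in place; 0.0 means the control
    is believed to fully mitigate the threat, as the scenario states.
    """
    if not 0.0 <= residual_fraction <= 1.0:
        raise ValueError("residual_fraction must be between 0.0 and 1.0")
    ale = scenario.annualized_loss_expectancy()
    avoided_loss = ale * (1.0 - residual_fraction)
    tco = annual_tco(monthly_cost, one_time_cost)
    net_benefit = avoided_loss - tco
    return {
        "sle": scenario.single_loss_expectancy(),
        "ale": ale,
        "annual_tco": tco,
        "avoided_loss": avoided_loss,
        "net_benefit": net_benefit,          # positive means the control pays for itself
        "worthwhile": net_benefit > 0,
        # Highest monthly subscription price at which the control just breaks even
        # (ignoring any one-time cost).
        "break_even_monthly_cost": avoided_loss / 12,
    }


# Values from the scenario in the questions above (constructed exam figures).
IPHONE_DOS = RiskScenario(asset_value=20_000, exposure_factor=0.40, aro=7)
DOS_SERVICE_MONTHLY_COST = 10_000


def scenario_result() -> dict:
    return evaluate_control(IPHONE_DOS, DOS_SERVICE_MONTHLY_COST)


if __name__ == "__main__":
    for key, value in scenario_result().items():
        print(f"{key:>24}: {value:,.2f}" if isinstance(value, float) else f"{key:>24}: {value}")
```

Running the module prints an SLE of $8,000, an ALE of $56,000 and an annual TCO of $120,000, so the control is not worthwhile (net benefit of -$64,000); the break-even figure shows the subscription would have to cost under roughly $4,667 per month before accepting the risk stops being the cheaper option.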
- Which of the following steps would be taken while conducting a Qualitative Risk Analysis?
A. Calculate the Asset Value
B. Calculate the Return on Investment
C. Complete the Risk Analysis Matrix
D. Complete the Annualized Loss Expectancy
Correct Answer and Explanation: C. Answer C is correct; the Risk Analysis Matrix uses approximate values, from 1 through 5, to qualitatively analyze risks according to likelihood and consequences.
Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are incorrect. All are quantitative Risk Analysis steps.
- What is the difference between a standard and a guideline?
A. Standards are compulsory and guidelines are mandatory
B. Standards are recommendations and guidelines are requirements
C. Standards are requirements and guidelines are recommendations
D. Standards are recommendations and guidelines are optional
Correct Answer and Explanation: C. Answer C is correct; standards are requirements (mandatory) and guidelines are recommendations.
Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are incorrect. For A, guidelines are recommendations (compulsory and mandatory are synonyms). Answer B has the recommendations and requirements flipped. For D, standards are mandatory, not recommendations.