Given the following scenario, conduct a qualitative risk assessment on the situation and provide the answers to the following questions
Scenario: You are the CIO of a small Internet Service Provider. Your provide connections to customers consisting of the following 40 full T-1s, 20 sub-rate DS-3s and 8 full DS-3s. You're connection to the Internet from this location is through an OC-192 uplink to a larger provider. All of your traffic traverses the OC-192 to the larger provider. A backhoe working in the local area of your network operations center has just cut the OC-192 connection cutting off your Washington D.C. customers from the Internet. Your Service Level Agreement (SLA) with your customers requires you to provide credit to your customer's accounts on a 1 to 1 basis (i.e. 1 day of credit for every day of an outage) if an outage lasts more than 6 hours. The outage is expected to last 48 hours. The following table provides you with information regarding your income stream from your Washington, D.C. connections as well as other relevant information.
Asset Value
T-1 Connections $10/day
Sub-rate DS-3 Connections $17.50/day
DS-3 Connections $25/day
OC-192 Connection $250/day
a. Calculate the asset value of your Washington, D.C. connections based on revenue only.
b. If the exposure factor (EF) is .005, what is the single loss expectancy (SLE)?
c. If the annual risk of occurrence (ARO) is 0.25 (once in 4 years) what is the annual loss of expectancy (ALE)?
d. The control for this threat is to place signs nears the OC-192 connection to warn construction crews of the connection's existence. The cost for this control is $500. This will reduce the ARO to 0.1 (once in 10 years). Calculate the ALE after the controls.
e. If the annual cost of the control is $50 (permitting fee for the signs) calculate the Return on Security Investment (ROSI). (hint: ROSI is calculated by dividing your reduction in risk exposure due to the control divided by the cost of the countermeasures).
f. Calculate the risk leverage