You are a member of a problem-solving group that is concerned with incidents involving losses to their information system (IS). Let us assume that IS loss events can be grouped into two types: low severity IS loss (LS) and high severity IS loss (HS). Your group is focused on preventing HS incidents, and you are trying to decide whether you should spend the money to install a protection system designed to reduce the likelihood of high severity IS losses; the protection system involves an elaborate system for backing up current systems, and the detailed specifics are not important for this analysis. The group has never had an HS IS loss, but a group member was able to access a national incident database, which indicates that, from a population of 1,000 academic institutions, there were a total of 10 HS IS losses reported over the last 10 years. The database shows that only 2 of the 10 HS losses occurred in academic institutions with a protection system; the remaining 8 had no protection system. After some discussion, the group decided that the risk of an HS loss is probably similar to that of the institutions that reported into the national incident database.
Assume that the annual cost of a protection system is $20,000 in total and the average loss from a high severity IS loss is $2 million per incident. Assume that expected cost is your evaluation performance measure.
Q: Despite the above information that I’ve provided, in order to do a proper cost/benefit analysis, you still need information on the % of academic institutions which have protection. Please perform a threshold analysis on this parameter and, for each side of the threshold value, indicate your preferred action (i.e., spend the $ on protection or not).
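One way to carry out the threshold analysis, as an added example that is not part of the original problem statement. It assumes each institution's protection status was fixed over the 10 years, that loss rates are per institution-year, and that protection changes only the likelihood of an HS loss, not its size; the function names are hypothetical.

```python
# Figures taken from the problem statement.
POPULATION = 1000            # academic institutions in the database
YEARS = 10                   # observation window
LOSSES_PROTECTED = 2         # HS losses at institutions with protection
LOSSES_UNPROTECTED = 8       # HS losses at institutions without protection
PROTECTION_COST = 20_000     # annual cost of the protection system ($)
LOSS_PER_INCIDENT = 2_000_000  # average HS loss ($)


def expected_costs(p):
    """Expected annual cost (with, without) protection, where p is the
    fraction of institutions that have protection, 0 < p < 1."""
    # Assumption: annual rate = observed losses / exposed institution-years.
    rate_with = LOSSES_PROTECTED / (POPULATION * YEARS * p)
    rate_without = LOSSES_UNPROTECTED / (POPULATION * YEARS * (1 - p))
    cost_with = PROTECTION_COST + rate_with * LOSS_PER_INCIDENT
    cost_without = rate_without * LOSS_PER_INCIDENT
    return cost_with, cost_without


def preferred_action(p):
    """Pick the action with the lower expected annual cost."""
    cost_with, cost_without = expected_costs(p)
    return "protect" if cost_with < cost_without else "do not protect"


def threshold():
    """Break-even p, found by bisection. The cost difference falls
    monotonically in p, so there is exactly one crossing in (0, 1)."""
    lo, hi = 1e-6, 1 - 1e-6
    for _ in range(100):
        mid = (lo + hi) / 2
        cost_with, cost_without = expected_costs(mid)
        if cost_with > cost_without:
            lo = mid   # protection still more expensive: threshold is higher
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    p_star = threshold()
    print(f"break-even share of protected institutions: {p_star:.4f}")
    for p in (0.25, 0.50, 0.90, 0.95):
        cw, cn = expected_costs(p)
        print(f"p={p:.2f}  with=${cw:,.0f}  without=${cn:,.0f}  -> {preferred_action(p)}")
```

Under these assumptions the break-even share is about 92%: if more than that share of institutions already have protection, spending on protection has the lower expected cost; below it, not spending does.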