Invitation to Cybersecurity

INVITATION TO CYBERSECURITY 110

data, they determine that a DDoS attack happens to similar-scale websites on average once every four years. This means the ARO is .25.

ARO = .25

With these inputs, based on their assumptions, they can calculate the ALE and quantify the risk in dollars of a DDoS attack against their web server.

ALE = $20,000 x .25 = $5,000

In this scenario, the ALE is $5,000, meaning they can expect to lose $5,000 per year due to the risk of DDoS attacks on their ecommerce web server. This is an annual cybersecurity cost they are absorbing.

Next, the organization evaluates potential controls, or safeguards, for DDoS attacks. Their ISP advertises DDoS protection services for $3,000 per year. Should they purchase this service? At first glance, it appears they should, because the DDoS risk costs them an average of $5,000 per year but they can get the safeguard for $3,000 per year, so overall they would be saving $2,000 per year. This analysis is flawed, however, because it assumes that the safeguard lowers the risk to zero. This is not a valid assumption. The DDoS protection service does not completely eliminate the risk of the website going offline due to a DDoS attack—it only reduces the EF. Therefore, the organization needs to calculate the ALE with the safeguard in place.

With the DDoS protection service in place, it is expected that a DDoS attack will take their website offline for one day a year, reducing it from one week per year. This means the EF is now 1/365 which, with a little rounding, is .2%.

EF_POST = .002

None of the other factors have changed, so the SLE_POST and ALE_POST can be calculated.

SLE_POST = $1,000,000 x .002 = $2,000
ALE_POST = $2,000 x .25 = $500

With this information compiled, the organization can determine the return on investment (ROI) for the safeguard. The ROI is the net savings that result from an investment. If the ROI is positive, then it makes financial sense to adopt the safeguard.

ROI = ALE_PRE - ALE_POST - Annualized Safeguard Costs

The annualized safeguard costs (ASC) are the cost of a safeguard over the course of a year. Some safeguards have productivity and other costs in addition to out-of-pocket monetary costs. The ASC must include the cost to install and maintain the safeguard, plus other operational costs. For example, is it possible that the DDoS protection could occasionally block legitimate customers? If so, then that would need to be added to the
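The SLE, ALE and ROI formulas above, carried through on the DDoS scenario's figures, as an added worked example (this code is not from the textbook). It takes the asset value ($1,000,000), ARO (.25), EF_POST (.002) and the $3,000 safeguard cost from the text; the pre-safeguard EF of .02 is inferred from the text's SLE of $20,000, and the function names are this example's own. It also computes the "naive savings" figure the text calls flawed, next to the correct ROI, so the two can be compared.

```python
# Added worked example (not the textbook's code): quantitative risk formulas
# from the DDoS scenario. Inputs are the book's rounded figures; the pre-safeguard
# EF of .02 is inferred from SLE = $20,000 and AV = $1,000,000.

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: dollars lost each time the threat is realised."""
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year from this threat."""
    return round(sle * aro, 2)


def exposure_factor_from_downtime(days_offline: float, days_per_year: int = 365) -> float:
    """EF for an availability loss: the fraction of the year the asset is unusable.
    Returns the unrounded ratio; the textbook rounds 7/365 to .02 for its arithmetic."""
    return days_offline / days_per_year


def safeguard_roi(ale_pre: float, ale_post: float, annualized_safeguard_cost: float) -> float:
    """ROI = ALE_PRE - ALE_POST - ASC. Positive means the safeguard pays for itself."""
    return round(ale_pre - ale_post - annualized_safeguard_cost, 2)


def naive_savings(ale_pre: float, annualized_safeguard_cost: float) -> float:
    """The flawed comparison the text warns about: ALE_PRE minus the safeguard cost,
    which silently assumes the safeguard drives the residual risk (ALE_POST) to zero."""
    return round(ale_pre - annualized_safeguard_cost, 2)


def ddos_case_study() -> dict:
    """Reproduce the scenario's numbers and the resulting adopt/reject decision."""
    asset_value = 1_000_000.0   # AV, from the text's SLE_POST calculation
    aro = 0.25                  # one attack every four years
    ef_pre = 0.02               # one week offline per year, rounded as the text does
    ef_post = 0.002             # one day offline per year with the ISP service (text)
    asc = 3_000.0               # ISP DDoS protection, per year (text)

    sle_pre = single_loss_expectancy(asset_value, ef_pre)
    ale_pre = annualized_loss_expectancy(sle_pre, aro)
    sle_post = single_loss_expectancy(asset_value, ef_post)
    ale_post = annualized_loss_expectancy(sle_post, aro)
    roi = safeguard_roi(ale_pre, ale_post, asc)

    return {
        "sle_pre": sle_pre,                          # $20,000
        "ale_pre": ale_pre,                          # $5,000
        "sle_post": sle_post,                        # $2,000
        "ale_post": ale_post,                        # $500
        "naive_savings": naive_savings(ale_pre, asc),  # $2,000, the flawed figure
        "roi": roi,                                  # $1,500, the correct figure
        "adopt": roi > 0,
    }


if __name__ == "__main__":
    for name, value in ddos_case_study().items():
        print(f"{name:>14}: {value}")
```

The gap between `naive_savings` and `roi` is exactly the residual ALE_POST of $500 that the safeguard does not remove. Note that `exposure_factor_from_downtime` returns the unrounded ratio (7/365 is about .019); in a real assessment, keep the unrounded value and round only the final dollar figures, and remember that ASC must also carry any productivity or false-positive costs the text mentions, which this example leaves at the ISP's list price.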
