CIS 401 – Cyber Risk Management

Homework Assignment #05

Your assignment: Answer Problem 6 in chapter 5 (Controls for Information Security) of the text.

Part A – Use the following facts to assess the time-based model of security for ABC Company.

How well does the existing system protect ABC? Assume that the best, average, and worst case estimates are independent for each component of the model.

• Estimated time that existing controls will protect the system from attack: 15 minutes (worst case), 20 minutes (average case), and 25 minutes (best case)
• Estimated time to detect that an attack is happening: 5 minutes (best case), 8 minutes (average case), and 10 minutes (worst case)
• Estimated time to respond to an attack once it has been detected: 6 minutes (best case), 14 minutes (average case), and 20 minutes (worst case)

Part B – ABC Company is considering investing up to an additional $100,000 to improve its security. Given the following possibilities, which single investment (select an Option below) would you recommend? Which combination of investments (select two (2) Options below) would you recommend? Explain your answer.

Option 1: An investment of $75,000 would change the estimates for protection time to 19 minutes (worst case), 23 minutes (average case), and 30 minutes (best case).
Option 2: An investment of $75,000 would change the estimates for detection time to 2 minutes (best case), 4 minutes (average case), and 7 minutes (worst case).
Option 3: An investment of $75,000 would change the estimates for response time to 3 minutes (best case), 6 minutes (average case), and 10 minutes (worst case).
Option 4: An investment of $25,000 would change the estimates for protection time to 17 minutes (worst case), 22 minutes (average case), and 28 minutes (best case).
Option 5: An investment of $25,000 would change the estimates for detection time to 4 minutes (best case), 7 minutes (average case), and 9 minutes (worst case).
Option 6: An investment of $25,000 would change the estimates for response time to 4 minutes (best case), 9 minutes (average case), and 12 minutes (worst case).

Utilize the attached section titled Hints for Solving this Assignment in this document to support your answers.

Deliverable: Submit your answers with supporting materials to justify your recommendations.

IMPORTANT: To get full credit, you need to create formulas to fill in the cells using the methodology provided in the Hints for Solving this Assignment section of this document.

Assignment Submission

1. Create a Word document and provide your Name, ASURITE #, Course Number & Title, and Class Section # at the top of the page, left justified.
2. Complete the assignment as outlined above.
3. Create one (1) PDF document from the Word document using the file name format: CIS401_HW05_yourlastname_firstinitial.pdf
4. Submit the PDF document on Canvas

See Canvas for the Due Date & Time.

Hints for Solving this Assignment

You need to consider all the possibilities simultaneously for each scenario. One way to do so is to create a matrix that holds one of the variables constant and then shows the outcome for all combinations of the other two variables.

Example: let’s hold P constant at the best case scenario (P = 25). Now let’s create a matrix of all the possible combinations of D and R (best, average, and worst cases):

                      D=5 (best case)   D=8 (average case)   D=10 (worst case)
R=6 (best case)
R=14 (average case)
R=20 (worst case)

Then fill in the cells by plugging the values into the time-based model formula. For example, given that P = 25 (best case), if both D and R are also the best cases, then the formula is:

25 > 5 + 6? ... And the answer is YES.

We could rearrange the formula to calculate the score, as follows:

P > D + R  →  P – (D + R), with positive scores being good and negative scores bad. Thus, in our example, we have 25 – (5 + 6) = 14, which is a positive score, so that combination is good.

If we did that for all combinations, we would get the following:

Scores for P = 25 (best case for P)

                      D=5 (best case)   D=8 (average case)   D=10 (worst case)
R=6 (best case)       14                11                   9
R=14 (average case)   6                 3                    1
R=20 (worst case)     0                 -3                   -5

We could even color code the cells to show good (green), neutral (yellow) and bad (red):

Scores for P = 25 (best case for P)

                      D=5 (best case)   D=8 (average case)   D=10 (worst case)
R=6 (best case)       14                11                   9
R=14 (average case)   6                 3                    1
R=20 (worst case)     0                 -3                   -5

You will need to repeat this for the average and worst case scenarios of P. Then look at the patterns to make a general conclusion about:

• When (under what conditions) the ABC Company can consider itself secure
• If you have probability estimates for the best, average, and worst cases, you can even calculate a more precise answer
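
The matrix method and the probability-weighted idea from the last bullet, as an added Python example that is not part of the original assignment: it scores every combination with P – (D + R) using the Part A estimates and weights each combination by its probability. The case probabilities (0.25, 0.5, 0.25), their reuse for all three components, and all function names are assumptions made for illustration.

```python
from itertools import product

# Part A estimates from the assignment, in minutes, ordered (best, average, worst).
P = (25, 20, 15)   # protection time
D = (5, 8, 10)     # detection time
R = (6, 14, 20)    # response time

def score(p, d, r):
    """Time-based model score P - (D + R); positive means P > D + R holds."""
    return p - (d + r)

def score_matrix(p, d_values=D, r_values=R):
    """Rows follow the R cases and columns the D cases, as in the hint's table."""
    return [[score(p, d, r) for d in d_values] for r in r_values]

def probability_secure(weights, p_values=P, d_values=D, r_values=R):
    """Chance that P > D + R when the components are independent.

    weights gives the probability of the (best, average, worst) case and is
    applied to every component; that shared weighting is an assumption here.
    """
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("case probabilities must sum to 1")
    total = 0.0
    cases = product(zip(weights, p_values), zip(weights, d_values),
                    zip(weights, r_values))
    for (wp, p), (wd, d), (wr, r) in cases:
        if score(p, d, r) > 0:          # a score of 0 is not counted as secure
            total += wp * wd * wr
    return total

def format_matrix(p):
    """Render one score matrix as text with short row and column labels."""
    lines = [f"Scores for P = {p}", "        " + "".join(f"D={d:<6}" for d in D)]
    for r, row in zip(R, score_matrix(p)):
        lines.append(f"R={r:<6}" + "".join(f"{s:<8}" for s in row))
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_matrix(25))
    # Constructed probabilities for (best, average, worst); not from the assignment.
    print(probability_secure((0.25, 0.5, 0.25)))
```

Passing different d_values, r_values, or p_values lets the same functions score a changed set of estimates.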