ID: 3195740 • Letter: O

Question

Over the last year, Acme has been the target of numerous phishing attempts and has asked you to analyze the risks associated with their current email system, FreeMail. They currently employ 50 people and on average each employee receives approximately 5 phishing emails per month. The current system does not filter emails and an employee is tricked into clicking on the link and providing their credentials about 20% of the time. Each time an attacker compromises an employee's credentials they potentially gain access to Acme's network and proprietary information. It is estimated, however, that an attacker only successfully gains access to the data about 1% of the time. Acme has estimated the value of their proprietary widget data at $10,000,000 and estimated that the loss of the data would cost about $1,000,000 for each instance. They are considering two possible countermeasures. Countermeasure A is an email filtering tool (annual cost: $500,000) which would reduce the average number of phishing emails each employee would receive by 60%. Countermeasure B is a training program (annual cost: $10,000) that would teach employees to better recognize phishing emails and reduce the frequency that employees click on an email to 10%.

Determine the Annualized Loss Expectancy for each risk factor (before any countermeasures are applied as well as adjusted with each countermeasure) and determine which countermeasure is the preferred option.

Explanation / Answer

Before any countermeasures are applied:

Total number of phishing emails received per year: 50*5*12 = 3000

Open frequency = 20% => 0.2*3000 = 600 mails are opened and credentials entered

The success rate of the hacker = 1% => 0.01*600 = 6 successful accesses gained by the hacker.

=> 6*1,000,000 = 6,000,000 loss

=> Annual Loss Expectancy = $ 6,000,000

If countermeasure A is applied:

If emails received are reduced by 60% => they receive 5*(1-0.6) = 2 mails per month per employee

Total number of phishing emails received per year: 50*2*12 = 1200

Open frequency = 20% => 0.2*1200 = 240 mails are opened and credentials entered

The success rate of the hacker = 1% => 0.01*240 = 2.4 successful accesses gained by the hacker.

=> 2.4*1,000,000 = 2,400,000 loss

=> Annual Loss Expectancy = $ 2,400,000 [by hacker], also the tool costs $ 500,000

=> Overall cost to company = $ 2,900,000

If countermeasure B is applied:

Total number of phishing emails received per year: 50*5*12 = 3000

Open frequency = 10% [after the training program] => 0.1*3000 = 300 mails are opened and credentials entered

The success rate of the hacker = 1% => 0.01*300 = 3 successful accesses gained by the hacker.

=> 3*1,000,000 = 3,000,000 loss

=> Annual Loss Expectancy = $ 3,000,000 [by hacker], also training costs $ 10,000

=> Overall cost to company = $ 3,010,000

So the preferred option is countermeasure A.
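The same ALE chain (emails per year x click rate x breach rate x single loss expectancy), written as a small risk model so the figures above can be recomputed and other controls compared on residual ALE plus control cost. This is an added example, not part of the original answer; the option names and the `PhishingRisk` class are my own, and the figures are the ones stated in the question. The `__main__` block also goes beyond the question by costing both controls deployed together, which the question did not ask for.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class PhishingRisk:
    """Chain of factors behind one successful data breach via phishing."""
    employees: int
    emails_per_employee_month: float
    click_rate: float    # share of phishing emails where credentials are entered
    breach_rate: float   # share of stolen credentials that reach proprietary data
    sle: float           # single loss expectancy per breach, in dollars

    def annual_emails(self) -> float:
        return self.employees * self.emails_per_employee_month * 12

    def aro(self) -> float:
        """Annualized rate of occurrence: expected breaches per year."""
        return self.annual_emails() * self.click_rate * self.breach_rate

    def ale(self) -> float:
        """Annualized loss expectancy = ARO * SLE."""
        return self.aro() * self.sle


# Figures from the question (Acme, FreeMail, no filtering).
BASELINE = PhishingRisk(employees=50, emails_per_employee_month=5,
                        click_rate=0.20, breach_rate=0.01, sle=1_000_000)

# Each option: (how it changes the risk model, annual cost of the control).
Adjust = Callable[[PhishingRisk], PhishingRisk]
COUNTERMEASURES: Dict[str, Tuple[Adjust, float]] = {
    "A filtering": (lambda r: replace(
        r, emails_per_employee_month=r.emails_per_employee_month * (1 - 0.60)), 500_000),
    "B training": (lambda r: replace(r, click_rate=0.10), 10_000),
}


def compare(base: PhishingRisk, options=COUNTERMEASURES) -> Dict[str, Dict[str, float]]:
    """Per option: residual ALE, control cost, total annual cost and net benefit."""
    rows = {"none": {"ale": base.ale(), "cost": 0.0, "total": base.ale(), "net_benefit": 0.0}}
    for name, (adjust, cost) in options.items():
        ale = adjust(base).ale()
        rows[name] = {"ale": ale, "cost": cost, "total": ale + cost,
                      "net_benefit": base.ale() - ale - cost}
    return rows


def preferred(rows: Dict[str, Dict[str, float]]) -> str:
    """Option with the lowest total annual cost (residual ALE + control cost)."""
    return min(rows, key=lambda k: rows[k]["total"])


if __name__ == "__main__":
    # Extension beyond the question: both controls applied at once.
    both = {**COUNTERMEASURES, "A+B": (
        lambda r: COUNTERMEASURES["B training"][0](COUNTERMEASURES["A filtering"][0](r)), 510_000)}
    for name, r in compare(BASELINE, both).items():
        print(f"{name:12} ALE=${r['ale']:>12,.0f} cost=${r['cost']:>10,.0f} total=${r['total']:>12,.0f}")
    print("preferred among A and B:", preferred(compare(BASELINE)))
```

Note that B has by far the better return per dollar spent (net benefit $2,990,000 on a $10,000 outlay), so the ranking depends on whether the decision criterion is lowest total annual cost, as in the answer above, or best return on the control budget.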
