Full Threat Report |
2 |
3.2.3 Cold/Frost/Snow - AFE: 5.00
The various incident classes associated with this threat are shown in the following table:
Incident Class | SLE | ALE | % of total ALE
Disclosure, Databases | $12,500. | $62,500. | 100.0%
Figure 13.3
[Bar chart, Dollars: Disclosure, Databases 62,500]
Figure 14.3 Cold/Frost/Snow - ALE's
[Bar chart, Dollars: Disclosure, Databases 12,500]
Figure 16.3 Cold/Frost/Snow - SLE's
3.2.4 Data Destruction - AFE: 20.00
The various incident classes associated with this threat are shown in the following table:
Incident Class | SLE | ALE | % of total ALE
Disclosure, Databases | $250,000. | $5,000,000. | 98.9%
Direct Loss, Databases | $2,751. | $55,027. | 1.1%
Figure 13.4
[Bar chart, Dollars: Disclosure, Databases 5,000,000; Direct, Databases 55,027]
Figure 14.4 Data Destruction - ALE's
[Pie chart: Disclosure, Databases (98.9%); Direct, Databases (1.1%)]
Figure 15.4 Data Destruction - ALE's
[Bar chart, Dollars: Disclosure, Databases 250,000; Direct, Databases 2,751]
Figure 16.4 Data Destruction - SLE's
3.2.5 Data Disclosure - AFE: 3.00
The various incident classes associated with this threat are shown in the following table:
Incident Class | SLE | ALE | % of total ALE
Disclosure, Databases | $1,938. | $5,813. | 100.0%
Figure 13.5
[Bar chart, Dollars: Disclosure, Databases 5,813]
Figure 14.5 Data Disclosure - ALE's
[Bar chart, Dollars: Disclosure, Databases 1,938]
Figure 16.5 Data Disclosure - SLE's
3.2.6 Data Integrity Loss - AFE: 3.00
The various incident classes associated with this threat are shown in the following table:
Incident Class | SLE | ALE | % of total ALE
Direct Loss, Accounts Receivable | $5,526. | $16,576. | 27.8%
Direct Loss, Applications | $5,507. | $16,523. | 27.7%
Disclosure, Personnel | $4,500. | $13,500. | 22.7%
Direct Loss, Communications Software | $2,723. | $8,171. | 13.7%
Direct Loss, System Software | $817. | $2,451. | 4.1%
Direct Loss, Databases | $640. | $1,921. | 3.2%
Direct Loss, Accounts Payable | $147. | $443. | 0.7%
Disclosure, Databases | $0. | $0. | 0.0%
Figure 13.6
[Bar chart, Dollars: Direct, Accts Rec 16,576; Direct, Applicatns 16,523; Disclosure, Personnel 13,500; Direct, Comms S/W 8,171; Direct, System S/W 2,451; Direct, Databases 1,921; Direct, Accts Pay 443]
Figure 14.6 Data Integrity Loss - ALE's
[Pie chart: Direct, Accts Rec (27.8%); Direct, Applicatns (27.7%); Disclosure, Personnel (22.7%); Direct, Comms S/W (13.7%); 4 Others (8.1%)]
Figure 15.6 Data Integrity Loss - ALE's
[Bar chart, Dollars: Direct, Accts Rec 5,526; Direct, Applicatns 5,507; Disclosure, Personnel 4,500; Direct, Comms S/W 2,723; Direct, System S/W 817; Direct, Databases 640; Direct, Accts Pay 147]
Figure 16.6 Data Integrity Loss - SLE's
3.2.7 Flooding/Water Damage - AFE: 0.01
The various incident classes associated with this threat are shown in the following table:
Incident Class | SLE | ALE | % of total ALE
Direct Loss, Communications Hardware | $10,001. | $100. | 93.5%
Direct Loss, Office Equipment | $625. | $6. | 5.8%
Disclosure, Databases | $250. | $3. | 2.3%
Figure 13.7
[Bar chart, Dollars: Direct, Comms H/W 100]
[Bar chart, Dollars: Direct, Off Equip 6; Disclosure, Databases 3]
Figure 14.7 Flooding/Water Damage - ALE's
[Pie chart: Direct, Comms H/W (91.7%); Direct, Off Equip (5.5%); Disclosure, Databases (2.8%)]
Figure 15.7 Flooding/Water Damage - ALE's
[Bar chart, Dollars: Direct, Comms H/W 10,001; Direct, Off Equip 625; Disclosure, Databases 250]
Figure 16.7 Flooding/Water Damage - SLE's
3.2.8 Hardware Failure - AFE: 70.00
The various incident classes associated with this threat are shown in the following table:
Incident Class | SLE | ALE | % of total ALE
Direct Loss, Hardware | $375,000. | $26,250,000. | 100.0%
Disclosure, Databases | $0. | $0. | 0.0%
Figure 13.8
[Bar chart, Dollars: Direct, Hardware 26,250,000]
Figure 14.8 Hardware Failure - ALE's
[Bar chart, Dollars: Direct, Hardware 375,000]
Figure 16.8 Hardware Failure - SLE's
3.2.9 Pirating Key Personnel - AFE: 1.00
The various incident classes associated with this threat are shown in the following table:
There are no incidents associated with this threat.
Safeguard vs Threat Report |
1 |
The section below looks at each safeguard and indicates, for each threat, the ALE before and after the safeguard is implemented. The overall ALE for a threat is the sum of the ALEs for each of the associated incidents. The percentage by which the ALE is reduced by the safeguard is also indicated.
The next section contains a table indicating, for each safeguard, the ALE before (Original ALE) and after the safeguard is implemented.
Safeguard: Physical Access Control
Threat | Original ALE | ALE with Safeguard | Percentage Drop
Data Destruction | $5,055,028. | $5,035,861. | 0.38%
Data Disclosure | $5,813. | $4,915. | 15.45%
Data Integrity Loss | $59,584. | $43,827. | 26.45%

Safeguard: Application Controls
Threat | Original ALE | ALE with Safeguard | Percentage Drop
Data Destruction | $5,055,028. | $4,549,525. | 10.00%

Safeguard: Classification Markings
Threat | Original ALE | ALE with Safeguard | Percentage Drop
Data Disclosure | $5,813. | $3,459. | 40.50%

Safeguard: Contract Specifications
Threat | Original ALE | ALE with Safeguard | Percentage Drop

Safeguard: Data Encryption
Threat | Original ALE | ALE with Safeguard | Percentage Drop
Data Destruction | $5,055,028. | $2,527,514. | 50.00%
Data Disclosure | $5,813. | $2,861. | 50.78%
Data Integrity Loss | $59,584. | $44,688. | 25.00%

Safeguard: Detection System
Threat | Original ALE | ALE with Safeguard | Percentage Drop
Data Destruction | $5,055,028. | $5,047,361. | 0.15%
Data Disclosure | $5,813. | $5,372. | 7.59%
Data Integrity Loss | $59,584. | $53,251. | 10.63%

Safeguard: Life Cycle Management
Threat | Original ALE | ALE with Safeguard | Percentage Drop
Data Integrity Loss | $59,584. | $59,238. | 0.58%

Safeguard: Passwords/Authentication
Threat | Original ALE | ALE with Safeguard | Percentage Drop
Data Disclosure | $5,813. | $5,740. | 1.26%

Safeguard: Personnel Clearances
Threat | Original ALE | ALE with Safeguard | Percentage Drop
Data Destruction | $5,055,028. | $5,050,854. | 0.08%
Data Disclosure | $5,813. | $4,337. | 25.39%
Data Integrity Loss | $59,584. | $56,505. | 5.17%

Safeguard: Personnel Control
Threat | Original ALE | ALE with Safeguard | Percentage Drop
Data Disclosure | $5,813. | $5,749. | 1.10%
Data Integrity Loss | $59,584. | $59,563. | 0.04%

Safeguard: Quality Assurance
Threat | Original ALE | ALE with Safeguard | Percentage Drop
Data Integrity Loss | $59,584. | $53,627. | 10.00%

Safeguard: Risk Analysis
Threat | Original ALE | ALE with Safeguard | Percentage Drop
Data Destruction | $5,055,028. | $5,049,525. | 0.11%
Data Disclosure | $5,813. | $5,232. | 9.99%
Data Integrity Loss | $59,584. | $54,977. | 7.73%

Safeguard: Security Policy
Threat | Original ALE | ALE with Safeguard | Percentage Drop
Data Destruction | $5,055,028. | $4,796,256. | 5.12%
Data Disclosure | $5,813. | $4,703. | 19.10%
Data Integrity Loss | $59,584. | $52,058. | 12.63%
The following is a table indicating, for each safeguard, the ALE before (Original ALE) and after the safeguard is implemented (ALE with Safeguard). This table also indicates the difference between the two ALE values.
Also shown is a bar chart that provides a visual presentation of the difference in ALE for each safeguard.
Safeguard | Original ALE | ALE with Safeguard | Difference
Physical Access Control | $31,445,536. | $31,409,712. | $35,824.
Application Controls | $31,445,536. | $30,940,033. | $505,503.
Classification Markings | $31,445,536. | $31,443,182. | $2,354.
Contract Specifications | $31,445,536. | $31,445,536. | $0.
Data Encryption | $31,445,536. | $28,900,174. | $2,545,362.
Detection System | $31,445,536. | $31,431,094. | $14,442.
Life Cycle Management | $31,445,536. | $31,445,189. | $347.
Passwords/Authentication | $31,445,536. | $31,445,463. | $73.
Personnel Clearances | $31,445,536. | $31,436,806. | $8,730.
Personnel Control | $31,445,536. | $31,445,451. | $85.
Quality Assurance | $31,445,536. | $31,439,578. | $5,958.
Risk Analysis | $31,445,536. | $31,434,844. | $10,692.
Security Policy | $31,445,536. | $31,178,127. | $267,409.
[Bar chart, Dollars, difference in ALE per safeguard: Data Encryption 2,545,362; Application Controls 505,503; Security Policy 267,409; Physical Access Control 35,824; Detection System 14,442; Risk Analysis 10,692; Personnel Clearances 8,730; Quality Assurance 5,958; Classification Markings 2,354]
[Bar chart, Dollars, difference in ALE per safeguard: Life Cycle Management 347; Personnel Control 85; Passwords/Authentication 73]
Instructions for preparing Final Reports.
In Phase 4, there are many different reports that can be generated. To facilitate the assembly of these smaller specialized reports into a single "Final Report" for submission to management, provision is made to attach the name of each selected report file (each is a .WRI file) to a list that is made available to the analyst at the end of the reporting phase, Phase 4.
A couple of points must be kept in mind when the final report is assembled; it is assumed that a word processor will be used to prepare the Final Report and the following are tasks and ideas that are within the purview of most word processors:
1. On the parameter screen in Phase 1, you indicated that the sensitivity level of the system being analyzed is 1. Because reports that deal with a system must bear markings that indicate that the report is of a similar level of sensitivity, you are warned that the word processor used in the assembly process must also be used to indicate, as both Headers and Footers, this level of sensitivity on EVERY page;
2. There is no provision in the RiskWatch system for the title page or pages that come before paragraphs, sections, or diagrams. The analyst wishing these must provide them himself using the facilities of the word processor employed;
3. The ordering of sections is left to the discretion of the analyst - some people prefer to have the Executive Summary as the very first section, even preceding the Table of Contents, while others may wish to have their Table of Contents immediately following the Cover page;
4. Because of the strong possibility that different enterprises will opt to assemble different pieces (sub-reports) into their respective Final Reports, the Table of Contents for the Final Report is left to the analyst, using the power of a modern word processor.
5. In the text provided by RiskWatch as part of the reports that embody the results of the analysis and the initial data, there are several sections that are enclosed in triple square brackets (that is, [[[ and ]]] ). All text that is between these brackets is given SOLELY as a guide to suggested text to surround the numbers that form the basis of the reports. The text serves no other purpose. Please replace this text with other text that is more appropriate to your enterprise.
