1. Summary of asset categories

The following table provides a summary of the total replacement costs for each of the asset categories considered in the analysis.

Asset Category	Replacement Cost	Percentage of Total
Accounts Receivable	$50,000.	20.8%
Applications	$50,000.	20.8%
Communications Hardware	$50,000.	20.8%
Communications Software	$25,000.	10.4%
Hardware	$25,000.	10.4%
Office Equipment	$12,500.	5.2%
Documentation	$10,000.	4.2%
Databases	$7,500.	3.1%
System Software	$7,500.	3.1%
Personnel	$2,000.	0.8%
Accounts Payable	$1,337.	0.6%
Utilities FIGURE 4	$0.	0.0%

This information is presented below as a barchart.

Acct s Rec Applicatns Comms H/W Comms S/W Hardware Off Equip Document'n Databases System S/W

Personnel Acct s Pay

5 10 15 20 25 30 35 40 45 50 (x1 ,000)

Dollars

FIGURE 5

The percentage of the total replacement cost for each category is indicated in the following diagram.

Acct s Rec (20.8%)

6 Others (11.8%)

Off Equip (5.2%)

Hardware (10.4%)

Applicatns (20.8%) _{Comms S/W (10.4%)}

Comms H/W (20.8%

FIGURE 6

VULNERABILITY AREA REPORT OVERALL COMPLIANCE:

Compliance (1.4%)

Non-Compliance (98.6%)

VULNERABILITY AREA: Access Control

Compliance (5.3%)

Non-Compliance (94.7%)

VULNERABILITY AREA: Accountability

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Administration

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Data Integrity

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Disclosure

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Documentation

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Evaluation

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Policy

There is 100% non-compliance in this area of vulnerability.

VULNERABILITY AREA: Privacy Act

There is 100% non-compliance in this area of vulnerability. VULNERABILITY AREA: Reliability

There is 100% non-compliance in this area of vulnerability.

2. Assets within category

Assets are identified, by category, by commonly used name; associated with each individual asset there is other related information. Depending on the asset category, other data is also provided for each asset. This will include the level of sensitivity for data, the quantity of a duplicated hardware item, etc.. When the information is available, an indication is included about the basic attribute(s) of each assets that states whether the asset is

critical (in the sense that the mission of the enterprise depends on the correct and timely functioning of this asset), or

financial (with respect to the need to control modification), or sensitive (with respect to disclosure), or

supportive (non of the above).

The definition of each asset category is also provided

The monetary values assigned represent the estimated replacement or purchase cost of the asset, not its current value. For example, the recruitment cost, the training cost, and the staff salaries and benefits were used to determine personnel costs. For leased equipment, replacement cost of obtaining a new lease is used since the organization is responsible for obtaining a replacement resource.

The value of sensitive resources could be greater than the replacement value to account for the loss of future opportunity and the extent of exposure that agencies have resulting from the disclosure of data subject to the Privacy Act; awards of $1,000 to $5,000 per individual record have been assessed by the courts based on the sanctions included in the Privacy Act of 1974.

The sections below deal, in turn, with each of the asset categories included in the analysis.

1. Accounts Payable

Asset Replacement Cost Percentage of Total RTG $1,337. 100.0%

Figure 7.1

This information about replacement costs is presented below as a barchart.

RTG

1 2 3 4 5 6 7 8 9 10 11 12 13 (x 100 )

Dollars

Figure 8.1

2. Accounts Receivable

Asset Replacement Cost Percentage of Total 321 $50,000. 100.0%

Figure 7.2

This information about replacement costs is presented below as a barchart.

321

5 10 15 20 25 30 35 40 45 50 (x 1,000)

Dollars

Figure 8.2

2.2.3 Applications

Asset Replacement Cost Percentage of Total 345 $50,000. 100.0%

Figure 7.3

This information about replacement costs is presented below as a barchart.

345

5 10 15 20 25 30 35 40 45 50 (x 1,000)

Dollars

Figure 8.3

4. Communications Hardware

Asset Replacement Cost Percentage of Total

$50,000. 100.0%

Figure 7.4

This information about replacement costs is presented below as a barchart.

5 10 15 20 25 30 35 40 45 50 (x1 ,000)

Dollars

Figure 8.4

4. Communications Software

Asset Replacement Cost Percentage of Total EWQ $25,000. 100.0%

Figure 7.5

This information about replacement costs is presented below as a barchart.

EWQ

25 50 75 100 125 150 175 200 225 250 (x 100)

Dollars

Figure 8.5

4. Databases

Asset Replacement Cost Percentage of Total 456 $7,500. 100.0%

Figure 7.6

This information about replacement costs is presented below as a barchart.

456

1 2 3 4 5 6 7 (x 1,000 )

Dollars

Figure 8.6

7. Documentation

Asset Replacement Cost Percentage of Total OI $10,000. 100.0%

Figure 7.7

This information about replacement costs is presented below as a barchart.

OI

1 2 3 4 5 6 7 8 9 10 (x1 ,000)

Dollars

Figure 8.7

7. Hardware

Asset Replacement Cost Percentage of Total HARD $25,000. 100.0%

Figure 7.8

This information about replacement costs is presented below as a barchart.

HARD

25 50 75 100 125 150 175 200 225 250 (x 100)

Dollars

Figure 8.8

7. Office Equipment

Asset Replacement Cost Percentage of Total QWE $7,500. 60.0%

QWE $5,000. 40.0%

Figure 7.9

This information about replacement costs is presented below as a barchart.

QWE QWE

1 2 3 4 5 6 7 (x 1,000 )

Dollars

Figure 8.9

The percentage of the total replacement cost for this category that is contributed by each asset is indicated in the following diagram.

QWE (40.0%)

QWE (60.0%)

Figure 9.9

7. Personnel

Asset	Replacement Cost	Percentage of Total
PERS	$2,000.	100.0%

Figure 7.10

This information about replacement costs is presented below as a barchart.

PERS

25 50 75 100 125 150 175 200 (x 10 )

Dollars

Figure 8.10

7. System Software

Asset Replacement Cost Percentage of Total HELPMEPLEASE $7,500. 100.0%

Figure 7.11

This information about replacement costs is presented below as a barchart.

LPMEPLEASE

1 2 3 4 5 6 7 (x 1 ,000 )

Dollars

Figure 8.11

7. Utilities

Asset Replacement Cost Percentage of Total 42 $0. 0.0%

42 $0. 0.0%

Figure 7.12

3.2 INCIDENTS INVOLVING EACH THREAT

Each Incident is defined as triple of the form <threat, loss category, asset category>. By doing things this way it is possible to separate the various forms of loss that a given threat may cause to the enterprise as the result of acting on the same asset category.

The sections below look at each threat and indicate the various incidents that were associated with it in the analysis. For each incident, a table is presented (FIGURES 13.1, 13.2, ...) indicating its SLE and ALE (where the ALE is generated by multiplying the SLE for the incident by the AFE of the threat). The overall ALE for a threat is the sum of the ALEs for each of the associated incidents. This is shown as the total of the third column. The percentage of this total represented by the ALE for each incident is indicated in the fourth column.

Also shown for each threat is a barchart that provides a visual presentation of the relative magnitudes of the ALE for each incident. These are shown as FIGURES 14.1, 14.2, ....

Piecharts are then also provided that indicate the percentage of each threat ALE that is accounted for by each incident that is used in its calculation.

1. Blackmail - AFE: 0.05

The various incident classes associated with this threat are shown in the following table:

Incident Class	SLE ALE	% of total ALE
Direct Loss, Personnel Figure 13.1	$20. $1.	0.0%