2.1 Summary of asset categories
The following table provides a summary of the total replacement costs for each of the asset categories considered in the analysis.
Asset Category Replacement Cost Percentage of Total
Accounts Receivable $50,000. 20.8%
Applications $50,000. 20.8%
Communications Hardware $50,000. 20.8%
Communications Software $25,000. 10.4%
Hardware $25,000. 10.4%
Office Equipment $12,500. 5.2%
Documentation $10,000. 4.2%
Databases $7,500. 3.1%
System Software $7,500. 3.1%
Personnel $2,000. 0.8%
Accounts Payable $1,337. 0.6%
Utilities $0. 0.0%
FIGURE 4
This information is presented below as a barchart.
Dollars
FIGURE 5
The percentage of the total replacement cost for each category is indicated in the following diagram.
Asset Summary Report 2
FIGURE 6
Vulnerability Report VULNERABILITY AREA REPORT
OVERALL COMPLIANCE:
Non-Compliance
(98.6%)
VULNERABILITY AREA: Access Control
Non-Compliance
(94.7%)
VULNERABILITY AREA: Accountability
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Administration
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Data Integrity
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Disclosure
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Documentation
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Evaluation
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Policy
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Privacy Act
There is 100% non-compliance in this area of vulnerability.
VULNERABILITY AREA: Reliability
Vulnerability Report 2
There is 100% non-compliance in this area of vulnerability.
2.2 Assets within category
Assets are identified, by category, by commonly used name; associated with each individual asset there is other related information. Depending on the asset category, other data is also provided for each asset. This will include the level of sensitivity for data, the quantity of a duplicated hardware item, etc.. When the information is available, an indication is included about the basic attribute(s) of each assets that states whether the asset is
critical (in the sense that the mission of the enterprise depends on the correct and timely functioning of this asset), or
financial (with respect to the need to control modification), or sensitive (with respect to disclosure), or supportive (non of the above).
The definition of each asset category is also provided
The monetary values assigned represent the estimated replacement or purchase cost of the asset, not its current value. For example, the recruitment cost, the training cost, and the staff salaries and benefits were used to determine personnel costs. For leased equipment, replacement cost of obtaining a new lease is used since the organization is responsible for obtaining a replacement resource.
The value of sensitive resources could be greater than the replacement value to account for the loss of future opportunity and the extent of exposure that agencies have resulting from the disclosure of data subject to the Privacy Act; awards of $1,000 to $5,000 per individual record have been assessed by the courts based on the sanctions included in the Privacy Act of 1974.
The sections below deal, in turn, with each of the asset categories included in the analysis.
2.2.1 Accounts Payable
Asset Replacement Cost Percentage of Total
RTG $1,337. 100.0%
Figure 7.1
This information about replacement costs is presented below as a barchart.
RTG 
1 2 3 4 5 6 7 8 9 10 11 12 13 (x 100)
Dollars
Figure 8.1
2.2.2 Accounts Receivable
Asset Replacement Cost Percentage of Total
321 $50,000. 100.0%
Figure 7.2
This information about replacement costs is presented below as a barchart.
321 
5 10 15 20 25 30 35 40 45 50 (x 1,000)
Dollars
Figure 8.2
2.2.3 Applications
Asset Replacement Cost Percentage of Total 345 $50,000. 100.0%
2
Figure 7.3
This information about replacement costs is presented below as a barchart.
345 
5 10 15 20 25 30 35 40 45 50 (x 1,000)
Dollars
Figure 8.3
2.2.4 Communications Hardware
Asset Replacement Cost Percentage of Total
$50,000. 100.0%
Figure 7.4
This information about replacement costs is presented below as a barchart.
5 10 15 20 25 30 35 40 45 50 (x 1,000)
Dollars
Figure 8.4
2.2.5 Communications Software
Asset Replacement Cost Percentage of Total
EWQ $25,000. 100.0%
Figure 7.5
This information about replacement costs is presented below as a barchart.
EWQ 
25 50 75 100 125 150 175 200 225 250 (x 100)
Dollars
Figure 8.5
2.2.6 Databases
Asset Replacement Cost Percentage of Total
456 $7,500. 100.0%
Figure 7.6
This information about replacement costs is presented below as a barchart.
3
456 
1 2 3 4 5 6 7 (x 1,000)
Dollars
Figure 8.6
2.2.7 Documentation
Asset Replacement Cost Percentage of Total
OI $10,000. 100.0%
Figure 7.7
This information about replacement costs is presented below as a barchart.
OI 
1 2 3 4 5 6 7 8 9 10 (x 1,000)
Dollars
Figure 8.7
2.2.8 Hardware
Asset Replacement Cost Percentage of Total
HARD $25,000. 100.0%
Figure 7.8
This information about replacement costs is presented below as a barchart.
HARD 
25 50 75 100 125 150 175 200 225 250 (x 100)
Dollars
Figure 8.8
2.2.9 Office Equipment
Asset Replacement Cost Percentage of Total
QWE $7,500. 60.0%
QWE $5,000. 40.0%
Figure 7.9
This information about replacement costs is presented below as a barchart.
4
Dollars
Figure 8.9
The percentage of the total replacement cost for this category that is contributed by each asset is indicated in the following diagram.
Figure 9.9
2.2.10 Personnel
Asset Replacement Cost Percentage of Total
PERS $2,000. 100.0%
Figure 7.10
This information about replacement costs is presented below as a barchart.
PERS 
25 50 75 100 125 150 175 200 (x 10)
Dollars
Figure 8.10
2.2.11 System Software
Asset Replacement Cost Percentage of Total
HELPMEPLEASE $7,500. 100.0%
Figure 7.11
This information about replacement costs is presented below as a barchart.
5
ELPMEPLEASE 
1 2 3 4 5 6 7 (x 1,000)
Dollars
Figure 8.11
2.2.12 Utilities
Asset Replacement Cost Percentage of Total
42 $0. 0.0%
42 $0. 0.0%
Figure 7.12
3.2 INCIDENTS INVOLVING EACH THREAT
Each Incident is defined as triple of the form <threat, loss category, asset category>. By doing things this way it is possible to separate the various forms of loss that a given threat may cause to the enterprise as the result of acting on the same asset category.
The sections below look at each threat and indicate the various incidents that were associated with it in the analysis. For each incident, a table is presented (FIGURES 13.1, 13.2, ...) indicating its SLE and ALE (where the ALE is generated by multiplying the SLE for the incident by the AFE of the threat). The overall ALE for a threat is the sum of the ALEs for each of the associated incidents. This is shown as the total of the third column. The percentage of this total represented by the ALE for each incident is indicated in the fourth column.
Also shown for each threat is a barchart that provides a visual presentation of the relative magnitudes of the ALE for each incident. These are shown as FIGURES 14.1, 14.2, ....
Piecharts are then also provided that indicate the percentage of each threat ALE that is accounted for by each incident that is used in its calculation.
3.2.1 Blackmail - AFE: 0.05
The various incident classes associated with this threat are shown in the following table:
Incident Class SLE ALE % of total ALE
Direct Loss, Personnel $20. $1. 0.0%
Figure 13.1
Direct,
Personnel 
2 4 6 8 10 12 14 16 18 20
Dollars
Figure 16.1 Blackmail - SLE's
3.2.2 Budget Loss - AFE: 0.50
The various incident classes associated with this threat are shown in the following table:
Incident Class SLE ALE % of total ALE
Disclosure, Databases $25,000. $12,500. 100.0%
Figure 13.2
Disclosure,
Databases 
1 2 3 4 5 6 7 8 9 10 11 12 (x 1,000)
Dollars
Figure 14.2 Budget Loss - ALE's
Disclosure,
Databases 
25 50 75 100 125 150 175 200 225 250 (x 100)
Dollars
Figure 16.2 Budget Loss - SLE's
3.2.3 Cold/Frost/Snow - AFE: 5.00
The various incident classes associated with this threat are shown in the following table:
Incident Class SLE ALE % of total ALE
Disclosure, Databases $12,500. $62,500. 100.0%
Figure 13.3
Disclosure,
Databases 
5 10 15 20 25 30 35 40 45 50 55 60 (x 1,000)
Dollars
Figure 14.3 Cold/Frost/Snow - ALE's
Disclosure,
Databases 
1 2 3 4 5 6 7 8 9 10 11 12 (x 1,000)
Dollars
Figure 16.3 Cold/Frost/Snow - SLE's
3.2.4 Data Destruction - AFE: 20.00
The various incident classes associated with this threat are shown in the following table:
Incident Class SLE ALE % of total ALE
Disclosure, Databases $250,000. $5,000,000. 98.9%
Direct Loss, Databases $2,751. $55,027. 1.1%
Figure 13.4
Disclosure,
Databases 
5 10 15 20 25 30 35 40 45 50 (x 100,000)
Dollars
Direct,
Databases 
5 10 15 20 25 30 35 40 45 50 55 (x 1,000)
Dollars
Figure 14.4 Data Destruction - ALE's
Direct, Databases (1.1%)
Disclosure, Databases (98.9%)
Figure 15.4 Data Destruction - ALE's
Disclosure,
Databases 
25 50 75 100 125 150 175 200 225 250 (x 1,000)
Dollars
Direct,
Databases 
25 50 75 100 125 150 175 200 225 250 275 (x 10)
Dollars
Figure 16.4 Data Destruction - SLE's
3.2.5 Data Disclosure - AFE: 3.00
The various incident classes associated with this threat are shown in the following table:
Incident Class SLE ALE % of total ALE
Disclosure, Databases $1,938. $5,813. 100.0%
Figure 13.5
Disclosure,
Databases 
5 10 15 20 25 30 35 40 45 50 55 (x 100)
Dollars
Figure 14.5 Data Disclosure - ALE's
Disclosure,
Databases 
25 50 75 100 125 150 175 (x 10)
Dollars
Figure 16.5 Data Disclosure - SLE's
3.2.6 Data Integrity Loss - AFE: 3.00
The various incident classes associated with this threat are shown in the following table:
Incident Class SLE ALE % of total ALE
Direct Loss, Accounts Receivable $5,526. $16,576. 27.8%
Direct Loss, Applications $5,507. $16,523. 27.7%
Disclosure, Personnel $4,500. $13,500. 22.7%
Direct Loss, Communications Software $2,723. $8,171. 13.7%
Direct Loss, System Software $817. $2,451. 4.1%
Direct Loss, Databases $640. $1,921. 3.2%
Direct Loss, Accounts Payable $147. $443. 0.7% Disclosure, Databases $0. $0. 0.0%
Figure 13.6
Dollars
Direct,
Accts Pay 
5 10 15 20 25 30 35 40 (x 10)
Dollars
Figure 14.6 Data Integrity Loss - ALE's
Direct, Accts Rec (27.8%)
Direct, Applicatns (27.7%) 4 Others (8.1%)
Direct, Comms S/W (13.7%)
Disclosure, Personnel (22.7%)
Figure
15.6 Data Integrity Loss - ALE's
Dollars
Figure 16.6 Data Integrity Loss - SLE's
3.2.7 Flooding/Water Damage - AFE: 0.01
The various incident classes associated with this threat are shown in the following table:
Incident Class SLE ALE % of total ALE
Direct Loss, Communications Hardware $10,001. $100. 93.5%
Direct Loss, Office Equipment $625. $6. 5.8% Disclosure, Databases $250. $3. 2.3%
Figure
13.7
Direct, Comms H/W
1 2 3 4 5 6 7 8 9 10 (x 10)
Dollars
Dollars
Figure 14.7 Flooding/Water Damage - ALE's
Disclosure, Databases (2.8%)
Direct, Off Equip (5.5%)
Direct, Comms H/W (91.7%)
Figure 15.7 Flooding/Water Damage - ALE's
Direct,
Comms H/W 
1 2 3 4 5 6 7 8 9 10 (x 1,000)
Dollars
Dollars
Figure 16.7 Flooding/Water Damage - SLE's
3.2.8 Hardware Failure - AFE: 70.00
The various incident classes associated with this threat are shown in the following table:
Incident Class SLE ALE % of total ALE
Direct Loss, Hardware $375,000. $26,250,000. 100.0%
Disclosure, Databases $0. $0. 0.0%
Figure 13.8
Direct,
Hardware 
25 50 75 100 125 150 175 200 225 250 (x 100,000)
Dollars
Figure 14.8 Hardware Failure - ALE's
Direct,
Hardware 
5 10 15 20 25 30 35 (x 10,000)
Dollars
Figure 16.8 Hardware Failure - SLE's
3.2.9 Pirating Key Personnel - AFE: 1.00
The various incident classes associated with this threat are shown in the following table:
There are no incidents associated with this threat.
The section below looks at each safeguard and indicates, for each threat, the ALE before and after the safeguard is implemented. The overall ALE for a threat is the sum of the ALEs for each of the associated incidents. The percentage by which the ALE is reduced by the safeguard is also indicated.
The next section contains a table indicating, for each safeguard, the ALE before (Original ALE) and after the safeguard is implemented.
Safeguard: Physical Access Control
Threat Original ALE |
|
ALE with Safeguard |
|
Percentage Drop |
|
|||
Data Destruction |
$5,055,028. |
$5,035,861. |
0.38% |
|||||
Data Disclosure |
$5,813. |
$4,915. |
15.45% |
|||||
Data Integrity Loss |
$59,584. |
$43,827. |
26.45% |
|||||
Safeguard: Application Controls
Threat
Original ALE
ALE with Safeguard
Percentage Drop
Data Destruction $5,055,028. $4,549,525. 10.00%
Safeguard: Classification Markings
Threat Original ALE |
|
ALE with Safeguard |
|
Percentage Drop |
Data Disclosure $5,813. $3,459. 40.50%
Data Destruction |
$5,055,028. $2,527,514. |
50.00% |
Data Disclosure |
$5,813. $2,861. |
50.78% |
Data Integrity Loss
Safeguard: Detection System |
$59,584. $44,688. |
25.00% |
Threat |
Original ALE ALE with Safeguard |
Percentage Drop |
Data Destruction |
$5,055,028. $5,047,361. |
0.15% |
Data Disclosure |
$5,813. $5,372. |
7.59% |
Data Integrity Loss |
$59,584. $53,251. |
10.63% |
Safeguard: Contract Specifications
|
|
|||||||||
|
Safeguard: Life Cycle Management
Threat Original ALE |
|
ALE with Safeguard |
|
Percentage Drop |
Data Integrity Loss $59,584. $59,238. 0.58%
Data Disclosure
Safeguard: Personnel Clearances |
$5,813. $5,740. |
1.26% |
Threat |
Original ALE ALE with Safeguard |
Percentage Drop |
Data Destruction |
$5,055,028. $5,050,854. |
0.08% |
Data Disclosure |
$5,813. $4,337. |
25.39% |
Data Integrity Loss |
$59,584. $56,505. |
5.17% |
Safeguard: Passwords/Authenticaion
Threat Original ALE |
|
ALE with Safeguard |
|
Percentage Drop |
Safeguard: Personnel Control
ALE with Safeguard |
|
Percentage Drop |
ALE with Safeguard |
|
Percentage Drop |
Threat |
Original ALE |
Data Disclosure |
$5,813. |
Data Integrity Loss
Safeguard: Quality Assurance |
$59,584. |
Threat |
Original ALE |
Data Integrity Loss
Safeguard: Risk Analysis |
$59,584. |
Threat |
Original ALE |
ALE with Safeguard |
|
Percentage Drop |
$59,563. 0.04%
$53,627. 10.00%
Data Destruction $5,055,028. $5,049,525. 0.11%
Data Disclosure |
$5,813. |
$5,232. |
9.99% |
Data Integrity Loss |
$59,584. |
$54,977. |
7.73% |
Safeguard: Security Policy
Threat Original ALE |
|
ALE with Safeguard |
|
Percentage Drop |
|
|||
Data Destruction |
$5,055,028. |
$4,796,256. |
5.12% |
|||||
Data Disclosure |
$5,813. |
$4,703. |
19.10% |
|||||
Data Integrity Loss |
$59,584. |
$52,058. |
12.63% |
|||||
The following is a table indicating, for each safeguard, the ALE before (Original ALE) and after the safeguard is implemented (ALE with Safeguard). This table also indicates the difference between the two ALE values.
Also shown is a barchart that provides a visual presentation of the difference in ALE for each safeguard.
Safeguard Original ALE |
|
ALE with Safeguard |
|
Difference |
|
|||
Physical Access Control |
$31,445,536. |
$31,409,712. |
$35,824. |
|||||
Application Controls |
$31,445,536. |
$30,940,033. |
$505,503. |
|||||
Classification Markings |
$31,445,536. |
$31,443,182. |
$2,354. |
|||||
Contract Specifications |
$31,445,536. |
$31,445,536. |
$0. |
|||||
Data Encryption |
$31,445,536. |
$28,900,174. |
$2,545,362. |
|||||
Detection System |
$31,445,536. |
$31,431,094. |
$14,442. |
|||||
Life Cycle Management |
$31,445,536. |
$31,445,189. |
$347. |
|||||
Passwords/Authenticaion |
$31,445,536. |
$31,445,463. |
$73. |
|||||
Personnel Clearances |
$31,445,536. |
$31,436,806. |
$8,730. |
|||||
Personnel Control |
$31,445,536. |
$31,445,451. |
$85. |
|||||
Quality Assurance |
$31,445,536. |
$31,439,578. |
$5,958. |
|||||
Risk Analysis |
$31,445,536. |
$31,434,844. |
$10,692. |
|||||
Security Policy |
$31,445,536. |
$31,178,127. |
$267,409. |
|||||
Dollars
Dollars
Instructions for preparing Final Reports.
In Phase 4, there are many different reports that can be generated. To facilitate the assembly of these smaller specialized reports into a single "Final Report" for submission to management, provision is made to attach the name of each selected report file (each is a .WRI file) to a list that is made available to the analyst at the end of the reporting phase, Phase 4.
A couple of points must be kept in mind when the final report is assembled; it is assumed that a word processor will be used to prepare the Final Report and the following are tasks and ideas that are within the purview of most word processors:
On the parameter screen in Phase 1, you indicated that the sensitivity level of the system being analyzed is 1. Because reports that deal with a system must bear markings that indicated that the report is of a similar level of sensitivity, you are warned that the word processor used in the assembly process must also be used to indicate, as both Headers and
Footers, this level of sensitivity on EVERY page;
There is no provision in the RiskWatch system for the title page or pages that come before paragraphs, sections, or diagrams. The analyst wishing these must provide them himself using the facilities of the word processor employed;
The ordering of sections is left to the discretion of the analyst - some people prefer to have the Executive Summary as the very first section, even preceding the Table of Contents, while others may wish to have their Table of Contents immediately following the Cover page;
Because of the strong possibility that different enterprises will opt to assemble different pieces (sub-reports) into their respective Final Reports, the Table of Contents for the Final Report is left to the analyst, using the power of a modern word processor.
In the text provided by RiskWatch as part of the reports that embody the results of the analysis and the initial data, there are several sections that are enclosed in triple square brackets (that is, [[[ and ]]] ). All text that is between these braces is given SOLELY as a guide to suggested text to surround the numbers that form the basis of the reports. The text serves no other purpose. Please replace this text with other text that is more appropriate to your enterprise.
Reommendations 1