Story problem

mackiespi (New member; joined Jun 20, 2019; 3 messages)
Here is the question: What is the ALE for phishing emails for the company, in pounds; e.g. 203,760?

Here is the scenario: Phishing is of major concern to an organisation, so they have begun to monitor how big a risk it is posing. On average, 80 phishing emails are sent to everyone in the company per day. The company email filters stop 99.8% of these getting through. Of the emails that do get through, 30% of employees click on the link. Out of those employees, 2% expose their company login details to the phishing website. For every set of company login details that are exposed to the hackers, the company has found that it costs them £225. The company has 7,000 employees.

ALE = SLE x ARO
annual loss expectancy = single loss expectancy x annual rate of occurrence

SLE = AV x EF
single loss expectancy = asset value x exposure factor

ARO is the probability that something will happen per year; ARO in the example above is 0.5 floods per year. The single loss expectancy (SLE) is the cost of a single loss and is broken down further into two parts: the Asset Value (AV) and the Exposure Factor (EF):

I'm stuck on the exposure factor and annual rate of occurrence.
 
Here are the data, and my interpretation:
  • 80 phishing emails are sent to everyone in the company per day. (80*7000 = 560000 actual emails received)
  • The company email filters stop 99.8% of these getting through. (0.2% of 560000 = 1120 per day get through)
  • Of the emails that do get through, 30% of employees click on the link. (30% of 1120 = 336 are clicked)
  • Out of those employees, 2% expose their company login details to the phishing website. (2% of 336 = 6.72 exposures/day: DRO?)
  • For every set of company login details that are exposed to the hackers, the company has found that it costs them £225. (SLE?)
  • The company has 7,000 employees. (Used above)
What I called DRO is the daily rate of occurrence. What would the annual rate of occurrence be? (This depends on how many "days" you think there are in a year.)

You didn't define exposure factor; my sense is that the SLE is just given to you, as indicated above, so AV and EF have already been taken into account. (Frankly, I think the number doesn't make sense. One login could open up the whole company to disaster at once, couldn't it?)

Don't trust anything I've said here; check both my numbers and the proper definitions!
 
Exposure factor is a little confusing. For the example provided to me:

EF = 80% as a decimal rating = 0.8 (this is the percentage of laptops destroyed per hurricane)

Thanks for the hints. I'll work on this in a little bit and let you know if it worked (if you're interested).
 
I could imagine that EF here might be some or all of the 2nd, 3rd, and 4th items on the list; or as I suggested it might be hidden inside the calculation of the £225 (i.e. the percentage of the "asset value" that would be lost to one successful hacking). In my mind, it doesn't matter where you make the split between "exposure" and "event".
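A worked version of the chain the replies walk through, added here as an example and not something posted in the thread. It follows the reply's reading that the £225 is the SLE (AV x EF already folded in) and that the daily exposure count is the rate, and it leaves the number of days per year as a parameter since the thread does not settle that. The `ale_reduction` what-if (a lower click rate after awareness training) is my own assumption, not from the thread.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PhishingScenario:
    """Inputs from the thread's scenario; all rates are fractions, not percents."""
    employees: int
    emails_per_employee_per_day: float
    filter_block_rate: float        # share of phishing mail the filter stops
    click_rate: float               # share of delivered mail whose recipient clicks
    credential_entry_rate: float    # share of clickers who submit their login
    cost_per_exposure: float        # SLE in pounds; AV x EF is already folded in


def exposures_per_day(s: PhishingScenario) -> float:
    """The reply's 'DRO': credential exposures per day across the company."""
    delivered = s.employees * s.emails_per_employee_per_day * (1 - s.filter_block_rate)
    return delivered * s.click_rate * s.credential_entry_rate


def annual_loss_expectancy(s: PhishingScenario, days_per_year: int = 365) -> float:
    """ALE = SLE x ARO, with ARO = exposures per day x days per year."""
    aro = exposures_per_day(s) * days_per_year
    return s.cost_per_exposure * aro


def ale_by_year_length(s: PhishingScenario, day_counts=(365, 260, 250)) -> dict:
    """How much the answer moves depending on what counts as a 'day' in a year."""
    return {d: annual_loss_expectancy(s, d) for d in day_counts}


def ale_reduction(s: PhishingScenario, days_per_year: int = 365, **changes) -> float:
    """ALE avoided if a control changes one or more rates (constructed what-if)."""
    return annual_loss_expectancy(s, days_per_year) - annual_loss_expectancy(
        replace(s, **changes), days_per_year)


# Values as given in the thread's scenario.
THREAD_SCENARIO = PhishingScenario(
    employees=7_000, emails_per_employee_per_day=80, filter_block_rate=0.998,
    click_rate=0.30, credential_entry_rate=0.02, cost_per_exposure=225.0)

if __name__ == "__main__":
    print(f"exposures/day: {exposures_per_day(THREAD_SCENARIO):.2f}")
    for days, ale in ale_by_year_length(THREAD_SCENARIO).items():
        print(f"{days} days/year: ALE = £{ale:,.0f}")
    # Assumed control: awareness training halves the click rate.
    print(f"ALE avoided: £{ale_reduction(THREAD_SCENARIO, click_rate=0.15):,.0f}")
```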
 