CISSP Quantitative Risk Analysis
Scenario Question
I read a joke the other day that went something like this:
Did you hear that there was a huge fire in the Yugo assembly plant? Over 80% of the building was destroyed. Insurance adjusters estimate the damages at $800.
This of course brings to mind a quantitative risk analysis. Remember, there are two main types of risk analysis – Qualitative and Quantitative. A qualitative risk analysis creates a scenario and attempts to rank the seriousness of threats against the sensitivity of the asset. Quantitative risk analysis attempts to assign a specific cost to a threat.
Perhaps an exam-type scenario question is in order:
There was a fire at a factory and 80% of the building was destroyed. The damage to the building was $800. Fire statistics reveal that the Yugo factory has had a similar fire an average of once every five years. Use this information to answer the following questions:
1. Given that the cost of the damages to the building was $800, what is the total asset value of the Yugo Factory?
a. $800
b. $1600
c. $500
d. $1000
2. Senior management decides to spend $1200 installing a fire prevention system in the newly repaired factory. This system requires a $100 per year maintenance contract that extends the warranty of the fire prevention system to 15 years assuming the maintenance is performed annually. The warranty covers the cost of all repairs including parts and labor. Would you advise management for or against buying this system?
a. Yes, buy the system; it will save the company $300 over the next 15 years.
b. No, do not buy the system; it will cost the company $300 over the next 15 years.
c. No, do not buy the system. Management should never spend more money preventing fires than the factory is worth.
d. Yes, buy the system; it will save the company $100 over the next 15 years.
3. What is the Annual Rate of Occurrence (ARO) of fires at the Yugo factory?
a. 2
b. .2
c. 5
d. .5
Answers:
1. D. $1000.
The formula for computing Single Loss Expectancy (SLE) is Asset Value (AV) x Exposure Factor (EF). In this scenario the SLE = $800 and the EF = 80%, or .8. This gives the formula $800 = AV x .8. Solving for AV, we get AV = $800 / .8, which gives us $1000 for the Asset Value. We can check this result by multiplying $1000 by .8, which comes to $800.
2. B. No, do not buy the system; it will cost the company $300 over the next 15 years.
Assuming one fire every five years, and $800 of loss for each fire, we come up with three fires in 15 years for a total of $2400 in loss ($800 x 3 fires). The fire prevention system has an initial cost of $1200 and an additional $1500 in maintenance over the next 15 years ($100 per year x 15 years). The total cost of the system would be $2700.
$2400 – $2700 = -$300, so we would be losing $300.
3. B. .2
Statistics show us one fire every five years, or two fires every ten years. 2/10=.2, so the ARO is .2.
In this scenario we are assuming no loss of life and are not concerned with company reputation. In the real world the answers might be slightly different, especially for question number two, as those two factors would likely swing the balance of the equation in the other direction. The scenario did not mention people, data, or reputation, so please do not add things into this question or the exam questions that you are not presented with.
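The three answers can also be reproduced with the standard Annualized Loss Expectancy relation, ALE = SLE x ARO, which the answers above use implicitly when counting fires. The Python sketch below is an added example, not part of the original post; the `Safeguard` class, the function names and the `residual_aro` parameter (left at 0, on the assumption that the system prevents all fire loss, as the answer to question 2 implies) are assumptions introduced here.

```python
from dataclasses import dataclass

@dataclass
class Safeguard:
    purchase_cost: float       # one-time cost
    annual_cost: float         # maintenance per year
    lifetime_years: int        # evaluation period
    residual_aro: float = 0.0  # assumption: event rate left after the safeguard

    def total_cost(self) -> float:
        return self.purchase_cost + self.annual_cost * self.lifetime_years

def asset_value(sle: float, ef: float) -> float:
    """Rearrange SLE = AV x EF to recover the asset value."""
    if not 0 < ef <= 1:
        raise ValueError("exposure factor must be in (0, 1]")
    return sle / ef

def aro_from_interval(years_between_events: float) -> float:
    """One event every N years gives an ARO of 1/N."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1 / years_between_events

def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle * aro

def net_value(sle: float, aro: float, sg: Safeguard) -> float:
    """Loss avoided over the lifetime minus safeguard cost; negative is a net loss."""
    avoided = (ale(sle, aro) - ale(sle, sg.residual_aro)) * sg.lifetime_years
    return avoided - sg.total_cost()

def break_even_aro(sle: float, sg: Safeguard) -> float:
    """ARO at which the loss avoided exactly equals the safeguard's cost."""
    return sg.total_cost() / (sle * sg.lifetime_years) + sg.residual_aro

if __name__ == "__main__":
    sle, aro = 800.0, aro_from_interval(5)            # figures from the scenario
    system = Safeguard(purchase_cost=1200, annual_cost=100, lifetime_years=15)
    print("AV  =", asset_value(sle, 0.8))             # question 1
    print("ARO =", aro)                               # question 3
    print("ALE =", ale(sle, aro))
    print("Net =", net_value(sle, aro, system))       # question 2
    print("Break-even ARO =", break_even_aro(sle, system))
```

With the scenario's figures the break-even ARO is 0.225, so the system would only pay for itself if fires occurred more often than about once every 4.4 years.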
Thanks for this, I liked it, and especially the effort you have put in to explain the stuff and not just put the question.