[CCCure CISSP] Comparing ALE and Cost of control



Amlan Deb
 
Hello everyone,
 
I have a doubt related to comparing the cost of a control to the losses before and after implementing the control.
 
Scenario#1
 
If a Co. finds out that the Annual Loss Expectancy for an asset = $100.
Is my understanding correct that the business will approve implementing a control up to a maximum of $100 to protect the asset?
 
(So business will approve to install a control that will cost them $60 to mitigate the risk)
 
 
Scenario#2
 
If a Co. finds out that the Annual Loss Expectancy for an asset = $100. After implementing the control the ALE for the asset = $50, and the control will cost them $60.
 
Should the business implement the control?
 
[
 
If we use the formula Value of control = (Old ALE) - (New ALE) - (Cost of control), then we get:
 
Value of control = 100 - 50 - 60 = -10 (negative $10) suggests that it is not a good decision to implement the control.
 
Doubt: But we stand to lose $100 as compared to $50 if we do not implement the control? And as per Scenario#1, if we do not mix the new ALE into the picture and just compare the cost of the control ($60) and the original ALE ($100), the cost of the control seems to be fine?
 
]
 
My doubt:
 
So do we need to follow separate approaches for these 2 separate scenarios, i.e. in Scenario-1 base the decision just on the basis of the single ALE and the cost of the control, but in Scenario-2 base the decision using Old ALE - New ALE - Cost of Value and implement the control only if the value is 0 or positive?
 
Thanks,
Amlan
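As an added worked example (not part of the original post), the two scenarios run through the same cost/benefit formula quoted above, Value = (Old ALE) - (New ALE) - (Cost of control). It assumes that when a scenario gives no post-control ALE, as in Scenario#1, the control is taken to remove the loss entirely (residual ALE = 0), which is the only reading under which the $100 ceiling holds; the `Control` class, the function names and the third "cheaper" control are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    """A candidate safeguard for one asset (constructed sample data)."""
    name: str
    annual_cost: float                     # annualised cost of the control
    residual_ale: Optional[float] = None   # ALE after the control; None = assumed to remove the loss


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro


def control_value(current_ale: float, control: Control) -> float:
    """Value of control = (old ALE) - (new ALE) - (annual cost of control).

    Assumption (not from the post): a missing residual ALE means the control
    is expected to drive the loss to zero, which is what Scenario#1 implies.
    """
    new_ale = 0.0 if control.residual_ale is None else control.residual_ale
    if new_ale > current_ale:
        raise ValueError(f"{control.name}: residual ALE exceeds current ALE")
    return current_ale - new_ale - control.annual_cost


def is_justified(current_ale: float, control: Control) -> bool:
    """Implement only when the control at least pays for itself (value >= 0)."""
    return control_value(current_ale, control) >= 0


def best_control(current_ale: float, controls: list[Control]) -> Optional[Control]:
    """Return the justified control with the highest value, or None if none qualifies."""
    justified = [c for c in controls if is_justified(current_ale, c)]
    return max(justified, key=lambda c: control_value(current_ale, c), default=None)


# The two scenarios from the post, plus one extra candidate (constructed).
CURRENT_ALE = ale(sle=1000.0, aro=0.1)                                      # $100/year
SCENARIO_1 = Control("full mitigation", annual_cost=60.0)                   # residual assumed 0 -> value 40
SCENARIO_2 = Control("partial mitigation", annual_cost=60.0, residual_ale=50.0)  # value -10
CHEAPER = Control("cheaper partial", annual_cost=20.0, residual_ale=50.0)   # value 30
```

With the residual ALE made explicit, Scenario#1 and Scenario#2 are the same calculation; only the assumed post-control loss differs.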

_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list