[CCCure CISSP] Comparing ALE and Cost of control


Amlan Deb
Hello everyone,
I have a doubt about comparing the cost of a control with the losses before and after implementing the control.

Scenario 1: A company finds that the Annual Loss Expectancy (ALE) for an asset is $100.
Is my understanding correct that the business will approve implementing a control costing up to a maximum of $100 to protect the asset?
(So the business will approve installing a control that costs $60 to mitigate the risk.)

Scenario 2: A company finds that the ALE for an asset is $100. After implementing a control, the ALE for the asset is $50, and the control will cost $60.
Should the business implement the control?
If we use the formula Value of control = (Old ALE) - (New ALE) - (Cost of control), we get:
Value of control = 100 - 50 - 60 = -10 (negative $10), which suggests that implementing the control is not a good decision.
But we stand to lose $100 as compared to $50 if we do not implement the control. And, as in Scenario 1, if we leave the new ALE out of the picture and just compare the cost of the control ($60) with the original ALE ($100), the cost of the control seems fine?

My doubt:
Do we need to follow separate approaches for these two scenarios, i.e. in Scenario 1 base the decision just on the single ALE and the cost of the control, but in Scenario 2 base it on Old ALE - New ALE - Cost of control and implement the control only if the value is 0 or positive?
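Editor's note, with an added worked example that is not part of the original post. Both scenarios are the same cost/benefit formula. Scenario 1 only looks different because it silently assumes the control removes the loss entirely (residual ALE of $0), so the most the business should pay is the full $100 of risk it is buying down; with a $60 control the value is 100 - 0 - 60 = $40. In Scenario 2 the control leaves $50 of residual loss, so the business would be paying $60 to avoid only $50 of loss: $110 of exposure with the control against $100 without it, which is the same -$10 the formula reports. The script below carries the poster's numbers through that comparison and also ranks several candidate controls against one asset; the figures for the extra candidates are constructed for illustration.

```python
"""Cost/benefit of a safeguard, carried through the standard quantitative
risk formulas:

    ALE   = SLE * ARO
    value = ALE(before) - ALE(after) - annual cost of safeguard (ACS)

A control is worth buying when value >= 0, which is the same test as
"residual loss plus control cost does not exceed the loss carried today".
"""
from dataclasses import dataclass
from typing import List, Optional


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy from Single Loss Expectancy and Annual Rate of Occurrence."""
    return sle * aro


@dataclass(frozen=True)
class Candidate:
    name: str
    ale_after: float    # residual ALE once this control is in place
    annual_cost: float  # annualised cost of the control (ACS)


@dataclass(frozen=True)
class Evaluation:
    name: str
    ale_before: float
    ale_after: float
    annual_cost: float

    @property
    def risk_reduction(self) -> float:
        """Loss avoided per year; the most the business should pay for this control."""
        return self.ale_before - self.ale_after

    @property
    def value(self) -> float:
        """Value of safeguard = ALE(before) - ALE(after) - ACS."""
        return self.risk_reduction - self.annual_cost

    @property
    def exposure_without(self) -> float:
        """What the business pays per year if it does nothing."""
        return self.ale_before

    @property
    def exposure_with(self) -> float:
        """What the business pays per year with the control: residual loss plus ACS."""
        return self.ale_after + self.annual_cost

    @property
    def worthwhile(self) -> bool:
        # Same condition written two ways: value >= 0  <=>  exposure_with <= exposure_without
        return self.value >= 0


def evaluate_control(name: str, ale_before: float, ale_after: float, annual_cost: float) -> Evaluation:
    if not 0 <= ale_after <= ale_before:
        raise ValueError("residual ALE must lie between 0 and the original ALE")
    if annual_cost < 0:
        raise ValueError("annual cost cannot be negative")
    return Evaluation(name, ale_before, ale_after, annual_cost)


def max_justifiable_cost(ale_before: float, ale_after: float = 0.0) -> float:
    """Upper bound on ACS: the risk actually removed, not the whole original ALE
    unless the control eliminates the loss (ale_after == 0)."""
    return ale_before - ale_after


def rank_controls(ale_before: float, candidates: List[Candidate]) -> List[Evaluation]:
    """All candidates, best value first."""
    evals = [evaluate_control(c.name, ale_before, c.ale_after, c.annual_cost) for c in candidates]
    return sorted(evals, key=lambda e: e.value, reverse=True)


def best_control(ale_before: float, candidates: List[Candidate]) -> Optional[Evaluation]:
    """Top-ranked candidate with non-negative value, or None if none pays for itself."""
    ranked = rank_controls(ale_before, candidates)
    return ranked[0] if ranked and ranked[0].worthwhile else None


if __name__ == "__main__":
    # Scenario 1: the $100 ceiling only holds if the control eliminates the loss.
    s1 = evaluate_control("scenario-1", ale_before=100, ale_after=0, annual_cost=60)
    print(f"{s1.name}: value={s1.value:+.0f} worthwhile={s1.worthwhile}")
    # Scenario 2: residual ALE of $50 means the $60 control buys only $50 of risk.
    s2 = evaluate_control("scenario-2", ale_before=100, ale_after=50, annual_cost=60)
    print(f"{s2.name}: value={s2.value:+.0f} "
          f"exposure {s2.exposure_without:.0f} without vs {s2.exposure_with:.0f} with")
    # Constructed candidates (not from the post) competing for the same asset.
    picks = [Candidate("poster's control", 50, 60), Candidate("full fix", 0, 60), Candidate("cheap partial", 20, 30)]
    for e in rank_controls(100, picks):
        print(f"  {e.name:16s} value={e.value:+.0f}")
```

Run as a script it prints the two scenarios and the ranking; the point to take away is that `max_justifiable_cost` depends on the residual ALE, so a $60 control is justified in Scenario 1 (ceiling $100) and not in Scenario 2 (ceiling $50).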

CISSPstudy mailing list