Module 5: Course Project

In this module you will expand on all prior work and use the FAIR model to complete an initial estimate of risk with a financial impact.

Execute the following steps:

  1. Using the number of Miami office users with the Outlook CVE-2024-21413 vulnerability, generate a 3-point estimate of vulnerability. Apply +/- 10% for the upper and lower bounds of your estimate.
  2. Use the $50,000 estimate provided for recovery and generate a 3-point estimate using +/- 10%. What is the estimate for loss magnitude?
  3. Using .31 as the mid-point value, generate a new 3-point estimate for threat event frequency with +/- 10%. What is the estimated range?
  4. Given the previous values of threat event frequency and vulnerability, what is the rounded FAIR model calculation for loss event frequency?
  5. Given the values previously estimated for loss event frequency and loss magnitude, what is the average of the FAIR model calculation of risk?
  6. Using the triangular distributions in the probability distribution tool, input the FAIR model values for threat event frequency (.21-.31-.41) into triangular 1 and vulnerability (70%-80%-90%) into triangular 2. Now find the corresponding chart labeled Triangular1_Triangular2 and note the average. How does it compare to what the FAIR model calculated for loss event frequency?
  7. Why do the same ranges, when multiplied in the probability distribution tool, give results different from those shown in the FAIR model?
  8. Using the probability distribution tool, input the loss event frequency of .147-.248-.369 in Triangular 1 and the loss magnitude of $45k – $50K – $60K in Triangular 3. Compare the Triangular 1_Triangular 3 results to the FAIR calculation of Risk. What are the average values of each?
  9. If the organization experiences 12 incidents per month, what is the rate per month?
  10. Using a rate of 12 as input to the Poisson 1 distribution in the probability distribution tool, what is the resulting Poisson 1 average number of events?
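
The multiplication of two three-point ranges in steps 6 and 8 can be reproduced as a small simulation. The following is an added example, not the course's probability distribution tool or FAIR tool: it assumes the two inputs are independent triangular distributions sampled with Python's `random.triangular`, and the function names are hypothetical. It compares the single-point product of the most-likely values with the analytic and simulated mean of the product.

```python
import random

# Three-point (low, mode, high) values quoted in steps 6 and 8 of the project.
TEF = (0.21, 0.31, 0.41)          # threat event frequency
VULN = (0.70, 0.80, 0.90)         # vulnerability
LEF = (0.147, 0.248, 0.369)       # loss event frequency
LM = (45_000, 50_000, 60_000)     # loss magnitude, USD

def tri_mean(t):
    """Mean of a triangular distribution given (low, mode, high)."""
    low, mode, high = t
    return (low + mode + high) / 3.0

def point_product(a, b):
    """Single-point calculation: multiply the two most-likely values."""
    return a[1] * b[1]

def analytic_mean_product(a, b):
    """Mean of the product, assuming the two inputs are independent."""
    return tri_mean(a) * tri_mean(b)

def simulate_product(a, b, trials=100_000, seed=1):
    """Monte Carlo: sample both triangulars, multiply, summarise."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    draws = sorted(
        rng.triangular(a[0], a[2], a[1]) * rng.triangular(b[0], b[2], b[1])
        for _ in range(trials)
    )
    return {
        "mean": sum(draws) / trials,
        "p10": draws[int(0.10 * trials)],
        "p90": draws[int(0.90 * trials)],
    }

if __name__ == "__main__":
    for name, a, b in (("TEF x Vuln", TEF, VULN), ("LEF x LM", LEF, LM)):
        sim = simulate_product(a, b)
        print(f"{name}: point={point_product(a, b):,.3f} "
              f"analytic mean={analytic_mean_product(a, b):,.3f} "
              f"simulated mean={sim['mean']:,.3f} "
              f"p10={sim['p10']:,.3f} p90={sim['p90']:,.3f}")
```
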

License

Cybersecurity Risk Quantification Copyright © 2024 by Charlene Deaver-Vazquez is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.