# Module 5: Course Project

In this module you will expand on all prior work and use the FAIR model to complete an initial estimate of risk with a financial impact.

Execute the following steps:

- Using the Miami office number of users with the Outlook CVE-2024-21413 vulnerability, generate a 3-point estimate of vulnerability. Apply +/- 10% for the upper and lower bounds of your estimate.
- Use the $50,000 estimate provided for recovery and generate a 3-point estimate using a +/- 10%. What is the estimate for loss magnitude?
- Use the .31 as the mid-point value, generate a new 3-point estimate for threat event frequency with a +/- 10%. What is the estimated range?
- Given the previous values of threat event frequency and vulnerability, what is the rounded FAIR model calculation for loss event frequency?
- Given the values previously estimated for loss event frequency and loss magnitude, what is the average of FAIR model calculation of risk?
- Using the triangular distributions in the probability distribution tool and input the FAIR model values for threat event frequency (.21-.31-.41) into triangular 1 and vulnerability (70%-80%-90%) into triangular 2. Now find the corresponding chart labeled Triangular1_Triangular2 and note the average? How does it compare to what the FAIR model calculated for loss event frequency?
- Why are the same ranges multiplied in the probability distribution tool different than the results shown in the FAIR model?
- Using the probability distribution tool, calculate loss event frequency of .147-.248-.369 in Triangular 1 and the loss magnitude of $45k – $50K – $60K in Triangular 3. Compare the Triangular 1_Triangular 3 results to the FAIR calculation of Risk. What are the average values of each?
- If the organization experiences 12 incidents per month, what is the rate per month?
- Using a rate of 12 as input to the Poisson 1 distribution in the probability distribution tool, what is the resulting Poisson 1 average number of events?