Return on Security Investment Calculator

NSW Dept of Commerce OICT ROSI TOOL V1.0 Sample Threat & Risk Assessment PLUS Cost Analysis Legend Purple cells contain values to be entered by the user Yellow cells contain calculated results Grey cells are copied as is from an actual TRA TABLE 1 LIKELIHOOD GRADE TRANSORMED TO FREQUENCY Max freq p.a. Negligible 0.05 Very Low 0.5 Low 1.0 Medium 2.0 High 12.0 Very High 50.0 Extreme 500.0 TABLE 2 SEVERITY GRADE TRANSFORMED TO DIRECT COST Cost Insignificant -$ Minor 1,000 $ Significant 10,000 $ Damaging 100,000 $ Serious 1,000,000 $ Grave 10,000,000 $ RISK CALCULATIONSLikely to occur multiple times per day Likely to occur multiple times per month or less Will have almost no impact if threat is realised. Likely to occur once per month or less Unlikely to occur Likely to occur two/three times every five years Likely to occur once every year or less Likely to occur once every six months or less Will result in some tangible harm, albeit only small and perhaps only noted by a few individuals or agencies. Will require some expenditure of resources to repair (eg "political embarrassment"). May cause damage to the reputation of system management, and/or notable loss of confidence in the system's resources or services. Will require expenditure of significant resources to repair. May cause extended system outage, and/or loss of connected customers or business confidence. May result in compromise of large amounts of Government information or services. Will have some minor effect on the asset value. Will not require any extra effort to repair or reconfigure the system. May cause system to be permanently closed, and/or be subsumed by another (secure) environment. May result in complete compromise of Government agencies. Insignificant Minor Significant Damaging Serious Grave Negligible Negligible Negligible Negligible Negligible Negligible Negligible Very Low Negligible Low Low Low Medium Medium Low Negligible Low Medium Medium High High Medium Negligible Low Medium High High Critical High Negligible Medium High High Extreme Extreme Very High Negligible Medium High Critical Extreme Extreme Extreme Negligible Medium High Critical Extreme Extreme ANNUAL INCIDENT COST AT EACH RISK POINT Capped at cost of a single Grave incident Insignificant Minor Significant Damaging Serious Grave Annual Prob $ -$ 1,000 $ 10,000 $ 100,000 $ 1,000,000 10,000,000 $ Negligible 0.05 $ -$ 50 $ 500 $ 5,000 $ 50,000 $ 500,000 Very Low 0.50 $ -$ 500 $ 5,000 $ 50,000 $ 500,000 $ 5,000,000 Low 1.00 $ -$ 1,000 $ 10,000 $ 100,000 $ 1,000,000 $ 10,000,000 Medium 2.00 $ -$ 2,000 $ 20,000 $ 200,000 $ 2,000,000 $ 10,000,000 High 12.00 $ -$ 12,000 $ 120,000 $ 1,200,000 $ 10,000,000 $ 10,000,000 Very High 50.00 $ -$ 50,000 $ 500,000 $ 5,000,000 $ 10,000,000 $ 10,000,000 Extreme 500.00 $ -$ 500,000 $ 5,000,000 $ 10,000,000 $ 10,000,000 $ 10,000,000 Likelihood Degree of Harm and Cost per Incident Degree of Harm LikelihoodNSW Dept of Commerce OICT ROSI TOOL V1.0 Sample Threat & Risk Assessment PLUS Cost Analysis Legend Purple cells contain values to be entered by the user Yellow cells contain calculated results Grey cells are copied as is from an actual TRA Sample Threat & Risk Assessment PLUS Cost Analysis No. Asset Potential incident (Threat to the Asset) Likelihood Severity Estimated Risk Annual rate of occurrence Direct Cost per incident Opportunity Cost per incident Total UNTREATED Annual Cost 0.05 $ 1,000,000 $ 50,000 2 $ 10,000 $ 20,000 1 $ 1,000,000 $ 1,000,000 0.5 $ 100,000 $ 50,000 1 $ 10,000 $ 10,000 0.5 $ 10,000 $ 5,000 Misconfiguration of key infrastructure e.g. routers, PIX, switches) Low Failure of Cooling System Medium Significant Serious Nil Significant Medium Destruction of key infrastructure e.g. routers, PIX, switches) Negligible A8 Availability of DXXY internet connection A10 A9 Medium A11 Hardware failure of key infrastructure e.g. routers, PIX, switches) Very Low Serious High Damaging Low Significant Low A12 A13 Denial of service attack on carrier or provider network infrastructure Very Low Incorrect building patching LowA14 DNS hardware failure Negligible Damaging Nil 0.05 $ 100,000 $ 5,000 12 $ 100,000 $ 1,200,000 A16 Accidental misconfiguration of mail servers Low Damaging Medium 1 $ 100,000 $ 100,000 ANNUAL TOTALS 2,440,000 $ SUMMARY Annual Cost of Incidents -Untreated 2,440,000 $ Annual Cost of Incidents -Residual after Countermeasures 116,600 $ Annual Gross Savings 2,323,400 $ Countermeasure Upfront Cost 370,000 $ Countermeasure Recurring Cost 105,000 $ Ammortisation period (years) 3 Ammortised Countermeasure upfront cost 123,333 $ Countermeasure Annual Cost 228,333 $ Annual Nett Savings 2,095,067 $ Damaging High A15 Availability of DXXY internet email Denial of service attack on email system HighCounter Measures Upfront Cost per Countermeaasur Recurring Cost per Countermeaasur Residual likelihood Residual severity Total TREATED Annual Cost Saving Per Threat Notes Business Continuity Plan (1) $ 50,000 $ 20,000 Spare parts (4) $ 50,000 $ 10,000 Service level agreements (5) $ -$ -Physical security (access control procedures and controls for computer room) (6) $ 10,000 $ 10,000 Negligible Minor $ 50 $ 49,950 Environmental controls for computer room (2) $ 30,000 $ 5,000 Business Continuity Plan (1) Counted Counted Service level agreements (5) Counted Counted Very low Minor $ 500 $ 19,500 Configuration management system (8) $ 70,000 $ 10,000 Change control procedures (15) $ 30,000 $ 5,000 Negligible Serious $ 50,000 $ 950,000 Business Continuity Plan (1) Counted Counted Spare parts (4) Counted Counted Service level agreements (5) Counted Counted Very low Minor $ 500 $ 49,500 Standards for cabling including labelling and coding (9) $ 10,000 $ -Physical security (6) Counted Counted Very low Significant $ 5,000 $ 5,000 Large capacity network connection (10) $ 10,000 $ 10,000 Redundant Internet connection (7) $ 10,000 $ 10,000 Very low Minor $ 500 $ 4,500 Harm reduced to Minor by BCP; Likelihood to Very Low by Environ controls Likelihood reduced to Negligible by Config Mgt Won't affect the likelihood of an event, but reduces harm by better recovery Redundancy means minor effect on failoverReplication of DNS server (11) $ 10,000 $ -Negligible Minor $ 50 $ 4,950 Network based Intrusion Detection System (NIDS) (12) $ 70,000 $ 20,000 Use DSD evaluated products (13) $ 20,000 $ 5,000 Deny all unless explicitly allowed firewall rules (14) $ -$ -Low Significant $ 10,000 $ 1,190,000 Change control procedures (15) (including peer review) Counted Counted Very low Damaging $ 50,000 $ 50,000 370,000 $ 105,000 $ 116,600 $ 2,323,400 $ No amelioration of degree of harm