Excel Spreadsheet

Return on Security Investment Calculator

Shared by: user002
Posted: 2/5/2008
Language: English
NSW Dept of Commerce OICT ROSI TOOL V1.0
Sample Threat & Risk Assessment PLUS Cost Analysis

Legend
  Purple cells contain values to be entered by the user
  Yellow cells contain calculated results
  Grey cells are copied as is from an actual TRA

TABLE 1: LIKELIHOOD GRADE TRANSFORMED TO FREQUENCY

  Grade       Max freq p.a.  Description
  Negligible  0.05           Unlikely to occur
  Very Low    0.5            Likely to occur two/three times every five years
  Low         1.0            Likely to occur once every year or less
  Medium      2.0            Likely to occur once every six months or less
  High        12.0           Likely to occur once per month or less
  Very High   50.0           Likely to occur multiple times per month or less
  Extreme     500.0          Likely to occur multiple times per day

TABLE 2: SEVERITY GRADE TRANSFORMED TO DIRECT COST

  Grade          Cost $        Description
  Insignificant  $ -           Will have almost no impact if threat is realised.
  Minor          $ 1,000       Will have some minor effect on the asset value. Will not require any extra effort to repair or reconfigure the system.
  Significant    $ 10,000      Will result in some tangible harm, albeit only small and perhaps only noted by a few individuals or agencies. Will require some expenditure of resources to repair (eg "political embarrassment").
  Damaging       $ 100,000     May cause damage to the reputation of system management, and/or notable loss of confidence in the system's resources or services. Will require expenditure of significant resources to repair.
  Serious        $ 1,000,000   May cause extended system outage, and/or loss of connected customers or business confidence. May result in compromise of large amounts of Government information or services.
  Grave          $ 10,000,000  May cause system to be permanently closed, and/or be subsumed by another (secure) environment. May result in complete compromise of Government agencies.

RISK CALCULATIONS (Estimated Risk from Degree of Harm and Likelihood)

  Degree of Harm  Negligible  Very Low    Low         Medium      High        Very High   Extreme
  Insignificant   Negligible  Negligible  Negligible  Negligible  Negligible  Negligible  Negligible
  Minor           Negligible  Low         Low         Low         Medium      Medium      Medium
  Significant     Negligible  Low         Medium      Medium      High        High        High
  Damaging        Negligible  Low         Medium      High        High        Critical    Critical
  Serious         Negligible  Medium      High        High        Extreme     Extreme     Extreme
  Grave           Negligible  Medium      High        Critical    Extreme     Extreme     Extreme

ANNUAL INCIDENT COST AT EACH RISK POINT (Annual Prob x Cost per Incident, capped at the cost of a single Grave incident)

  Likelihood         Annual Prob  Insignificant  Minor      Significant  Damaging      Serious       Grave
  Cost per incident               $ -            $ 1,000    $ 10,000     $ 100,000     $ 1,000,000   $ 10,000,000
  Negligible         0.05         $ -            $ 50       $ 500        $ 5,000       $ 50,000      $ 500,000
  Very Low           0.50         $ -            $ 500      $ 5,000      $ 50,000      $ 500,000     $ 5,000,000
  Low                1.00         $ -            $ 1,000    $ 10,000     $ 100,000     $ 1,000,000   $ 10,000,000
  Medium             2.00         $ -            $ 2,000    $ 20,000     $ 200,000     $ 2,000,000   $ 10,000,000
  High               12.00        $ -            $ 12,000   $ 120,000    $ 1,200,000   $ 10,000,000  $ 10,000,000
  Very High          50.00        $ -            $ 50,000   $ 500,000    $ 5,000,000   $ 10,000,000  $ 10,000,000
  Extreme            500.00       $ -            $ 500,000  $ 5,000,000  $ 10,000,000  $ 10,000,000  $ 10,000,000

SAMPLE THREAT & RISK ASSESSMENT PLUS COST ANALYSIS (UNTREATED)
(The sheet also carries an "Opportunity Cost per incident" column, which is blank for every sample row.)

  No.  Asset                               Potential incident (Threat to the Asset)                         Likelihood  Severity     Estimated Risk  Annual rate of occurrence  Direct Cost per incident  Total UNTREATED Annual Cost
  A8   Availability of D-XYZ internet      Destruction of key infrastructure (e.g. routers, PIX, switches)  Negligible  Serious      Nil             0.05                       $ 1,000,000               $ 50,000
  A9                                       Failure of Cooling System                                        Medium      Significant  Medium          2                          $ 10,000                  $ 20,000
  A10                                      Misconfiguration of key infrastructure (e.g. routers, PIX, switches)  Low    Serious      High            1                          $ 1,000,000               $ 1,000,000
  A11                                      Hardware failure of key infrastructure (e.g. routers, PIX, switches)  Very Low  Damaging  Low             0.5                        $ 100,000                 $ 50,000
  A12                                      Incorrect building patching                                      Low         Significant  Medium          1                          $ 10,000                  $ 10,000
  A13                                      Denial of service attack on carrier or provider network infrastructure  Very Low  Significant  Low        0.5                        $ 10,000                  $ 5,000
  A14                                      DNS hardware failure                                             Negligible  Damaging     Nil             0.05                       $ 100,000                 $ 5,000
  A15  Availability of D-XYZ internet email  Denial of service attack on email system                       High        Damaging     High            12                         $ 100,000                 $ 1,200,000
  A16                                      Accidental misconfiguration of mail servers                      Low         Damaging     Medium          1                          $ 100,000                 $ 100,000

ANNUAL TOTALS SUMMARY

  Annual Cost of Incidents - Untreated                       $ 2,440,000
  Annual Cost of Incidents - Residual after Countermeasures  $ 116,600
  Annual Gross Savings                                       $ 2,323,400
  Countermeasure Upfront Cost                                $ 370,000
  Countermeasure Recurring Cost                              $ 105,000
  Amortisation period (years)                                3
  Amortised Countermeasure upfront cost                      $ 123,333
  Countermeasure Annual Cost                                 $ 228,333
  Annual Nett Savings                                        $ 2,095,067

COUNTER MEASURES (in the order listed against threats A8 to A16; the bracketed number is the countermeasure's id in the tool)

  Business Continuity Plan (1)
  Spare parts (4)
  Service level agreements (5)
  Physical security (access control procedures and controls for computer room) (6)
  Environmental controls for computer room (2)
  Configuration management system (8)
  Change control procedures (15)
  Standards for cabling including labelling and coding (9)
  Large capacity network connection (10)
  Redundant Internet connection (7)
  Replication of DNS server (11)
  Network based Intrusion Detection System (NIDS) (12)
  Use DSD evaluated products (13)
  Deny all unless explicitly allowed firewall rules (14)
  Change control procedures (15) (including peer review)

  Each countermeasure carries an Upfront Cost and a Recurring Cost; where the same countermeasure treats more than one threat its cost is entered once and later rows are marked "Counted". Upfront costs total $ 370,000 and recurring costs total $ 105,000.

TREATED THREATS (residual risk after countermeasures)

  No.  Residual likelihood  Residual severity  TREATED Annual Cost  Total Saving per Threat  Notes
  A8   Negligible           Minor              $ 50                 $ 49,950                 Harm reduced to Minor by BCP
  A9   Very Low             Minor              $ 500                $ 19,500                 Likelihood to Very Low by Environ controls
  A10  Negligible           Serious            $ 50,000             $ 950,000                Likelihood reduced to Negligible by Config Mgt
  A11  Very Low             Minor              $ 500                $ 49,500                 Won't affect the likelihood of an event, but reduces harm by better recovery
  A12  Very Low             Significant        $ 5,000              $ 5,000
  A13  Very Low             Minor              $ 500                $ 4,500                  Redundancy means minor effect on failover
  A14  Negligible           Minor              $ 50                 $ 4,950
  A15  Low                  Significant        $ 10,000             $ 1,190,000
  A16  Very Low             Damaging           $ 50,000             $ 50,000                 No amelioration of degree of harm
  Totals                                       $ 116,600            $ 2,323,400
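The tool's lookup tables and ROSI arithmetic re-implemented as an added Python example (this is not the spreadsheet's own formulas); it assumes the blank Insignificant cost is $0 and reproduces the sample TRA's summary figures, so the same method can be re-run against another assessment.

```python
# Added example, not part of the NSW OICT ROSI tool: its tables and arithmetic.
# TABLE 1: likelihood grade -> maximum frequency per annum (events/year)
FREQ = {"Negligible": 0.05, "Very Low": 0.5, "Low": 1.0, "Medium": 2.0,
        "High": 12.0, "Very High": 50.0, "Extreme": 500.0}
LIKELIHOODS = list(FREQ)  # column order of the risk matrix
# TABLE 2: severity grade -> direct cost per incident ($); the tool leaves
# Insignificant blank, which is taken here as $0 (assumption)
COST = {"Insignificant": 0, "Minor": 1_000, "Significant": 10_000,
        "Damaging": 100_000, "Serious": 1_000_000, "Grave": 10_000_000}
CAP = COST["Grave"]  # annual cost is capped at the cost of one Grave incident
# RISK CALCULATIONS matrix: row = degree of harm, columns in LIKELIHOODS order
RISK = {
    "Insignificant": ["Negligible"] * 7,
    "Minor":       ["Negligible", "Low", "Low", "Low", "Medium", "Medium", "Medium"],
    "Significant": ["Negligible", "Low", "Medium", "Medium", "High", "High", "High"],
    "Damaging":    ["Negligible", "Low", "Medium", "High", "High", "Critical", "Critical"],
    "Serious":     ["Negligible", "Medium", "High", "High", "Extreme", "Extreme", "Extreme"],
    "Grave":       ["Negligible", "Medium", "High", "Critical", "Extreme", "Extreme", "Extreme"],
}

def risk_grade(likelihood, severity):
    """Estimated Risk read off the likelihood x degree-of-harm matrix."""
    return RISK[severity][LIKELIHOODS.index(likelihood)]

def annual_cost(likelihood, severity):
    """Annual incident cost: frequency x direct cost, capped at one Grave incident."""
    return min(FREQ[likelihood] * COST[severity], CAP)

# Sample TRA rows A8..A16 as (id, untreated likelihood, untreated severity,
# residual likelihood, residual severity) once the countermeasures are applied.
SAMPLE_TRA = [
    ("A8",  "Negligible", "Serious",     "Negligible", "Minor"),
    ("A9",  "Medium",     "Significant", "Very Low",   "Minor"),
    ("A10", "Low",        "Serious",     "Negligible", "Serious"),
    ("A11", "Very Low",   "Damaging",    "Very Low",   "Minor"),
    ("A12", "Low",        "Significant", "Very Low",   "Significant"),
    ("A13", "Very Low",   "Significant", "Very Low",   "Minor"),
    ("A14", "Negligible", "Damaging",    "Negligible", "Minor"),
    ("A15", "High",       "Damaging",    "Low",        "Significant"),
    ("A16", "Low",        "Damaging",    "Very Low",   "Damaging"),
]

def rosi(rows, upfront, recurring, years):
    """ANNUAL TOTALS SUMMARY: gross saving less amortised upfront and recurring cost."""
    untreated = sum(annual_cost(l, s) for _, l, s, _, _ in rows)
    residual = sum(annual_cost(l, s) for _, _, _, l, s in rows)
    gross = untreated - residual
    cm_annual = upfront / years + recurring  # amortised upfront + recurring
    return {"untreated": untreated, "residual": residual, "gross_saving": gross,
            "countermeasure_annual": cm_annual, "net_saving": gross - cm_annual}
```

Running `rosi(SAMPLE_TRA, 370_000, 105_000, 3)` yields the sheet's $2,440,000 untreated, $116,600 residual and $2,095,067 nett saving (to the nearest dollar).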
