Return on Security Investment Calculator Statistical 2.2 by cshieyiez


NSW Dept of Commerce OICT ROSI TOOL V2.0 Prototype Statistical Module
LOOKUP TABLES FOR QUANTIFYING THREAT LIKELIHOOD AND CONSEQUENCE

Legend
  Purple cells: contain values to be entered by the user
  Yellow cells: contain calculated results
  Grey cells:   are copied as is from an actual TRA

TABLE 5: LIKELIHOOD GRADE TRANSFORMED TO PROBABILISTIC FREQUENCY

Grade       Description                                         Min freq  Max freq
Negligible  Unlikely to occur                                   0.0       0.10
Very Low    Likely to occur two/three times every five years    0.1       0.8
Low         Likely to occur once every year or less             0.8       1.5
Medium      Likely to occur once every six months or less       1.5       2.5
High        Likely to occur once per month or less              2.5       20.0
Very High   Likely to occur multiple times per month or less    20.0      120.0
Extreme     Likely to occur multiple times per day              120.0     1000.0

(Frequencies are incidents per year. The calculated "Annual freq" and "Annual Prob" rows were not captured; the source shows #NAME? in those cells.)

TABLE 6: SEVERITY GRADE TRANSFORMED TO PROBABILISTIC DIRECT COST

Grade          Description
Insignificant  Will have almost no impact if threat is realised.
Minor          Will have some minor effect on the asset value. Will not require any extra effort to repair or reconfigure the system.
Significant    Will result in some tangible harm, albeit only small and perhaps only noted by a few individuals or agencies. Will require some expenditure of resources to repair (eg "political embarrassment").
Damaging       May cause damage to the reputation of system management, and/or notable loss of confidence in the system's resources or services. Will require expenditure of significant resources to repair.
Serious        May cause extended system outage, and/or loss of connected customers or business confidence. May result in compromise of large amounts of Government information or services.
Grave          May cause system to be permanently closed, and/or be subsumed by another (secure) environment. May result in complete compromise of Government agencies.

Dollar cost per incident (values as captured, ordered from lowest to highest grade; the calculated cells show #NAME?):
  Min Cost     $5,000   $50,000   $500,000   $5,000,000
  Likely cost  $1,000   $10,000   $100,000   $1,000,000   $10,000,000
  Max Cost     $2,000   $20,000   $200,000   $2,000,000   $20,000,000

RISK CALCULATIONS: Estimated Risk by Degree of Harm (rows) and Likelihood (columns)

Degree of Harm          Negligible  Very Low    Low         Medium      High        Very High   Extreme
Insignificant           Negligible  Negligible  Negligible  Negligible  Negligible  Negligible  Negligible
Minor                   Negligible  Low         Low         Low         Medium      Medium      Medium
Significant / Damaging  (two rows whose cells are interleaved in the source: Negligible Negligible Low Low Medium Medium Medium High High High High Critical High Critical)
Serious                 Negligible  Medium      High        High        Extreme     Extreme     Extreme
Grave                   Negligible  Medium      High        Critical    Extreme     Extreme     Extreme

FORECAST ANNUAL COST AT EACH RISK POINT (capped at cost of a single Grave incident)
Rows: Degree of Harm and Cost per Incident (Insignificant, Minor, Significant, Damaging, Serious, Grave). Columns: Likelihood (Negligible to Extreme). The calculated cells were not captured; the source shows #NAME?.

NSW Dept of Commerce OICT ROSI TOOL V2.0 Prototype Statistical Module
Sample Threat & Risk Assessment PLUS Cost Analysis

Columns: No. | Asset | Potential incident (Threat to the Asset) | Likelihood | Severity | Estimated Risk | Annual rate of occurrence | Direct Cost per incident | Opportunity Cost per incident | Total UNTREATED Annual Cost
(The calculated cost columns were not captured; the source shows #NAME? in those cells.)

No.  Asset                                 Potential incident (Threat to the Asset)                                 Likelihood  Severity     Estimated Risk
A8   Availability of D-XYZ internet        Destruction of key infrastructure (e.g. routers, PIX, switches)          Negligible  Serious      Nil
     connection
A9                                         Failure of Cooling System                                                Medium      Significant  Medium
A10                                        Misconfiguration of key infrastructure (e.g. routers, PIX, switches)     Low         Serious      High
A11                                        Hardware failure of key infrastructure (e.g. routers, PIX, switches)     Very Low    Damaging     Low
A12                                        Incorrect building patching                                              Low         Significant  Medium
A13                                        Denial of service attack on carrier or provider network infrastructure   Very Low    Significant  Low
A14                                        DNS hardware failure                                                     Negligible  Damaging     Nil
A15  Availability of D-XYZ internet email  Denial of service attack on email system                                 High        Damaging     High
A16                                        Accidental misconfiguration of mail servers                              Low         Damaging     Medium

ANNUAL TOTALS SUMMARY
  Annual Cost of Incidents - Untreated                       (not captured: #NAME?)
  Annual Cost of Incidents - Residual after Countermeasures  (not captured: #NAME?)
  Annual Gross Savings                                       (not captured: #NAME?)
  Countermeasure Upfront Cost                                $370,000
  Countermeasure Recurring Cost                              $105,000
  Amortisation period (years)                                3
  Amortised Countermeasure upfront cost                      $123,333
  Countermeasure Annual Cost                                 $228,333
  Annual Nett Savings                                        (not captured: #NAME?)
(The calculated incident-cost values carry a "(thousands)" label in the source.)
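The arithmetic behind the ANNUAL TOTALS block, as an added Python example (not the NSW OICT tool's own code): it reproduces the sheet's 370,000 / 105,000 / 3-year figures, checks a threat's annual rate against its Table 5 frequency band, and applies the Grave-incident cap stated on the forecast table; the Threat row values and the 20,000,000 cap are constructed assumptions.

```python
"""ROSI annual-totals arithmetic, re-implemented in Python (added example, not the
NSW OICT tool's own code). FREQ_BAND is Table 5's Min/Max freq rows; 370,000 /
105,000 / 3 years -> 228,333 are the sheet's own figures."""
from dataclasses import dataclass

# Table 5: likelihood grade -> (min, max) incidents per year, as printed.
FREQ_BAND = {
    "Negligible": (0.0, 0.1),
    "Very Low": (0.1, 0.8),
    "Low": (0.8, 1.5),
    "Medium": (1.5, 2.5),
    "High": (2.5, 20.0),
    "Very High": (20.0, 120.0),
    "Extreme": (120.0, 1000.0),
}


@dataclass
class Threat:
    """One TRA row. The sheet's annual-rate formula was not captured (#NAME?),
    so the rate is an input here and is only checked against its Table 5 band."""
    ref: str
    likelihood: str
    annual_rate: float             # incidents per year
    direct_cost: float             # $ per incident
    opportunity_cost: float = 0.0  # $ per incident

    def rate_in_band(self) -> bool:
        lo, hi = FREQ_BAND[self.likelihood]
        return lo <= self.annual_rate <= hi

    def annual_cost(self, grave_cost: float) -> float:
        """Expected annual cost, capped at the cost of a single Grave incident
        (the cap stated on the sheet's forecast table)."""
        return min(self.annual_rate * (self.direct_cost + self.opportunity_cost), grave_cost)


def countermeasure_annual_cost(upfront: float, recurring: float, years: int) -> float:
    """Amortised upfront cost plus recurring cost, as in the ANNUAL TOTALS block."""
    return upfront / years + recurring


def nett_savings(untreated: float, residual: float,
                 upfront: float, recurring: float, years: int) -> float:
    """Gross savings (untreated minus residual) less the annual countermeasure cost."""
    return (untreated - residual) - countermeasure_annual_cost(upfront, recurring, years)


if __name__ == "__main__":
    # Constructed row; the 20,000,000 cap is an assumed value, not read from the sheet.
    t = Threat("A12", "Low", annual_rate=1.0, direct_cost=100_000.0, opportunity_cost=25_000.0)
    print(t.rate_in_band(), t.annual_cost(20_000_000.0))                     # True 125000.0
    print(round(countermeasure_annual_cost(370_000, 105_000, 3)))            # 228333
    # Sheet means (thousands): untreated 3018.963, treated 127.6752 -> nett 2662.955
    print(round(nett_savings(3018.963e3, 127.6752e3, 370_000, 105_000, 3)))  # 2662954
```

Feeding the sheet's mean untreated and treated costs through nett_savings returns the sheet's mean Nett Savings to within a dollar, which confirms that Nett Savings = Gross Savings minus the annualised countermeasure cost is the relationship the summary block encodes.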

COUNTERMEASURES (per treated threat)

Columns: Counter Measures | Upfront Cost per Countermeasure | Recurring Cost per Countermeasure | Residual likelihood | Residual severity | Total Saving Per TREATED Threat Annual Cost | Notes
(The per-threat saving cells were not captured; the source shows #NAME?. Cells reading "Counted" mark a measure whose cost is already counted against another row.)

Countermeasures, in order of appearance (numbering as in the source):
  Business Continuity Plan (1)
  Spare parts (4)
  Service level agreements (5)
  Physical security (access control procedures and controls for computer room) (6)
  Environmental controls for computer room (2)
  Configuration management system (8)
  Change control procedures (15)
  Standards for cabling including labelling and coding (9)
  Large capacity network connection (10)
  Redundant Internet connection (7)
  Replication of DNS server (11)
  Network based Intrusion Detection System (NIDS) (12)
  Use DSD evaluated products (13)
  Deny all unless explicitly allowed firewall rules (14)
  Change control procedures (15) (including peer review)

Upfront costs as captured: $50,000 $50,000 $10,000 $30,000 $70,000 $30,000 $10,000 $10,000 $10,000 $10,000 $70,000 $20,000 (remaining cells "Counted" or "-"); total $370,000
Recurring costs as captured: $20,000 $10,000 $10,000 $5,000 $10,000 $5,000 $10,000 $10,000 $20,000 $5,000 (remaining cells "Counted" or "-"); total $105,000
Residual likelihood, one value per threat row as captured: Negligible, Very low, Negligible, Very low, Very low, Very low, Negligible, Low, Very low
Residual severity, one value per threat row as captured: Minor, Minor, Serious, Minor, Significant, Minor, Minor, Significant, Damaging

Notes (as captured):
  Harm reduced to Minor by BCP; Likelihood to Very Low by Environ controls
  Likelihood reduced to Negligible by Config Mgt
  Won't affect the likelihood of an event, but reduces harm by better recovery
  Redundancy means minor effect on failover
  No amelioration of degree of harm

OUTPUT: NETT SAVINGS (thousands), frequency distribution of 250 samples

Bin Range      Frequency  Cumulative%
800 to 1200     6          2.40%
1200 to 1600    21         10.80%
1600 to 2000    35         24.80%
2000 to 2400    34         38.40%
2400 to 2800    43         55.60%
2800 to 3200    47         74.40%
3200 to 3600    35         88.40%
3600 to 4000    14         94.00%
4000 to 4400    9          97.60%
4400 to 4800    3          98.80%
4800 to 5200    2          99.60%
5200 to 5600    0          99.60%
5600 to 6000    1          100.00%
6000 to 6400    0          100.00%
6400 to 6800    0          100.00%

Statistics (Nett Savings, thousands)
  Count           250
  Mean            2662.955
  Minimum         892.61
  Maximum         5732.72
  Range           4840.11
  Median          2707.125
  Sample Std Dev  837.0071
  95 percentile   4076.224
  90 percentile   3634.355
  80 percentile   3302.514
  20 percentile   1861.618
  10 percentile   1539.278
  5 percentile    1351.982
  Kurtosis        0.121136
  Skewness        0.324246

OUTPUT: TREATED COST (thousands), frequency distribution of 250 samples

Bin Range    Frequency  Cumulative%
30 to 48      12         4.80%
48 to 66      11         9.20%
66 to 84      28         20.40%
84 to 102     33         33.60%
102 to 120    34         47.20%
120 to 138    38         62.40%
138 to 156    28         73.60%
156 to 174    22         82.40%
174 to 192    13         87.60%
192 to 210    13         92.80%
210 to 228    9          96.40%
228 to 246    5          98.40%
246 to 264    3          99.60%
264 to 282    0          99.60%
282 to 300    1          100.00%

Statistics (Treated Cost, thousands)
  Count           250
  Mean            127.6752
  Minimum         30
  Maximum         291.51
  Range           261.51
  Median          125.075
  Sample Std Dev  50.39796
  95 percentile   220.069
  90 percentile   199.956
  80 percentile   167.366
  20 percentile   83.218
  10 percentile   67.799
  5 percentile    48.201
  Kurtosis        -0.07037
  Skewness        0.481518

OUTPUT: UNTREATED COST (thousands), frequency distribution of 250 samples

Bin Range      Frequency  Cumulative%
1200 to 1600    7          2.80%
1600 to 2000    26         13.20%
2000 to 2400    34         26.80%
2400 to 2800    32         39.60%
2800 to 3200    43         56.80%
3200 to 3600    50         76.80%
3600 to 4000    29         88.40%
4000 to 4400    13         93.60%
4400 to 4800    10         97.60%
4800 to 5200    3          98.80%
5200 to 5600    2          99.60%
5600 to 6000    0          99.60%
6000 to 6400    1          100.00%
6400 to 6800    0          100.00%
6800 to 7200    0          100.00%

Statistics (Untreated Cost, thousands)
  Count           250
  Mean            3018.963
  Minimum         1207.97
  Maximum         6112.75
  Range           4904.78
  Median          3075.075
  Sample Std Dev  850.9572
  95 percentile   4444.323
  90 percentile   4024.926
  80 percentile   3648.446
  20 percentile   2232.722
  10 percentile   1903.6
  5 percentile    1670.51
  Kurtosis        0.1163
  Skewness        0.325521

