ROSI Calculator 1.2


Transcript of ROSI Calculator 1.2

Page 1: ROSI Calculator 1.2

NSW Dept of Commerce OICT ROSI TOOL V1.0

Sample Threat & Risk Assessment PLUS Cost Analysis

Legend
  Purple cells contain values to be entered by the user
  Yellow cells contain calculated results
  Grey cells are copied as is from an actual TRA

TABLE 1: LIKELIHOOD GRADE TRANSFORMED TO FREQUENCY

  Likelihood grade   Max freq p.a.
  Negligible           0.05
  Very Low             0.5
  Low                  1.0
  Medium               2.0
  High                12.0
  Very High           50.0
  Extreme            500.0

TABLE 2: SEVERITY GRADE TRANSFORMED TO DIRECT COST

  Severity grade     Cost
  Insignificant      $0
  Minor              $1,000
  Significant        $10,000
  Damaging           $100,000
  Serious            $1,000,000
  Grave              $10,000,000

RISK CALCULATIONS

Likelihood grade descriptions (matching the frequencies in Table 1):
  Negligible   Unlikely to occur
  Very Low     Likely to occur two/three times every five years
  Low          Likely to occur once every year or less
  Medium       Likely to occur once every six months or less
  High         Likely to occur once per month or less
  Very High    Likely to occur multiple times per month or less
  Extreme      Likely to occur multiple times per day

Severity grade descriptions (matching the costs in Table 2):
  Insignificant  Will have almost no impact if threat is realised.
  Minor          Will have some minor effect on the asset value. Will not require any extra effort to repair or reconfigure the system.
  Significant    Will result in some tangible harm, albeit only small and perhaps only noted by a few individuals or agencies. Will require some expenditure of resources to repair (eg "political embarrassment").
  Damaging       May cause damage to the reputation of system management, and/or notable loss of confidence in the system's resources or services. Will require expenditure of significant resources to repair.
  Serious        May cause extended system outage, and/or loss of connected customers or business confidence. May result in compromise of large amounts of Government information or services.
  Grave          May cause system to be permanently closed, and/or be subsumed by another (secure) environment. May result in complete compromise of Government agencies.

Page 2: ROSI Calculator 1.2

Risk grade matrix (rows: Likelihood; columns: Degree of Harm)

  Likelihood   Insignificant  Minor       Significant  Damaging    Serious     Grave
  Negligible   Negligible     Negligible  Negligible   Negligible  Negligible  Negligible
  Very Low     Negligible     Low         Low          Low         Medium      Medium
  Low          Negligible     Low         Medium       Medium      High        High
  Medium       Negligible     Low         Medium       High        High        Critical
  High         Negligible     Medium      High         High        Extreme     Extreme
  Very High    Negligible     Medium      High         Critical    Extreme     Extreme
  Extreme      Negligible     Medium      High         Critical    Extreme     Extreme

ANNUAL INCIDENT COST AT EACH RISK POINT
Capped at cost of a single Grave incident
(rows: Likelihood with its annual probability; columns: Degree of Harm and Cost per Incident)

  Likelihood   Annual Prob  Insignificant  Minor     Significant  Damaging     Serious      Grave
                            $0             $1,000    $10,000      $100,000     $1,000,000   $10,000,000
  Negligible   0.05         $0             $50       $500         $5,000       $50,000      $500,000
  Very Low     0.50         $0             $500      $5,000       $50,000      $500,000     $5,000,000
  Low          1.00         $0             $1,000    $10,000      $100,000     $1,000,000   $10,000,000
  Medium       2.00         $0             $2,000    $20,000      $200,000     $2,000,000   $10,000,000
  High         12.00        $0             $12,000   $120,000     $1,200,000   $10,000,000  $10,000,000
  Very High    50.00        $0             $50,000   $500,000     $5,000,000   $10,000,000  $10,000,000
  Extreme      500.00       $0             $500,000  $5,000,000   $10,000,000  $10,000,000  $10,000,000

Page 3: ROSI Calculator 1.2

Department of Finance and Services ROSI TOOL V1.0

Sample Threat & Risk Assessment PLUS Cost Analysis

Legend
  Purple cells contain values to be entered by the user
  Yellow cells contain calculated results
  Grey cells are copied as is from an actual TRA

Sample Threat & Risk Assessment PLUS Cost Analysis

Columns: No. | Asset | Potential incident (Threat to the Asset) | Likelihood | Severity | Estimated Risk | Annual rate of occurrence | Direct Cost per incident | Opportunity Cost per incident | Total UNTREATED Annual Cost
(The Opportunity Cost per incident column carries no values in the sample.)

Asset: Availability of D-XYZ internet connection (rows A8 to A14)

A8   Destruction of key infrastructure (e.g. routers, PIX, switches)
     Likelihood Negligible | Severity Serious | Estimated Risk Nil
     Annual rate 0.05 | Direct cost $1,000,000 | UNTREATED annual cost $50,000

A9   Failure of Cooling System
     Likelihood Medium | Severity Significant | Estimated Risk Medium
     Annual rate 2 | Direct cost $10,000 | UNTREATED annual cost $20,000

A10  Misconfiguration of key infrastructure (e.g. routers, PIX, switches)
     Likelihood Low | Severity Serious | Estimated Risk High
     Annual rate 1 | Direct cost $1,000,000 | UNTREATED annual cost $1,000,000

A11  Hardware failure of key infrastructure (e.g. routers, PIX, switches)
     Likelihood Very Low | Severity Damaging | Estimated Risk Low
     Annual rate 0.5 | Direct cost $100,000 | UNTREATED annual cost $50,000

A12  Incorrect building patching
     Likelihood Low | Severity Significant | Estimated Risk Medium
     Annual rate 1 | Direct cost $10,000 | UNTREATED annual cost $10,000

A13  Denial of service attack on carrier or provider network infrastructure
     Likelihood Very Low | Severity Significant | Estimated Risk Low
     Annual rate 0.5 | Direct cost $10,000 | UNTREATED annual cost $5,000

Page 4: ROSI Calculator 1.2

A14  DNS hardware failure
     Likelihood Negligible | Severity Damaging | Estimated Risk Nil
     Annual rate 0.05 | Direct cost $100,000 | UNTREATED annual cost $5,000

Asset: Availability of D-XYZ internet email (rows A15 to A16)

A15  Denial of service attack on email system
     Likelihood High | Severity Damaging | Estimated Risk High
     Annual rate 12 | Direct cost $100,000 | UNTREATED annual cost $1,200,000

A16  Accidental misconfiguration of mail servers
     Likelihood Low | Severity Damaging | Estimated Risk Medium
     Annual rate 1 | Direct cost $100,000 | UNTREATED annual cost $100,000

ANNUAL TOTALS  $2,440,000

SUMMARY
  Annual Cost of Incidents - Untreated                       $2,440,000
  Annual Cost of Incidents - Residual after Countermeasures  $116,600
  Annual Gross Savings                                       $2,323,400
  Countermeasure Upfront Cost                                $370,000
  Countermeasure Recurring Cost                              $105,000
  Amortisation period (years)                                3
  Amortised Countermeasure upfront cost                      $123,333
  Countermeasure Annual Cost                                 $228,333
  Annual Nett Savings                                        $2,095,067

Page 5: ROSI Calculator 1.2

Columns (continued, one block per threat, in the same row order as A8 to A16): Counter Measures | Upfront Cost per Countermeasure | Recurring Cost per Countermeasure | Residual likelihood | Residual severity | Total TREATED Annual Cost | Saving Per Threat | Notes
("Counted" marks a countermeasure whose cost is already included against an earlier threat; the totals sum each countermeasure once.)

A8   Business Continuity Plan (1): upfront $50,000, recurring $20,000
     Spare parts (4): upfront $50,000, recurring $10,000
     Service level agreements (5): upfront $0, recurring $0
     Physical security (access control procedures and controls for computer room) (6): upfront $10,000, recurring $10,000
     Residual likelihood Negligible | Residual severity Minor | TREATED annual cost $50 | Saving $49,950

A9   Environmental controls for computer room (2): upfront $30,000, recurring $5,000
     Business Continuity Plan (1): Counted, Counted
     Service level agreements (5): Counted, Counted
     Residual likelihood Very Low | Residual severity Minor | TREATED annual cost $500 | Saving $19,500
     Notes: Harm reduced to Minor by BCP; Likelihood to Very Low by Environ controls

A10  Configuration management system (8): upfront $70,000, recurring $10,000
     Change control procedures (15): upfront $30,000, recurring $5,000
     Residual likelihood Negligible | Residual severity Serious | TREATED annual cost $50,000 | Saving $950,000
     Notes: Likelihood reduced to Negligible by Config Mgt

A11  Business Continuity Plan (1): Counted, Counted
     Spare parts (4): Counted, Counted
     Service level agreements (5): Counted, Counted
     Residual likelihood Very Low | Residual severity Minor | TREATED annual cost $500 | Saving $49,500
     Notes: Won't affect the likelihood of an event, but reduces harm by better recovery

A12  Standards for cabling including labelling and coding (9): upfront $10,000, recurring $0
     Physical security (6): Counted, Counted
     Residual likelihood Very Low | Residual severity Significant | TREATED annual cost $5,000 | Saving $5,000

A13  Large capacity network connection (10): upfront $10,000, recurring $10,000
     Redundant Internet connection (7): upfront $10,000, recurring $10,000
     Residual likelihood Very Low | Residual severity Minor | TREATED annual cost $500 | Saving $4,500
     Notes: Redundancy means minor effect on failover

Page 6: ROSI Calculator 1.2

A14  Replication of DNS server (11): upfront $10,000, recurring $0
     Residual likelihood Negligible | Residual severity Minor | TREATED annual cost $50 | Saving $4,950

A15  Network based Intrusion Detection System (NIDS) (12): upfront $70,000, recurring $20,000
     Use DSD evaluated products (13): upfront $20,000, recurring $5,000
     Deny all unless explicitly allowed firewall rules (14): upfront $0, recurring $0
     Residual likelihood Low | Residual severity Significant | TREATED annual cost $10,000 | Saving $1,190,000

A16  Change control procedures (15) (including peer review): Counted, Counted
     Residual likelihood Very Low | Residual severity Damaging | TREATED annual cost $50,000 | Saving $50,000
     Notes: No amelioration of degree of harm

TOTALS  Upfront $370,000 | Recurring $105,000 | TREATED annual cost $116,600 | Saving $2,323,400
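The arithmetic the sheet performs, as an added example (not the ROSI tool's own code): Table 1 and Table 2 drive a per-risk-point annual cost capped at one Grave incident, and the summary is untreated cost minus treated cost minus recurring plus amortised upfront countermeasure cost. The function names and tuple layout are my own; the threat grades, countermeasure costs and the three-year amortisation are the sample's.

```python
# Added example (not the ROSI tool's own code): the sheet's arithmetic in Python.
# FREQ and COST are Tables 1 and 2; the sample data below is the sheet's TRA.
FREQ = {"Negligible": 0.05, "Very Low": 0.5, "Low": 1.0, "Medium": 2.0,
        "High": 12.0, "Very High": 50.0, "Extreme": 500.0}  # max freq p.a.
COST = {"Insignificant": 0, "Minor": 1_000, "Significant": 10_000,
        "Damaging": 100_000, "Serious": 1_000_000, "Grave": 10_000_000}
CAP = COST["Grave"]  # annual cost is capped at the cost of one Grave incident

def annual_cost(likelihood, severity):
    """Annual incident cost at one risk point: rate x direct cost, capped."""
    return min(FREQ[likelihood] * COST[severity], CAP)

def rosi(threats, countermeasures, amortisation_years):
    """threats: (id, likelihood, severity, residual likelihood, residual severity);
    countermeasures: (name, upfront, recurring), each listed once (the sheet marks
    re-used countermeasures 'Counted' so they are not summed twice)."""
    untreated = sum(annual_cost(l, s) for _, l, s, _, _ in threats)
    treated = sum(annual_cost(rl, rs) for _, _, _, rl, rs in threats)
    upfront = sum(u for _, u, _ in countermeasures)
    recurring = sum(r for _, _, r in countermeasures)
    cm_annual = recurring + upfront / amortisation_years  # amortised upfront
    return {"untreated": untreated, "treated": treated,
            "gross_saving": untreated - treated, "upfront": upfront,
            "recurring": recurring, "countermeasure_annual": cm_annual,
            "nett_saving": untreated - treated - cm_annual}

# Sample TRA rows A8..A16 as on the sheet (residual grades after countermeasures).
SAMPLE_THREATS = [
    ("A8", "Negligible", "Serious", "Negligible", "Minor"),
    ("A9", "Medium", "Significant", "Very Low", "Minor"),
    ("A10", "Low", "Serious", "Negligible", "Serious"),
    ("A11", "Very Low", "Damaging", "Very Low", "Minor"),
    ("A12", "Low", "Significant", "Very Low", "Significant"),
    ("A13", "Very Low", "Significant", "Very Low", "Minor"),
    ("A14", "Negligible", "Damaging", "Negligible", "Minor"),
    ("A15", "High", "Damaging", "Low", "Significant"),
    ("A16", "Low", "Damaging", "Very Low", "Damaging"),
]
SAMPLE_COUNTERMEASURES = [  # (name, upfront $, recurring $) from the sheet
    ("BCP (1)", 50_000, 20_000), ("Environmental controls (2)", 30_000, 5_000),
    ("Spare parts (4)", 50_000, 10_000), ("SLAs (5)", 0, 0),
    ("Physical security (6)", 10_000, 10_000), ("Redundant Internet (7)", 10_000, 10_000),
    ("Config management (8)", 70_000, 10_000), ("Cabling standards (9)", 10_000, 0),
    ("Large capacity connection (10)", 10_000, 10_000), ("DNS replication (11)", 10_000, 0),
    ("NIDS (12)", 70_000, 20_000), ("DSD evaluated products (13)", 20_000, 5_000),
    ("Deny-all firewall rules (14)", 0, 0), ("Change control (15)", 30_000, 5_000),
]

if __name__ == "__main__":
    for key, value in rosi(SAMPLE_THREATS, SAMPLE_COUNTERMEASURES, 3).items():
        print(f"{key:>22}: ${value:>13,.0f}")
```

Running it reproduces the SUMMARY block above; `annual_cost("High", "Serious")` shows the cap, since 12 x $1,000,000 is clipped to $10,000,000.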