# Cost-Benefit Analysis

The book outlines the process of completing a cost-benefit analysis. The recorded lecture also shows an example of completing the quantitative part of a CBA (it doesn’t discuss the research part). To help you get started, I’ve provided an for your CBA.

Here is what you need to do:

1. Pick a company to conduct the analysis for.
You will need to pick a company so that you’ll be able to make some realistic assumptions about information technology risks, threats and controls (especially quantitatively). You may pick a company you’re personally familiar with or one that you’ve read about in a case in previous weeks. It’s probably not a good idea to pick a large multinational enterprise, though. You may need information like number of employees, location (in case of natural disaster threats), annual revenue/profit, etc.
2. Select (at least) 5 information assets (hardware, software, data, procedures, people) that are important for your selected company to perform business operations.
Assign a dollar value to each asset. Use any method discussed in the text, but be consistent for all three assets.
3. Select (at least) 5 security threats.
Ideally, pick threats from several different threat categories. The threats you pick must have vulnerabilities that would impact the asset (i.e., a T1V1A1 entry should exist).

You would really need to complete a TVA worksheet here. However, you can just “guesstimate” what you feel are the top 5+ assets and top 5+ threats to this company.

4. Research the annual rate of occurrence of these threats for your business.
You will need to make a number of assumptions. That’s fine, but be sure they are somehow supported by fact. Find and reference some information that supports your assumptions.
5. Research the loss expectancy of incidents.
6. Research controls that can help mitigate those risks.
Select at least 2 for each threat. Calculate (again supported by fact) the annualized cost of those controls as it would apply to your firm.
7. Complete the CBA worksheet (using Excel formulas for anything that’s calculated).
8. Write up (a few paragraphs should be sufficient) a brief analysis of each control. Does it make sense to implement it? Why or why not?
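As an added worked example (not part of the assignment materials or the course text), the following script carries out the quantitative part of the CBA worksheet for one threat/asset pair and two candidate controls. It assumes the standard risk-management formulas (SLE = AV × EF, ALE = SLE × ARO, CBA = ALE(prior) − ALE(post) − ACS); every asset value, exposure factor, rate and cost is a constructed sample figure, not researched data.

```python
from dataclasses import dataclass

# Assumed standard formulas:
#   SLE = AV x EF          single loss expectancy
#   ALE = SLE x ARO        annualized loss expectancy
#   CBA = ALE(prior) - ALE(post) - ACS
# All asset, threat and control figures below are constructed sample values.

@dataclass
class Scenario:
    asset: str
    asset_value: float      # AV, dollars
    threat: str
    exposure_factor: float  # EF, fraction of AV lost per incident
    aro: float              # annual rate of occurrence, incidents/year

@dataclass
class Control:
    name: str
    annual_cost: float      # ACS, annualized cost of the safeguard
    residual_aro: float     # ARO after the control is in place
    residual_ef: float      # EF after the control is in place

def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    return asset_value * exposure_factor * aro   # SLE x ARO

def cba_row(s: Scenario, c: Control) -> dict:
    """One line of the CBA worksheet for a (threat, asset, control) triple."""
    prior = ale(s.asset_value, s.exposure_factor, s.aro)
    post = ale(s.asset_value, c.residual_ef, c.residual_aro)
    return {"control": c.name, "ale_prior": prior, "ale_post": post,
            "acs": c.annual_cost, "cba": prior - post - c.annual_cost}

def worksheet(s: Scenario, controls: list) -> list:
    """Rows for every control, sorted so the best-value control comes first."""
    return sorted((cba_row(s, c) for c in controls), key=lambda r: -r["cba"])

# Constructed example: a small firm's customer database facing ransomware.
DB_RANSOMWARE = Scenario("customer database", 200_000, "ransomware", 0.6, 0.25)
CONTROLS = [
    Control("offline nightly backups", 8_000, residual_aro=0.25, residual_ef=0.1),
    Control("managed endpoint detection", 30_000, residual_aro=0.05, residual_ef=0.6),
]

if __name__ == "__main__":
    for r in worksheet(DB_RANSOMWARE, CONTROLS):
        verdict = "worth implementing" if r["cba"] > 0 else "not justified"
        print(f'{r["control"]:28} ALE prior ${r["ale_prior"]:>9,.0f}  '
              f'ALE post ${r["ale_post"]:>9,.0f}  ACS ${r["acs"]:>8,.0f}  '
              f'CBA ${r["cba"]:>9,.0f}  {verdict}')
```

A negative CBA (the second control above) is the quantitative signal that the control costs more per year than the loss it removes, which is exactly the question the write-up in the final step has to answer.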

Submit (attach multiple files to a single submission – please don’t zip or do multiple submissions):

• The completed CBA Excel spreadsheet