Systems Security Certified Practitioner – SSCP – Question0568

What is the highest amount a company should spend annually on countermeasures for protecting an asset valued at $1,000,000 from a threat that has an annualized rate of occurrence (ARO) of once every five years and an exposure factor (EF) of 30%?

A. $300,000
B. $150,000
C. $60,000
D. $1,500

Correct Answer: C

Explanation:

The annual cost of a countermeasure should not be greater than the risk it mitigates, expressed as the annualized loss expectancy (ALE). For a quantitative risk assessment, the equation is ALE = ARO x SLE, where the SLE is calculated as the product of asset value x exposure factor. An event that happens once every five years has an ARO of .2 (1 divided by 5).
SLE = Asset Value (AV) x Exposure Factor (EF)
SLE = 1,000,000 x .30 = 300,000
ALE = SLE x Annualized Rate of Occurrence (ARO)
ALE = 300,000 x .2 = 60,000
Know your acronyms:
ALE – Annual loss expectancy
ARO – Annual rate of occurrence
SLE – Single loss expectancy
The following are incorrect answers:
$300,000 is incorrect. See the explanation of the correct answer for the correct calculation.
$150,000 is incorrect. See the explanation of the correct answer for the correct calculation.
$1,500 is incorrect. See the explanation of the correct answer for the correct calculation.
Reference(s) used for this question: McGraw-Hill, Shon Harris, CISSP All In One (AIO) book, Sixth Edition, Pages 87-88 and Official ISC2 Guide to the CISSP Exam (OIG), Pages 60-61