Kim manages risk for an online publishing company on the island of St. Kitts, which currently uses an on-premises datacenter as its content development facility; it e-ships content to customers who are then responsible for hosting it wherever they want. Kim’s division vice president is concerned about risks, and so Kim has done some estimating. The datacenter has enough backup power supply capacity to do a graceful shutdown, but normal round-the-clock, seven-day-per-week development operations must have commercial power available. Recent experience shows that at least once per month, a brownout or blackout lasting at least eight hours occurs. Each disruption costs the company an additional two hours to restore operations. Which statements about risk assessment are not correct? (Choose all that apply.)
A. Risk appetite should determine the MAO, which can then be used as part of estimating SLE.
B. If the SLE exceeds the safeguard value, Kim should advise that the company implement that safeguard.
C. If the ALE exceeds the safeguard value, Kim should advise that the company implement that safeguard.
D. Once she has estimated the ALE, Kim can assess different safeguards to see how long their payback period might be so that she can advise her management regarding these alternatives.
Are you saying that B is considered a correct answer here per the exam?
A isn't.
B isn't, imho, either. Given that SLE is to be multiplied by probability.
C is a correct answer.
D is a correct answer.
@Ron62659 This question made my brain hurt; apologies if I have this wrong, but I think what the question and answer B is trying to get you to recognize is that SLE in this case should be significantly less than ALE (Single Loss Expectancy x Annual Rate of Occurrence = Annual Loss Expectancy) given that the outages happen at least once per month. Hence, if the SLE exceeds safeguard value, then most definitely (in this case) ALE would exceed safeguard value (which is also answer C).
Despite the effort to present this as a "real-world" scenario, I'm not sure I like this question. There are ample tools for studying risk or it is easy enough to build out a spreadsheet if you don't have such resources. These are assessments that should be done thoughtfully, not off the top of your head (as the question seems to induce). In other words - and perhaps to your post - you should never have to compare SLE and safeguard value (you should be comparing ALE before and after). That said, it's a way of testing whether you understand the terms and formula in a way that is more creative than recitation.
Most of the time if the safeguard cost exceeds the loss expectancy money value, the business will usually eat the cost. That's what this question is trying to convey, but we don't have enough information from the question to answer what you're asking. We would need to know how much money it costs the company to be down 10 hours per month to calculate the ALE. Once we know that cost, we then could compare that to the safeguard cost to know if it's a viable option. I hope that makes sense.
Here's my swipe at these answers, fully open to dispute/debate 🙂
A. Risk appetite should determine the MAO, which can then be used as part of estimating SLE.
I say this is incorrect. Yes, risk appetite will influence maximum allowable outage/downtime, but that should not be part of estimating SLE. The loss expectancy is a matter of asset value and exposure factor. The fact that an organization doesn't mind if its headquarters burns down doesn't change the asset loss if that does happen.
B. If the SLE exceeds the safeguard value, Kim should advise that the company implement that safeguard.
In this case, I say this is correct(ish). Safeguard value is the difference between ALE before and after, minus the cost of the safeguard. Hence, if the original ALE is greater than the safeguard value, then the safeguard makes sense. Since SLE has to be less than ALE in this case (these are monthly occurrences), if SLE is greater than safeguard value, ALE must be too. HOWEVER, you need to compute the safeguard values for all the possible strategies. Just because one strategy works financially, it doesn't mean it is the best one or the preferred one.
C. If the ALE exceeds the safeguard value, Kim should advise that the company implement that safeguard.
I see this as basically the same as B in this scenario.
D. Once she has estimated the ALE, Kim can assess different safeguards to see how long their payback period might be so that she can advise her management regarding these alternatives.
I'd call this the most correct of the four statements.
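To make the SLE/ALE/safeguard-value discussion above concrete, here is a worked quantitative risk calculation for the scenario in the question. This is an added example and not part of the thread or the exam material; the outage frequency (12 per year) and the 8 + 2 hours lost per outage come from the question, while the hourly cost of lost development time and every figure attached to the candidate safeguards (`HOURLY_COST`, `CANDIDATES`, residual outage rates) are constructed assumptions. It computes SLE and ALE, the annual net saving of each safeguard (ALE before minus ALE after minus annual cost), the payback period on the one-time cost (answer D), and checks the point raised about answers B and C: with ARO at or above 1, any cost the SLE exceeds is also exceeded by the ALE, but not the other way round.

```python
"""Worked quantitative risk analysis for the St. Kitts datacenter question.

Added example, not part of the thread. Every dollar figure below (hourly cost
of lost development time, safeguard costs, residual outage rates after each
safeguard) is a constructed assumption; only the outage frequency and the
hours lost per outage come from the question.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Facts from the question
OUTAGES_PER_YEAR = 12            # at least one brownout/blackout per month
HOURS_LOST_PER_OUTAGE = 8 + 2    # eight-hour outage plus two hours to restore

# Assumption (not in the question): value of one hour of development operations
HOURLY_COST = 5_000.0


def sle(hours_lost: float, hourly_cost: float = HOURLY_COST) -> float:
    """Single Loss Expectancy: the loss from one outage, here hours lost x cost/hour."""
    return hours_lost * hourly_cost


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x Annualized Rate of Occurrence."""
    return single_loss * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and its (assumed) effect on the outage risk."""
    name: str
    capital_cost: float      # one-time purchase or migration cost
    annual_cost: float       # recurring operating cost per year
    residual_aro: float      # outages per year that still cause downtime
    residual_hours: float    # hours lost per outage that still gets through


def ale_after(s: Safeguard, hourly_cost: float = HOURLY_COST) -> float:
    """ALE with the safeguard in place, from the residual rate and duration."""
    return ale(sle(s.residual_hours, hourly_cost), s.residual_aro)


def annual_net_saving(ale_before: float, s: Safeguard) -> float:
    """Cost/benefit of the safeguard: ALE before - ALE after - annual cost.
    This, not a raw SLE comparison, is the figure that should drive the decision."""
    return ale_before - ale_after(s) - s.annual_cost


def payback_years(ale_before: float, s: Safeguard) -> Optional[float]:
    """Years until the one-time cost is recovered; None if it never pays back."""
    saving = annual_net_saving(ale_before, s)
    return s.capital_cost / saving if saving > 0 else None


def sle_test_implies_ale_test(single_loss: float, aro: float, cost: float) -> bool:
    """With ARO >= 1, ALE >= SLE, so 'SLE > cost' implies 'ALE > cost'.
    Returns True when the implication holds for the given numbers."""
    return (single_loss <= cost) or (ale(single_loss, aro) > cost)


def rank(candidates: List[Safeguard], ale_before: float
         ) -> List[Tuple[str, float, Optional[float]]]:
    """Order candidates by annual net saving, best first."""
    rows = [(s.name, annual_net_saving(ale_before, s), payback_years(ale_before, s))
            for s in candidates]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed candidates; all numbers are assumptions for illustration only.
CANDIDATES = [
    Safeguard("Battery extension (4 h of UPS runtime)", 30_000, 3_000, 12, 6),
    Safeguard("Diesel generator with maintenance contract", 120_000, 15_000, 1, 4),
    Safeguard("Move development to a cloud region", 40_000, 90_000, 0.5, 3),
    Safeguard("Second datacenter on another island", 900_000, 400_000, 0.1, 2),
]

if __name__ == "__main__":
    single = sle(HOURS_LOST_PER_OUTAGE)
    annual = ale(single, OUTAGES_PER_YEAR)
    print(f"SLE ${single:,.0f}  ARO {OUTAGES_PER_YEAR}  ALE ${annual:,.0f}")
    for name, saving, pb in rank(CANDIDATES, annual):
        pb_txt = f"{pb:.2f} yr" if pb is not None else "never"
        print(f"{name:48} net saving ${saving:>10,.0f}/yr  payback {pb_txt}")
    # The second datacenter's $400k/yr cost exceeds the $50k SLE but not the
    # $600k ALE: it fails the SLE test yet still passes the ALE test.
```

Under these assumptions the generator ranks first on annual net saving even though the cloud move pays back its one-time cost fastest, which is the point made above about computing the value of every candidate rather than stopping at the first one that clears the bar.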