Assignment title: Computer E-security
Question
1. Suppose XYZ Software Company has a new application development project, with projected
revenues of $1,200,000. Using the following table, calculate the ARO and ALE for each
threat category that XYZ Software Company faces for this project. Show all the intermediate
steps and formulae used.
[3 marks]
Threat category                 Cost per Incident   Frequency of Occurrence
Programmer mistakes             $5,000              1 per month
Loss of intellectual property   $75,000             1 per year
Software piracy                 $500                1 per week
Virus, worms, Trojan horses     $1,500              1 per week
Fire                            $500,000            1 per 10 years
2. Assume a year has passed and XYZ has improved security by applying a number of controls.
Using the information from the previous exercise and the following table, calculate the post-control
ARO and ALE for each threat category listed.
[3 marks]
Threat categories               Cost per Incident   Frequency of Occurrence   Cost of Control   Type of Control
Programmer mistakes             $4,000              1 per month               $10,000           Training
Loss of intellectual property   $75,000             1 per 2 years             $25,000           Firewall/IDS
Software piracy                 $800                1 per month               $30,000           Firewall/IDS
Virus, worms, Trojan horses     $1,500              1 per month               $15,000           Antivirus
Fire                            $500,000            1 per 10 years            $10,000           Insurance/backups
CP5603 JCU Brisbane Individual Assignment
Page 3 of 5
Why have some values changed in the columns Cost per Incident and Frequency of
Occurrence?
[1 mark]
3. Assume the values in the Cost of Control column presented in the table are those unique costs
directly associated with protecting against that threat. In other words, don't worry about
overlapping costs between controls. Calculate the CBA for the planned risk control approach
for each threat category and determine if the proposed control is worth the costs.
[3 marks]
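A worked computation of Questions 1 to 3 over the two tables above, added here as an example and not part of the assignment sheet. It assumes the standard risk-management formulas ARO = occurrences per year, ALE = SLE x ARO (SLE being the cost per incident) and CBA = ALE(prior) - ALE(post) - ACS (ACS being the annual cost of the control), with a positive CBA meaning the control is worth its cost.

```python
# Added worked example (not part of the assignment sheet): ARO, ALE and CBA for
# the two tables above, using the standard formulas
#   ARO = incidents per year,  ALE = SLE * ARO,  CBA = ALE(prior) - ALE(post) - ACS
# where SLE is the cost per incident and ACS the annual cost of the control.
from fractions import Fraction

# Occurrences per year for each period unit used in the tables.
PER_YEAR = {"month": 12, "week": 52, "year": 1}


def aro(frequency: str) -> Fraction:
    """Turn '1 per month', '1 per year' or '1 per 10 years' into an ARO."""
    count, _, rest = frequency.partition(" per ")
    parts = rest.split()
    if len(parts) == 1:                       # e.g. "1 per week"
        return Fraction(int(count)) * PER_YEAR[parts[0]]
    n, unit = parts                           # e.g. "1 per 10 years"
    return Fraction(int(count), int(n)) * PER_YEAR[unit.rstrip("s")]


def ale(sle: int, frequency: str) -> Fraction:
    """Annualised loss expectancy = single loss expectancy * ARO."""
    return sle * aro(frequency)


# Table 1 (before controls) and Table 2 (after controls), exactly as given above.
PRE = {
    "Programmer mistakes": (5_000, "1 per month"),
    "Loss of intellectual property": (75_000, "1 per year"),
    "Software piracy": (500, "1 per week"),
    "Virus, worms, Trojan horses": (1_500, "1 per week"),
    "Fire": (500_000, "1 per 10 years"),
}
POST = {  # (SLE, frequency, annual cost of control)
    "Programmer mistakes": (4_000, "1 per month", 10_000),
    "Loss of intellectual property": (75_000, "1 per 2 years", 25_000),
    "Software piracy": (800, "1 per month", 30_000),
    "Virus, worms, Trojan horses": (1_500, "1 per month", 15_000),
    "Fire": (500_000, "1 per 10 years", 10_000),
}


def cba(threat: str) -> Fraction:
    """Cost-benefit of the control; positive means the control pays for itself."""
    sle0, f0 = PRE[threat]
    sle1, f1, acs = POST[threat]
    return ale(sle0, f0) - ale(sle1, f1) - acs


if __name__ == "__main__":
    for t in PRE:
        before, after, net = ale(*PRE[t]), ale(*POST[t][:2]), cba(t)
        print(f"{t:30} ALE ${float(before):>9,.0f} -> ${float(after):>9,.0f}"
              f"  CBA ${float(net):>9,.0f}  {'worth it' if net > 0 else 'not worth it'}")
```

Note that a control can reduce the ALE and still fail the CBA test (software piracy and fire above), which is the point of Question 3.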
PART 2
Using the figure below, create rules necessary for both the internal and external firewalls to allow a
remote user to access an internal machine from the Internet using the software Timbuktu. Timbuktu
uses UDP 407 and 1419 for Connection setup and handshaking, TCP 1417 for Send commands, TCP
1418 for View screen, TCP 1419 for Send file, and TCP 1420 for Receive file.
[10 marks]
PART 3
Review the following scenarios carefully and respond to each question using the statement provided,
choosing the description you find most appropriate: I feel the actions of this individual were (very
ethical / ethical / neither ethical nor unethical / unethical / very unethical). Justify your responses.
[5 marks]
1. A student found a loophole in the university computer's security system that allowed him
access to other students' records. He told the system administrator about the loophole, but
continued to access others' records until the problem was corrected two weeks later.
a) The student's action in searching for the loophole was:
b) The student's action in continuing to access others' records for two weeks was:
c) The system administrator's failure to correct the problem sooner was:
2. A student enrolled in a computer class was also employed at a local business part-time.
Frequently her homework in the class involved using popular word-processing and
spreadsheet packages. Occasionally she worked on her homework on the office computer at
her part-time job, on her coffee or meal breaks.
a) The student's use of the company computer was:
b) If the student had worked on her homework during "company time" (not during a break), the
student's use of the company computer would have been:
3. A student at a university learned to use an expensive spreadsheet program in her accounti