Stupid ARO question

Up front statement: I have not sat for the test, this comes from a sample question:

When performing quantitative risk calculations, after implementing a countermeasure, what factor will change?
Exposure factor, SLE, ARO, or Asset Value ?

Most people will eliminate Asset Value immediately, however an argument can be made for any of these choices, so it comes down to what ISC2 wants.

Depending on your approach, you could set yourself up for failure. And what I mean by that is lets say in your analysis you try to come up with an example to help you figure it out. Lets say you imagine you are protecting your server room from damage from an earthquake. So you plug in some made up numbers to further help. Lets say the value of your server room equipment is $500,000 so then you infer that whatever countermeasure you put in place will not change that value, so you eliminate Asset Value. So far so good. So now you think to yourself, I have no control over how often the earthquakes happen, I cannot affect the threat, so ARO is not affected either. Whether it happens once every 10 years, or once every 100 years is not going to change regardless of my countermeasure. Now your left with SLE and EF. They both look good, in fact EF looks real good because whatever countermeasure you've implemented is directed at limiting the damage done by the threat event. Perhaps you've lowered the EF from 75% to 25%. However, the SLE is affected by the EF so now your really screwed... which one do I pick? Well as it turns out it doesn't matter because they are both wrong, the answer, as many of you probably know because you've simply memorized it for the test, is ARO.

Definition of ARO: Annualized Rate of Occurrence The annualized rate of occurrence (ARO) is the expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year.

ALE examples from the same book that has the ARO question:
For example, if the SLE of an asset is $90,000 and the ARO for a specific threat (such as total power loss) is .5, then the ALE is $45,000. On the other hand, if the ARO for a specific threat (such as compromised user account) were 15, then the ALE would be
$1,350,000.

So if we look at those ALE examples we see that for the power loss example, most of us would think that the countermeasure to address power loss would be an UPS. If we were to calculate ALE before the UPS, and ALE after the UPS, can anyone tell me why the ALO would change? The power loss is STILL going to happen, we've just mitigated the 'exposure' to the power loss; one could argue that we've drastically reduced the EF, and therefore reduced the SLE.

For the second (compromised user account)example I do see how our countermeasure would affect the ARO because they are directed at preventing (the key word is preventing).

My point is that this question sucks

. You could be approaching the problem in a perfectly acceptable way and arrive at a correct, but wrong ISC2 answer. Unless your countermeasure directly affects the probability of the event happening, then ARO is not the right answer, but that's not always the case. A countermeasure is anything that removes or reduces a vulnerability or protects against one or more specific threats. An UPS is a countermeasure that protects the Availability, and yet if we install one we are not changing ARO.

Find more posts tagged with

Comments

dhay13

I remember a similar question in my studies and I was a little confused by the answer. I don't remember which resource it was from but likely Sybex, but what they said was correct was the ARO. I felt it was EF. Like you, I can't see how a countermeasure can affect how often a tornado occurs, but what you can control is the damage done, which would be EF? The study material said the correct answer was ARO.

My opinion is to not get to wrapped up in an individual topic or question. Focus on having a broad understanding of the material across all domains and you should be good to go. I was averaging anywhere from 65% to 85% across all domains (security testing was my lowest while risk management was my strongest). Besides the 65% in security testing I was over 75% in the other 7 domains so felt pretty good about it and I passed on my first attempt.

Good luck!

JDMurray

What I see first is the use of the term "countermeasure" in the question. A countermeasure comes into play after a threat has been realized, while a safeguard prevents a threat from being realized. For example, fire sprinklers are countermeasures that are activated after a fire has started, while using fire-proof building materials is a safeguard that prevents a fire from starting in the first place.

Assuming the question's author is using the same definition of countermeasure, I do not see how a countermeasure can alter any rate of occurrence. However, a countermeasure certainly alters the Exposure Factor by mitigating the potential loss caused by the threat once the threat has been realized.

If the question used the term "safeguard" then I could see ARO being the answer if the author meant "successful occurrence" and not "any occurrence." There are many attempts made to discover/exploit vulnerabilities, but very few of these attempts are successful because of implicit or explicit safeguards.

Also consider the possibility that people write practice exam items without fully understanding the topic(s) they are writing about.:)

logicmyfoot

Hi,

I think ARO fits in here perfectly because the question asks what changes when a countermeasure is applied.

The cost or value of a safeguard / countermeasure is measured from ROI and Actual cost of the safeguard point of view. When you apply a countermeasure, the EF remains same due to the fact that in the event of a countermeasure /safeguard failure it will still lead to full exposure without any countermeasure applied.

In the example of fire-extinguisher / sprinkler the countermeasure cannot prevent fire from occurring however will lead to reduction in Risk resulting from a fire. In the case of an earthquake, an earthquake resistant building does not reduces exposure from the event however it decreases the damage/risk. Quantitative risk assessment is always about the $ value and ultimately any countermeasure / safeguard needs to be assessed from ROI point of view.

You have to analyze the question from Quantitative Risk Assessment point of view. Does applying a countermeasure reduces the Risk and ultimately saving $$ for my org.

Hope it help and kindly correct in case my understanding needs to be updated .

jcundiff

logicmyfoot wrote: »

Hi,

In the example of fire-extinguisher / sprinkler the countermeasure cannot prevent fire from occurring however will lead to reduction in Risk resulting from a fire. In the case of an earthquake, an earthquake resistant building does not reduces exposure from the event however it decreases the damage/risk. Quantitative risk assessment is always about the $ value and ultimately any countermeasure / safeguard needs to be assessed from ROI point of view.

Hope it help and kindly correct in case my understanding needs to be updated .

It is not reducing risk, and risk was not one of the options...

"Exposure factor (EF) is the subjective, potential percentage of loss to a specific asset if a specific threat is realized. The exposure factor is a subjective value that the person assessing risk must define."

the fire extinguisher reduces the EF because it should reduce the potential percentage of loss because you will be able to put the fire out and not have the building/equipment be a total loss. Due to this, the countermeasure reduced the EF... it did nothing to reduce the risk of a fire occuring

Sirkassad

My point in this discussion was not to say ARO is the wrong answer; in certain scenarios it is the right answer. But in more scenarios it is the wrong answer. The only time adding a countermeasure reduces the ARO is if the countermeasure reduces the likelihood (ie. the risk) of the event happening. However, in practically all scenarios, adding a countermeasure has a direct impact on your exposure factor, which in turns affects your SLE.
I just wanted to point out that if ARO is indeed the 'ISC2' correct answer; it is a terrible question.

Allow me to quote the 7th edition of AIO:

"Applying the right countermeasure can eliminate the vulnerability and exposure, and thus reduce the risk. The company cannot eliminate the threat agent, but it can protect itself and prevent this threat agent from exploiting vulnerabilities within the environment."

I think that sentence proves my point. I will go on to say that in most quantitative scenarios, the variable we have the least control over is the ARO.
Again a quote from Shon:
"The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe."

It is a well known fact that we do not have control over the threat.

JDMurray

jcundiff wrote: »

"Exposure factor (EF) is the subjective, potential percentage of loss to a specific asset if a specific threat is realized. The exposure factor is a subjective value that the person assessing risk must define."

This is exactly what I teach EF to be: how much (percentage) loss occurs after a threat is realized.

Many people assume "Exposure Factor" is the same as "Vulnerability Exposure," and it is not. For example, if a host is exposing three vulnerable services to the Internet, and I patch or disable one of those services, then I have not reduced the host's EF by 33%. The EF only comes into play after one or more of those vulnerable services has been exploited by a threat. The EF % can be derived from both a quantitative calculation and a qualitative judgement.

deadjoe

Fire is the threat. The building is the asset. The asset is made of wood, has a gas stove and is in the middle of the desert (high risk, very vulnerable). ARO is 2. The fire extinguisher is the countermeasure. If the building burns down you lose 100% of the value of your asset, this is the EF.

Yesterday there was a fire but you managed to put it out with the fire extinguisher. Congrats, your countermeasure worked against the threat and you can subtract one off your ARO.

Today there was a bigger fire and your fire extinguisher was too small to put it out. The building burned to the ground. Damn it, this time your countermeasure failed and you lost 100% of your asset.

In retrospect, you should have spent more money on a better countermeasure. Luckily no-one was hurt or killed.

EF should be a constant value. Correct?

That question sucks btw.

JDMurray

deadjoe wrote: »

Yesterday there was a fire but you managed to put it out with the fire extinguisher. Congrats, your countermeasure worked against the threat and you can subtract one off your ARO.

The fire (threat) occurred regardless of the affect (loss) that resulted from the fire. That fire incident would add one to the rate of occurrence of fire for that year. After a few years, you will have metrics for the rates of occurrences of fire that will produce an average ARO for fire threats in your organization.

logicmyfoot

the question clearly is taking about quantitative risk assessment after applying a countermeasure in terms of changes it brings to ALE.

Quoting from Official study guide.

" Calculating Annualized Loss Expectancy with a Safeguard : In addition to determining the annual cost
of the safeguard, you must calculate the ALE for the asset if the safeguard is implemented. This requires a new
EF and ARO specific to the safeguard. In most cases, the EF to an asset remains the same even with an applied
safeguard. (Recall that the EF is the amount of loss incurred if the risk becomes realized.) In other words, if the
safeguard fails, how much damage does the asset receive? Think about it this way: If you have on body armor
but the body armor fails to prevent a bullet from piercing your heart, you are still experiencing the same damage
that would have occurred without the body armor. Thus, if the safeguard fails, the loss on the asset is usually
the same as when there is no safeguard. However, some safeguards do reduce the resultant damage even when
they fail to fully stop an attack. For example, though a fire might still occur and the facility may be damaged by
the fire and the water from the sprinklers, the total damage is likely to be less than having the entire building
burn down.

atech

Interesting question, and it has sparked quite the debate (pun - so sorry).

Roughly, the choices you have to the question break down like so:

Exposure factor
% Loss to an org based on the assets value
SLE
Cost of realised risk against an asset
ARO
Frequency of threat or risk occuring in 1 year

Asset Value
The value of an asset typically expressed in $$$

Without knowing what countermeasure was implemented against what type of asset, we really shouldn't be assuming too much here. To me, the question is really asking "Would a countermeasure reduce the likelihood of a threat occurring?". Without knowing anything else, the best answer would be "Yes", otherwise why would you have implemented it in the first place? Therefore, given the above definitions, ARO is the only correct answer.