Calculating ROI for Legacy Web Application Vulnerability Mitigation

Question

A legacy web application, which is being used by a hospital, cannot be upgraded for 12 months.

A new vulnerability is found in the legacy application, and the networking team is tasked with mitigation.

Middleware for mitigation will cost $100,000 per year.

Which of the following must be calculated to determine ROI? (Choose two.)

Answers

A. ALE
B. RTO
C. MTBF
D. ARO
E. RPO

Correct answer: A, D

Explanations

ROI (Return on Investment) is a financial metric that measures whether an investment pays for itself, by comparing the cost of the investment with the benefit it produces. In this scenario, the ROI is calculated to determine whether the $100,000-per-year middleware is justified by the loss it prevents.

To calculate the ROI, the two key metrics that need to be determined are:

  1. Annualized Loss Expectancy (ALE): ALE is the expected loss for an asset due to a particular risk over one year. It is calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO). SLE is the expected loss from a single occurrence of the risk, while ARO is the expected number of times the risk will occur in a year.

  2. Cost of mitigation: The cost of middleware for mitigating the vulnerability is $100,000 per year.

Therefore, the two options that need to be calculated to determine ROI are:

A. ALE: ALE needs to be calculated to determine the expected loss for the hospital due to the vulnerability in the legacy web application. Once ALE is determined, it can be compared with the cost of middleware to determine whether the investment is justified.

D. ARO: ARO needs to be calculated to determine how often, per year, the vulnerability in the legacy web application is expected to be exploited. ARO is a factor in calculating ALE, and so feeds directly into the cost-benefit analysis of investing in middleware to mitigate the vulnerability.

The other options, B. RTO (Recovery Time Objective), C. MTBF (Mean Time Between Failures), and E. RPO (Recovery Point Objective), are not directly relevant to determining ROI in this scenario. MTBF is a measure of how long a system runs between failures, RTO is the maximum amount of time recovery from a disruption should take, and RPO is the maximum amount of data loss that can be tolerated in the event of a disruption.
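The calculation behind the answer, as an added worked example that is not part of the original question or explanation. It applies ALE = SLE x ARO to the $100,000-per-year middleware from the question; the SLE and ARO figures are constructed for illustration, and the ROI formula used, (annual loss avoided minus annual cost) divided by annual cost, is an assumption about how the comparison is scored.

```python
# Quantitative risk math behind the question: ALE = SLE x ARO, and the
# middleware is justified when the ALE it removes exceeds its annual cost.
# All dollar figures and rates below are constructed for illustration.

MIDDLEWARE_COST_PER_YEAR = 100_000.0   # given in the question


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy: loss per incident times incidents per year."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def annual_benefit(sle: float, aro_before: float, aro_after: float) -> float:
    """Loss avoided per year by the control: ALE without it minus ALE with it."""
    return ale(sle, aro_before) - ale(sle, aro_after)


def roi(sle: float, aro_before: float, aro_after: float, cost: float) -> float:
    """ROI as a fraction (assumed formula): (benefit - cost) / cost.
    Positive means the control prevents more loss than it costs."""
    if cost <= 0:
        raise ValueError("control cost must be positive")
    return (annual_benefit(sle, aro_before, aro_after) - cost) / cost


def break_even_aro_reduction(sle: float, cost: float) -> float:
    """How much the control must cut ARO for its cost to equal the loss it prevents."""
    if sle <= 0:
        raise ValueError("SLE must be positive")
    return cost / sle


if __name__ == "__main__":
    sle = 750_000.0    # constructed: cost of one exploitation (response, downtime, fines)
    aro_before = 0.4   # constructed: about one exploitation every 2.5 years unmitigated
    aro_after = 0.05   # constructed: residual rate with the middleware in place
    print(f"ALE without middleware: ${ale(sle, aro_before):,.0f}")
    print(f"ALE with middleware:    ${ale(sle, aro_after):,.0f}")
    print(f"ROI: {roi(sle, aro_before, aro_after, MIDDLEWARE_COST_PER_YEAR):.0%}")
    cut = break_even_aro_reduction(sle, MIDDLEWARE_COST_PER_YEAR)
    print(f"Middleware breaks even if it cuts ARO by at least {cut:.3f} per year")
```

With these constructed inputs the middleware removes $262,500 of expected annual loss for $100,000, so it clears the break-even point comfortably; if the estimated SLE or ARO reduction were much smaller, the same functions would show a negative ROI.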