
CAS-003 · Question #447

CAS-003 Question #447: Real Exam Question with Answer & Explanation

The correct answers are A (ALE) and D (ARO). ROI for a security control compares the annual cost of the control against the Annual Loss Expectancy (ALE) it reduces, and ALE is the Single Loss Expectancy (SLE) multiplied by the Annualized Rate of Occurrence (ARO), so both values must be calculated.

Question

A legacy web application, which is being used by a hospital, cannot be upgraded for 12 months. A new vulnerability is found in the legacy application, and the networking team is tasked with mitigation. Middleware for mitigation will cost $100,000 per year. Which of the following must be calculated to determine ROI? (Choose two.)

Options

  • A. ALE
  • B. RTO
  • C. MTBF
  • D. ARO
  • E. RPO

Explanation

ROI for a security control is determined by comparing the annual cost of the control ($100,000 here) with the annual loss it is expected to prevent. That expected loss is the Annual Loss Expectancy (ALE), the product of the Single Loss Expectancy (SLE, the cost of one occurrence of the event) and the Annualized Rate of Occurrence (ARO, the number of times the event is expected per year). Because ALE cannot be computed without ARO, both must be calculated; the control is worth buying when the reduction in ALE it delivers over the 12 months exceeds its annual cost.
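The calculation carried through in code, as an added example that is not part of the original question or explanation. The $100,000 annual middleware cost is the only figure the question supplies; the SLE of $500,000 and the ARO values of 0.5 (unmitigated) and 0.05 (with the middleware) are constructed assumptions chosen to make the arithmetic visible. The example also adds a break-even check that the question does not ask for: the smallest drop in ARO that would justify the control's cost.

```python
"""Worked ALE / ROI calculation for a security control.

Added example; the dollar figures and rates below are constructed
assumptions, not values from the exam question (which gives only the
$100,000 annual cost of the middleware).
"""


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence."""
    return sle * aro


def control_cost_benefit(sle: float, aro_before: float, aro_after: float,
                         annual_cost: float) -> dict:
    """Compare a control's annual cost with the loss it is expected to prevent.

    aro_before: expected yearly occurrences with the vulnerability unmitigated
    aro_after:  expected yearly occurrences once the control is in place
    """
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    ale_before = ale(sle, aro_before)
    ale_after = ale(sle, aro_after)
    risk_reduction = ale_before - ale_after        # ALE avoided by the control
    net_benefit = risk_reduction - annual_cost     # positive => control pays for itself
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "risk_reduction": risk_reduction,
        "net_benefit": net_benefit,
        "roi": net_benefit / annual_cost,          # 1.25 means a 125% return on the spend
    }


def break_even_aro_reduction(sle: float, annual_cost: float) -> float:
    """Smallest drop in ARO for which the control's avoided loss equals its cost.

    Solves sle * delta_aro = annual_cost for delta_aro.
    """
    if sle <= 0:
        raise ValueError("sle must be positive")
    return annual_cost / sle


if __name__ == "__main__":
    # Constructed scenario: a breach through the legacy hospital application is
    # assumed to cost $500,000 per incident (SLE), to occur once every two years
    # unmitigated (ARO 0.5) and once every twenty years with the middleware in
    # place (ARO 0.05). The $100,000/yr control cost comes from the question.
    result = control_cost_benefit(sle=500_000, aro_before=0.5, aro_after=0.05,
                                  annual_cost=100_000)
    for name, value in result.items():
        print(f"{name:15s} {value:>12,.2f}")
    print("break-even ARO reduction:",
          break_even_aro_reduction(500_000, 100_000))
```

With these assumed inputs the unmitigated ALE is $250,000, the residual ALE is $25,000, and the middleware avoids $225,000 of expected loss for $100,000 spent, a net benefit of $125,000. The break-even value shows why ARO is a required input: the control only pays for itself if it cuts the expected occurrence rate by at least 0.2 per year at this SLE.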

Common mistakes.

  • B. RTO (Recovery Time Objective) defines the maximum tolerable downtime for a system; it is a business continuity metric, not a financial risk calculation input.
  • C. MTBF (Mean Time Between Failures) measures hardware reliability and availability; it informs maintenance decisions but is not a direct input to the ALE-based ROI formula.
  • E. RPO (Recovery Point Objective) defines the acceptable amount of data loss measured in time; it is a business continuity metric unrelated to the financial ROI calculation for a security control.

Concept tested. Calculating security control ROI using ALE and ARO

Reference. https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
