PrepAway - Latest Free Exam Questions & Answers

What is the highest amount a company should spend annually on countermeasures for protecting an asset
valued at $1,000,000 from a threat that has an annualized rate of occurrence (ARO) of once every five years
and an exposure factor (EF) of 30%?

A. $300,000
B. $150,000
C. $60,000
D. $1,500

Explanation:
The exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset.
The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific
threat taking place within a 12-month timeframe. The range can be from 0.0 (never) to 1.0 (once a year) to
greater than 1 (several times a year) and anywhere in between. For example, if the probability of a fire taking
place and damaging our data warehouse is once every ten years, the ARO value is 0.1.
In this question, the EF is 30%, so the loss from a single occurrence (the single loss expectancy, SLE) is $1,000,000 x 30% = $300,000.
The ARO is once every five years which equals 0.2 (1 / 5).
Therefore, the highest amount a company should spend annually on countermeasures is $300,000 x 0.2 =
$60,000.
Incorrect Answers:
A: The highest amount a company should spend annually on countermeasures is $60,000, not $300,000.
B: The highest amount a company should spend annually on countermeasures is $60,000, not $150,000.
D: The highest amount a company should spend annually on countermeasures is $60,000, not $1,500.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 87
