PrepAway - Latest Free Exam Questions & Answers

Which of the following should the security administrator do in regards to the application?

A security administrator plans on replacing a critical business application in five years. Recently,
there was a security flaw discovered in the application that will cause the IT department to
manually re-enable user accounts each month at a cost of $2,000. Patching the application today
would cost $140,000 and take two months to implement. Which of the following should the security
administrator do in regards to the application?


A. Avoid the risk to the user base allowing them to re-enable their own accounts

B. Mitigate the risk by patching the application to increase security and saving money

C. Transfer the risk replacing the application now instead of in five years

D. Accept the risk and continue to enable the accounts each month saving money

Explanation:
This is a risk acceptance measure that has to be implemented since the cost of patching would be
too high compared to the cost to keep the system going as is. Risk acceptance is often the choice
you must make when the cost of implementing any of the other four choices (i.e. risk deterrence,
mitigation, transference or avoidance) exceeds the value of the harm that would occur if the risk
came to fruition.

One Comment on “Which of the following should the security administrator do in regards to the application?”

  1. Zemichael says:

    Here is my calculation: one year of maintenance is $2,000 × 12 months = $24,000;
    for 5 years that is $24,000 × 5 years = $120,000.
    Add extra to fix: $2,000 × 2 months.
    $120,000 + $4,000 = $124,000.
    To replace new costs $140,000.
    By keeping it the way it is, you save ($140,000 – $124,000) = $16,000.
    This amount you can give to your IT as a bonus, $3,200 every year for five years. That is a cheap bonus.



