# talk about information security Scenario 1: Use the following facts to assess the time-based…

Scenario 1: Use the following facts to assess the time-based model of security for the ABC Company; how
well does the existing system protect ABC? Assume the best-, average-, and worst-case estimates areindependent for each component of the model.• Estimated time that existing controls will protect the system from attack (No 5) 14 minutes (bestcase), 18 minutes (average case), and 22 minutes (Worst case)• Estimated time to detect that an attack is happening (No 5) 6 minutes (best case), 9 minutes(average case) and 12 minutes (worst case)• Estimated time to respond to an attack (No 5) once it has been detected 5 minutes (best case), 10minutes (average case), and 15 minutes (worst case)Scenario 2: The company is considering investing an additional \$100,000 to improve its security. Giventhe following possibilities, which single investment would you recommend? Explain your answer.• An investment of \$100,000 in better perimeter defenses would change the estimates for protectiontime to 20 minutes (worst case), 24 minutes (average case), and 30 minutes (best case).• An investment of \$100,000 in better detection systems would change the estimates for detectiontime to 3 minutes (best case), 5 minutes (average case), and 8 minutes (worst case).• An investment of \$100,000 in training would change the estimates for response time to 1 minute(best case), 2 minutes (average case), and 4 minutes (worst case).[Answer Hints: Research on ‘The time-based model of information security’ to have most accurate idea foranswer.Time-based model of information security: Using the formula to evaluate if security procedures areeffective (if true)… P>D+R, where P=the time it takes an attacker to break through the various controls thatprotect the organization’s information assets, D=the time it takes for the organization to detect that anattack is in progress, and R=the time it takes to respond to and stop the attack. ]

