A well-known retailer has experienced a massive credit card breach. The retailer had gone through an audit and had been presented with a potential problem on their network. Vendors were authenticating directly to the retailer's AD servers, and an improper firewall rule allowed pivoting from the AD server to the DMZ where credit card servers were kept. The firewall rule was needed for an internally developed application, which presents risk. The retailer determined that because the vendors were required to have site-to-site VPNs, no other security action was taken.
To prove to the retailer the monetary value of this risk, which of the following types of calculation is needed?
Residual Risk calculation
A cost/benefit analysis
Quantitative Risk Analysis
Qualitative Risk Analysis