In this exercise, we will ask you to attribute losses to two hypothetical attacks. These two hypothetical attacks help us gauge how participants assign blame to the same incident. In the exercise, you will need to attribute the provided losses to specific subcontrol failures that would be probably for this type of incident. With SCRAM, we ask firms to choose up to 5 failed subcontrols that were responsible for each loss that is contributed to the platform. Using the green columns in the linked spreadsheet below, enter the value “1” for up to five subcontrols that would likely be responsible for each of the following losses.

• Event 01: DDoS attack with an estimated loss of $100,000
• Event 02: Ransomware attack with an estimated loss of $150,000

(NOTE: Don’t put in any of your real data. This is only to see how we as a group assign blame for these synthetic situations).

• Step 1: Download the data template (xls, 2021-03-05)
• Step 2: Assign responsibility for the provided losses with up to 5 implicated subcontrols (CIS 20)
• Step 3: Log in to the SCRAM development server and upload your data.
• Step 4: Discuss the results after the computation.