04 · IMPACT & VALUE

Putting a naira value on doing nothing

A missing security header is abstract. A number is not. This page translates the review's findings into quantified cyber-risk — using the standard Single Loss Expectancy and Annualised Loss Expectancy method — to show what the identified vulnerabilities could cost Anambra State if they are exploited before they are patched.

ILLUSTRATIVE

The figures below are an illustrative risk model built on stated assumptions — not audited losses or a claim that any breach has occurred. They exist to make risk comparable and decision-ready. Real numbers should be validated with the ICT Agency using actual asset values, remediation quotes and incident history.

How the model works

Two formulas, four inputs

Single Loss Expectancy
SLE = AV × EF

The cost of a single successful incident — the value of the asset at stake (AV) multiplied by the share of that value lost when it's hit (Exposure Factor).

Annualised Loss Expectancy
ALE = SLE × ARO

The expected cost per year — one incident's cost multiplied by how often it's expected to happen annually (Annualised Rate of Occurrence).

AV
Asset Value — what the platform & its data are worth to the State
EF
Exposure Factor — % of that value lost in one incident (0–1)
SLE
Single Loss Expectancy — cost of one incident
ARO
Annualised Rate of Occurrence — expected incidents per year
The model, applied to our findings

Five risk scenarios, mapped to real vulnerabilities

Each scenario is tied to an anonymised finding from the review. Asset values reflect incident response, service disruption, regulatory exposure and reputational repair for a state government.

Scenario
AV (₦)
EF
SLE (₦)
ARO
ALE (₦/yr)
Abandoned domain takeover
CRITICAL
85.0M
0.70
59.5M
0.50
29.8M
Data-exposure outlier breach
CRITICAL
180.0M
0.55
99.0M
0.40
39.6M
Admin-login credential attack
HIGH
35.0M
0.50
17.5M
1.00
17.5M
Clickjacking / session fraud
MEDIUM
40.0M
0.40
16.0M
1.50
24.0M
Unpatched shared plugin exploit
HIGH
30.0M
0.50
15.0M
0.80
12.0M
Total annualised exposure
₦122.9M
Exposure vs. the cost to fix it
Annualised loss exposure if unpatched₦122.9M
Illustrative first-year remediation cost≈ ₦22M

Most remediation is one-off configuration on infrastructure the State already owns — two platforms already prove a Grade-A posture is achievable at no new licensing cost.

Return on remediation
≈ 5×

Every ₦1 spent hardening these platforms removes roughly ₦5 of annualised risk in the first year — and far more in every year after, since the fixes persist.

Assumptions: remediation is modelled to reduce total ALE by ~85% (residual ≈ ₦18M), i.e. ~₦105M of annual exposure avoided for ~₦22M of first-year spend. Figures are illustrative and should be validated against actual quotes and asset values.

The value we created

Beyond a list of website problems

The project's lasting value is institutional — a capability the State keeps long after this cohort has moved on.

A common language

Every MDA can now be assessed using the same definitions of Pass, Partial, Fail, severity and evidence.

A repeatable process

Future teams don't need to design a review methodology from scratch — the manual is ready to re-run.

Better accountability

Every issue can be assigned to a named platform owner, MDA or technical contact.

Institutional memory

The documentation stays useful even when appointees or civil servants change.

A basis for official action

The ICT Agency can convert findings into targeted communications and remediation requests to MDA heads.

Continuous improvement

The review can be repeated quarterly, biannually or annually to track progress over time.

The remediation roadmap

What to do, and when

0–2 WEEKSIMMEDIATE
Fix the abandoned domain — restore or remove the dangling DNS record
Re-audit the data-exposure outlier platform
Restrict or rename discoverable admin/login paths
1–3 MONTHSSHORT-TERM
Roll out a standard security-header baseline estate-wide
Patch the shared, outdated site-builder software
Suppress version-disclosure headers; add branded error pages
3–12 MONTHSMEDIUM-TERM
Complete SSL, authentication & NDPR checklist sections
Establish a State Digital Service Standard & asset register
Require an owner & SLA per platform; add uptime monitoring
Remediation priority model

Fix what blocks service and trust first

Remediation should follow citizen risk, not ease of fixing.

P1Critical service availabilityPlatform down, invalid certificate, core journey impossible
P2Security & privacyMissing protective controls, unclear data handling
P3Citizen journeyBroken forms, unclear instructions, mobile barriers
P4Feedback & accountabilityNo confirmation, response time or escalation route
P5Content & presentationTypos, dummy text, missing logo, inactive social links
Innovation — the AI-native opportunity

Toward an AI-native ICT Agency

The ICT Agency leadership expressed an ambition to become an AI-native MDA. For BRINCS, that opens ways to accelerate the review — while keeping humans in the loop.

Consolidating findings Identifying recurring issues Drafting MDA-specific memos Classifying severity Monitoring website changes Summarising citizen feedback

Guardrail: AI output must be reviewed by humans, findings must stay evidence-based, and confidential data must be protected. AI accelerates judgment — it does not replace it.

Proposed governance model

Three tiers of responsibility

Central coordination

Anambra State ICT Agency

Maintain the platform register, issue minimum standards, coordinate periodic audits, monitor remediation, and manage domain & hosting policy.

MDA responsibility

Each platform-owning ministry

Maintain accurate content, assign service owners, respond to citizen enquiries, fund maintenance, report performance and implement remediation.

Technical responsibility

Technical teams & vendors

Maintain security, manage updates, monitor uptime, resolve defects, document deployments, and support backups & recovery.

Sustainability plan

How BRINCS lives beyond the capstone

The review should become a recurring governance practice — not a one-time school project.

Transfer the evaluation manual
Controlled document repository
A standing review coordinator
MDA focal persons
Repeat assessments
A remediation tracker
An updated checklist
Sensitive findings restricted
How success should be measured

The dashboard for future reviews

Future success is not “number of websites reviewed.” It is measurable improvement in the things citizens feel.

Availability

Platform uptime

Security

Critical issues resolved

Ownership

Named owners per platform

Accessibility

WAVE / keyboard pass

Feedback

Acknowledgement + response time

Maintenance

Updated content + patch plan

Adoption

Service completion success

Trust

Official identity & contact clarity

Meet the team behind it