Putting a naira value on doing nothing
A missing security header is abstract. A number is not. This page translates the review's findings into quantified cyber-risk — using the standard Single Loss Expectancy and Annualised Loss Expectancy method — to show what the identified vulnerabilities could cost Anambra State if they are exploited before they are patched.
The figures below are an illustrative risk model built on stated assumptions — not audited losses or a claim that any breach has occurred. They exist to make risk comparable and decision-ready. Real numbers should be validated with the ICT Agency using actual asset values, remediation quotes and incident history.
Two formulas, four inputs
The cost of a single successful incident — the value of the asset at stake (AV) multiplied by the share of that value lost when it's hit (Exposure Factor).
The expected cost per year — one incident's cost multiplied by how often it's expected to happen annually (Annualised Rate of Occurrence).
Five risk scenarios, mapped to real vulnerabilities
Each scenario is tied to an anonymised finding from the review. Asset values reflect incident response, service disruption, regulatory exposure and reputational repair for a state government.
Most remediation is one-off configuration on infrastructure the State already owns — two platforms already prove a Grade-A posture is achievable at no new licensing cost.
Every ₦1 spent hardening these platforms removes roughly ₦5 of annualised risk in the first year — and far more in every year after, since the fixes persist.
Assumptions: remediation is modelled to reduce total ALE by ~85% (residual ≈ ₦18M), i.e. ~₦105M of annual exposure avoided for ~₦22M of first-year spend. Figures are illustrative and should be validated against actual quotes and asset values.
Beyond a list of website problems
The project's lasting value is institutional — a capability the State keeps long after this cohort has moved on.
A common language
Every MDA can now be assessed using the same definitions of Pass, Partial, Fail, severity and evidence.
A repeatable process
Future teams don't need to design a review methodology from scratch — the manual is ready to re-run.
Better accountability
Every issue can be assigned to a named platform owner, MDA or technical contact.
Institutional memory
The documentation stays useful even when appointees or civil servants change.
A basis for official action
The ICT Agency can convert findings into targeted communications and remediation requests to MDA heads.
Continuous improvement
The review can be repeated quarterly, biannually or annually to track progress over time.
What to do, and when
Fix what blocks service and trust first
Remediation should follow citizen risk, not ease of fixing.
Toward an AI-native ICT Agency
The ICT Agency leadership expressed an ambition to become an AI-native MDA. For BRINCS, that opens ways to accelerate the review — while keeping humans in the loop.
Guardrail: AI output must be reviewed by humans, findings must stay evidence-based, and confidential data must be protected. AI accelerates judgment — it does not replace it.
Three tiers of responsibility
Central coordination
Maintain the platform register, issue minimum standards, coordinate periodic audits, monitor remediation, and manage domain & hosting policy.
MDA responsibility
Maintain accurate content, assign service owners, respond to citizen enquiries, fund maintenance, report performance and implement remediation.
Technical responsibility
Maintain security, manage updates, monitor uptime, resolve defects, document deployments, and support backups & recovery.
How BRINCS lives beyond the capstone
The review should become a recurring governance practice — not a one-time school project.
The dashboard for future reviews
Future success is not “number of websites reviewed.” It is measurable improvement in the things citizens feel.
Availability
Platform uptime
Security
Critical issues resolved
Ownership
Named owners per platform
Accessibility
WAVE / keyboard pass
Feedback
Acknowledgement + response time
Maintenance
Updated content + patch plan
Adoption
Service completion success
Trust
Official identity & contact clarity