Risk Management: Risk Assessment and Planning


WORKSHEET AND SUBMISSION SHEET

License

This work by Z. Cliffe Schreuders at Leeds Beckett University is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

For this specific exercise, you are encouraged to work together on the same document/tables with other (up to 5) students. If you work as a group (and everyone in your group agrees who was involved), you will all receive the same marks.

Download or copy this document, and insert your answers and solutions below. Submit individually via MyBeckett. It is fine if your work matches that of the other students you have documented working with.

Due by: Week 3 (Sunday midnight at the end of the next teaching week).

Scenario

Consider this case:

You work for an online retailer that has a website, with online shopping. You accept credit card payments, and store details of transactions in a database. You also provide a mailing list for customers.

You can make assumptions about the business that you think are realistic. List the assumptions you have made about the business:

Risk assessment: identification

Given the scenario above, fill in the table below with some potential threats and vulnerabilities that you identify.

Table entries created by: ______________

| Category of threat | Process (non-technical) vulnerabilities / threats | Technical vulnerabilities / threats |
|---|---|---|
| Example: Lose our customers, due to loss/leakage of information | Someone tricks a member of staff into giving over someone else’s account details | Attacker gets all the credit card details via an SQL Injection |


Save a copy of the above table, as evidence that you have completed this part of the task.

Label it or save it as “Risk-1”. Saving a copy of this document is fine.

Marking criteria guidelines:

| Criterion | Marks |
|---|---|
| Table showing >= 5 general categories of threat, each with specific threats or vulnerabilities | 25 |
| Table showing >= 5 general categories of threat, each with specific threats or vulnerabilities -- although some don't make much sense | 15 |
| Table showing < 5 general categories of threat, each with specific threats or vulnerabilities | 5 |
| Incorrect submission | 0 |


Risk assessment: magnitude

For 10 specific threats/vulnerabilities (taken from columns 2 and 3 in the table above), determine the magnitude of risk, and enter it into the table below:

Table entries created by: ______________

| Threat | Likelihood (0-1) | Impact (1-10) | Cost per Event | Risk impact (likelihood * impact) | Annual loss expectancy (likelihood * cost per event) |
|---|---|---|---|---|---|
| Example: Attacker gets all the credit card details via an SQL Injection | .10, Unlikely (we are careful, and we use countermeasures) | 8, this could ruin our reputation | £70,000, Could lose lots of business if customers lost trust in us | .8 (8/100) | £7,000 |


Save a copy of the table, as evidence that you have completed this part of the task.

Label it or save it as “Risk-2”.

Marking criteria guidelines:

| Criterion | Marks |
|---|---|
| Table showing >= 10 threats, each with very well thought out assessments | 25 |
| Table showing >= 10 threats, each with well thought out assessments | 20 |
| Table showing >= 10 threats, each with fairly well thought out assessments | 15 |
| Table showing <= 10 threats, each with assessments | 5 |
| Incorrect submission | 0 |


Planning responses

For each threat or vulnerability identified in the table above (Table 2), list at least two risk solution alternatives.

For each alternative, state whether risk is accepted, avoided, mitigated, shared, or transferred.

Make a very rough estimate of the total cost of ownership (purchase + yearly operating costs) for each alternative.

For each threat/vulnerability, recommend the one solution that you think is best suited, with a one-sentence justification.

| Threat | Solution 1 | Solution 1 TCO | Solution 2 | Solution 2 TCO | Solution 1 or 2? |
|---|---|---|---|---|---|
| Example: Attacker gets all the credit card details via an SQL Injection | ModSecurity - risk is mitigated | £800 | PayPal (stop accepting credit cards) - risk is avoided | £3000 | Recommend solution 1: PayPal takes a percentage of sales, and ModSecurity is much cheaper than the ALE of the threat. |
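To show how the two formulas in the magnitude table and the TCO-versus-ALE comparison in the planning table fit together, here is an added Python example (not part of the worksheet). The SQL injection row uses the worksheet's own figures; the phishing row's likelihood, impact and cost, and the rule of picking the cheapest response that costs less than the threat's ALE, are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Threat:
    """One row of the magnitude table (Risk-2)."""
    name: str
    likelihood: float      # 0-1, chance of the event occurring in a year
    impact: int            # 1-10 severity score
    cost_per_event: float  # GBP lost if the event happens once

    def risk_impact(self) -> float:
        return self.likelihood * self.impact

    def annual_loss_expectancy(self) -> float:
        return self.likelihood * self.cost_per_event


@dataclass
class Solution:
    """One candidate response from the planning table (Risk-3)."""
    name: str
    treatment: str  # accepted, avoided, mitigated, shared or transferred
    tco: float      # purchase + yearly operating cost, GBP


def recommend(threat: Threat, options: List[Solution]) -> Optional[Solution]:
    """Assumed rule: pick the cheapest option whose TCO is below the threat's ALE.
    Spending more per year than the expected yearly loss is not justified, so such
    options are skipped; None means no option qualifies (consider accepting the risk)."""
    affordable = [s for s in options if s.tco < threat.annual_loss_expectancy()]
    return min(affordable, key=lambda s: s.tco) if affordable else None


def prioritise(threats: List[Threat]) -> List[Threat]:
    """Order threats by ALE, highest first, to support the final recommendation."""
    return sorted(threats, key=Threat.annual_loss_expectancy, reverse=True)


# Constructed sample rows: the worksheet's SQL injection example plus an assumed phishing row.
SQLI = Threat("Attacker gets all the credit card details via an SQL Injection", 0.10, 8, 70_000)
PHISH = Threat("Someone tricks a member of staff into giving over account details", 0.30, 5, 4_000)
SQLI_OPTIONS = [
    Solution("ModSecurity web application firewall", "mitigated", 800),
    Solution("PayPal (stop accepting credit cards)", "avoided", 3_000),
]

if __name__ == "__main__":
    for t in prioritise([SQLI, PHISH]):
        print(f"{t.name}: risk impact {t.risk_impact():.2f}, ALE £{t.annual_loss_expectancy():,.0f}")
    print("Recommended for SQL injection:", recommend(SQLI, SQLI_OPTIONS).name)
```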


Save a copy of the table, as evidence that you have completed this part of the task.

Label it or save it as “Risk-3”.

Marking criteria guidelines:

| Criterion | Marks |
|---|---|
| Table showing >= 10 threats, each with very well thought out alternative responses and solutions | 25 |
| Table showing >= 10 threats, each with very well thought out alternative responses and solutions -- however, you should have stated whether risk is accepted, avoided, mitigated, shared, or transferred | 20 |
| Table showing >= 10 threats, each with alternative responses and solutions | 17 |
| Table showing >= 10 threats, each with alternative responses and solutions -- you should have included more justification | 16 |
| Table showing <= 10 threats, each with alternative responses and solutions | 5 |
| Incorrect submission | 0 |


Based on the assumptions and risk analysis above, what would be your highest-priority recommendation(s) for this fictional company? Max 500 words.


Save a copy of the table, as evidence that you have completed this part of the task.

Label it or save it as “Risk-4”.

Marking criteria guidelines:

| Criterion | Marks |
|---|---|
| An outstanding reasoned and justified recommendation, based on the presented analysis | 25 |
| A very well reasoned and justified recommendation, based on the presented analysis | 20 |
| A well reasoned and justified recommendation, based on the presented analysis | 15 |
| A fair recommendation, based on the presented analysis (could be further justified) | 10 |
| A poorly justified recommendation | 5 |
| Incorrect submission | 0 |