Module 3: Security and Risk Management

A 12-Unit Module that Started on August 2022 and was Covered in 12 Weeks by Douglas Millward

Summary

This Module covered the different methods of Risk Assessment: both qualitative and quantitative assessment methods.

It looked at the traditional risk models (like: OWASP, STRIDE, CVSS, DREAD, Attack trees, etc) and explored the growing trends on hybrid models.

Additionally, it reviewed security standards, disaster recovery solutions, and the key research topics and advances in security and risk management.

Skills Acquired

The difference between Qualitative and Quantitative Risk Assessment methods and how to apply them.

Better understanding of the creation and application of Risk Assessment models like: OpenFAIR, OCTAVE, STRIDE, DREAD, CVSS, OWASP, MITRE ATT&CK, Cyber Kill Chain, etc.

Designing and application of Disaster Recovery and Business Continuity solutions.

Gained more knowledge on the different Security and Risk Management Standards. From General Data Protection Regulation (GDPR), ISO 31000, ISO 27001, ISO 27005, SABSA (Sherwood Applied Business Security Architecture), COBIT (Control Objectives for Information Technology), OCTAVE to NIST 800-30.

Application of quantitative risk assessment approaches like using the Monte Carlo simulation, Bayes Theorem, Multiple Criteria Decision Analysis.

Use of YASAI tool to do a Monte Carlo Simulation plus also learned about other tools eg @risk, etc.

How to perform risk assessments on organisation and the factors to consider.

Gained the ability to Design appropriate Cyber Security Solutions so as to digitise an enterprise.

It provided me with Aspects that I would likely encounter during a digitisation process.

Team working, Communication, Literacy skills, Analysis, Research, Critical thinking, and reflection.

Learned the future trends in Security and Risk Management: i.e. Artificial Intelligence, Machine Learning, DevSecOp, etc.

References Used

Below is a list of all the Sources (articles, books, reports, whitepapers, websites, etc) that I used through out this module (Using Harvard Referencing style).

Kovaite, K. & Stankeviciene, J., 2019. Risks of Digitalisation of Business Models. Vilnius, Lithuania, Vilnius Gediminas Technical University.

Rajnai, Z. & Kocsis, I., 2017. Labor market risks of industry 4.0, digitization, robots and AI. Subotica, Serbia, IEEE.

Anon, N.D.. Top 10 Industry 4.0 Trends & Innovations in 2022. [Online] Available at: https://www.startus-insights.com/innovators-guide/top-10-industry-4-0-trends-innovations-in-2021/ [Accessed 26 August 2022].

Spears, J. & Barki, H. (2010) User Participation in Information Systems Security Risk Management. MIS Quarterly 34(3): 503.

Renn, O., Beier, G. and Schweizer, P.-J. (2021) The opportunities and risks of digitalisation for sustainable development: a systemic perspective. GAIA - Ecological Perspectives for Science and Society, 30(1), pp.23-28..

Josey, A., Hietala, J. & Jones, J. (2014) Introducing The Open Group Open FAIR™ Risk Analysis Tool.

AIRMIC (2010) A structured approach to enterprise risk management.

Lambrinoudakis, C. et al., 2022. COMPENDIUM OF RISK MANAGEMENT FRAMEWORKS WITH POTENTIAL INTEROPERABILITY, Attiki, Greece: European Union Agency for Cybersecurity (ENISA).

Tsukerman, E., 2020. Cybersecurity Threat Modeling with OCTAVE. [Online] Available at: https://www.pluralsight.com/guides/cybersecurity-threat-modeling-with-octave [Accessed 9 September 2022].

Anon, N.D.. Mitre Att&ck. [Online] Available at: https://attack.mitre.org/ [Accessed 10 Seeptember 2022].

Carnegie Mellon Institute, N.D. Octave Forte. [Online] Available at: https://resources.sei.cmu.edu/asset_files/
FactSheet/2020_010_001_643960.pdf [Accessed 9 September 2022].

Orenda, 2017. Do You Know the Difference Between Hub, Switch & Router. [Online] Available at: https://medium.com/@fiberstoreorenda/do-you-know-the-difference-between-hub-switch-router-b74c2e8a8143 [Accessed 9 September 2022].

Trellix, N.D.. What Is the MITRE ATT&CK Framework?. [Online] Available at: https://www.trellix.com/en-us/security-awareness/cybersecurity/what-is-mitre-attack-framework.html [Accessed 9 September 2022].

Anon, N.D. 10 Data Security Standards. [Online] Available at: https://www.digitalsocialcare.co.uk/data-security-protecting-my-information/national-policy/ [Accessed 1 July 2022].

Department of Health and Social Care, 2020. New health data security standards and consent/opt-out model. [Online] Available at: https://www.gov.uk/government/consultations/new-data-security-standards-for-health-and-social-care [Accessed 20 July 2022].

Lees, S., 2021. GDPR - understanding personal data in the healthcare sector. [Online] Available at: https://www.gl.law/insight/news/gdpr-understanding-personal-data-in-the-healthcare-sector/ [Accessed 20 July 2022].

McCue , I., 2020. SaaS ERP Explained. [Online] Available at: https://www.netsuite.com/portal/resource/
articles/erp/saas-erp.shtml#:~:text=SaaS%20ERP%20is%20an%
20enterprise,the%20software%20over%20the%
20internet [Accessed 5 September 2022].

Meier, J. D. et al., 2010. Chapter 2 - Threats and Countermeasures. [Online] Available at: https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff648641(v=pandp.10)?redirectedfrom=MSDN

National Cyber Security Centre, 2018. GDPR security outcomes. [Online] Available at: https://www.ncsc.gov.uk/guidance/gdpr-security-outcomes [Accessed 20 July 2022].

Reciprocity, 2020. Pros and Cons of the FAIR Framework. [Online] Available at: https://reciprocity.com/pros-and-cons-of-the-fair-framework/ [Accessed 5 September 2022].

Anon, N.D.. Best Practices in Cyber Supply Chain Risk Management. [Online] Available at: https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf [Accessed 17 October 2022].

Rauniyar, K. et al., 2022. Risk management of supply chains in the digital transformation era: contribution and challenges of blockchain technology. Industrial Management & Data Systems.

Rodriguez, D., 2019. 7 Basic Types of Supply Chain Risks. [Online] Available at: https://precoro.com/blog/7-basic-types-of-supply-chain-risks/ [Accessed 5 October 2022].

Leite, L. et al., 2020. A Survey of DevOps Concepts and Challenges. ACM Computing Surveys, 52(6), pp. 1-35.

Agarwal, H., 2019. Roadmap to IT Revolution: DevOps History. [Online] Available at: https://www.appknox.com/blog/history-of-devops [Accessed 25 10 2022].

Kumaran, S. M., N.D.. DevSecOps-Securing Cyber Security. [Online] Available at: https://www.nic.in/blogs/devsecops-securing-cyber-security/ [Accessed 25 10 2022].

Horwitz, L., 2022. The top eight DevSecOps trends in 2022. [Online] Available at: https://www.dynatrace.com/news/blog/top-eight-devsecops-trends/ [Accessed 25 10 2022].

Spring, J. et al., 2021. Time to Change the CVSS?. IEEE Security & Privacy, 19(2), pp. 74 - 78.

Bailey, T., Barriball, E., Dey, A., Sankur, A. (2019). A practical approach to supply-chain risk management. McKinsey & Company.

Gisslen, L., Horndahl, A. (2016). A Quantitative Approach to Risk and Cost Assessment in Supply Chain Management. 2016 European Intelligence and Security Informatics Conference.

GOV.UK (2022). Cyber Security Breaches Survey 2022. Available from: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022 [Accessed 20th October 2022].

National Cyber Security Centre (2022). Threat Reports. Available from: https://www.ncsc.gov.uk/section/keep-up-to-date/threat-reports?q=&defaultTypes=report&sort=date%2Bdesc [Accessed 15th October 2022].

IBM (2020). Monte Carlo Simulation. Available from: https://www.ibm.com/cloud/learn/monte-carlo-simulation [Accessed 15th October 2022].

Opara-Martins, J., Sahandi, R., Tian, F. (2016). Critical analysis of vendor lock-in and its impact on cloud computing migration: a business perspective. Journal of Cloud Computing: Advances, Systems and Applications.

Morrow, T. et al., 2021. Cloud Security Best Practices Derived from Mission Thread Analysis, Pittsburgh, PA: Carnegie Mellon University.

Binus, S., 2014. Implementation OCTAVE-S and ISO 27001 Controls in Risk Management Information Systems. ComTech, 5(2), pp. 685-693.

Dominick, S., 2020. Steps to Combine MITRE ATT&CK and FAIR to Focus Cyber Risk Management. [Online] Available at: https://www.fairinstitute.org/blog/3-steps-to-combine-mitre-attck-and-fair-to-focus-cyber-risk-management#:~:text=The%20MITRE%20ATT
%26CK%20Framework%20provides,cyber%20risk
%20analysis%20is%20crucial.[Accessed 29 10 2022].

Violino, B., 2021. IT risk assessment frameworks realworld experience. [Online] Available at: https://www.csoonline.com/article/2125140/it-risk-assessment-frameworks-real-world-experience.html [Accessed 29 October 2022].

Overview of Key Tasks and Projects Completed

Using Lecture casts, book reading and a having a seminar sessions with the Lecturer, this module provided an in-depth understanding of Security and Risk Management through various activities, assessments, and group projects.
Below is an organized overview of the tasks and assignments I completed during the Module.

Introduction to Security and Risk Management

Focused on the common definitions, concepts and processes of not only Security and Risk Management, but also of terms like Confidentiality, Integrity, Availability, risks, threats, vulnerabilities, Industry 4.0, digitization, etc.

Learnt on the different types of Standards and there compatibility to OpenFAIR framework (i.e. ISO 31000, ISO 27001, ISO 27005, NIST 800-30, COSO ERM, etc) and also looked on OpenFAIR and OCTAVE framework.

Looked at the approaches to quantify and qualify risks, and also categorisation of the risk standards to different situations.

Our lecturer assigned us to group of 4 so that we work on an Assessment Project.

Users, Assessments and the Risk Management Process

Dived deeper into the effects of different types of assessment (Qualitative vs. Quantitative).

Learned the importance of user participation in the risk management process to ensure accurate assessment and mitigation strategies.

Collaborated with members of my group (using WhatsApp for texts and calls, personal emails, zoom and teams video calls and Google Docs), to develop a Risk Identification Report, which required us to create a detailed risk assessment document.

Threat Modelling and Management

Focused on the popular Threat Modelling Approaches/Frameworks: STRIDE, DREAD, Attack Trees and hybrid models such as the Process for Attack Simulation and Threat Analysis (PASTA).

Guided on how to select the right framework(S) to use as per a case study and I learned that one could perform risk assessment on one case study using multiple approaches.

We were assigned a case study (a Development Team Project) to do in Groups. The requirement was to create and design a Risk Identification report (which was to be handed in on week 6) and an Executive Summary (which was to be handed in on week 11).

Designed Use-case diagrams and Sequence diagrams Using Visual Paradigm UML tool to represent system workflows and identify potential threats.

Security and Risk Standards in the Industry and the Enterprise

Studied different security standards such as GDPR standard (UK/EU), ISO 27000 (global), NIST (globally), etc. and their relevance to security compliance across different industries and locations.

Analyzed case studies to understand the implications of these standards in various scenarios.

Participated in a seminar discussing the practical applications of Security and Risk Standards.

Quantitative Risk Modelling

Covered on the methods that can be used as part of quantitative risk modelling: probabilistic approaches such as Monte Carlo simulations and Bayes Theorem-based methods, as well as Multi-Criteria Decision Analysis (MCDA) techniques such as TOPSIS, AHP and ANP.

Learnt the various scenarios and principles that are needed for the application of the quantitative approaches. Not forgetting their tools eg YASAI, monteCarlito, @risk, etc, and the probability distributions eg uniform, binomial, geometric, etc.

Performed risk modelling activities on Monte Carlo Simulation in Excel and Bayes.

Participated in a Collaborative Learning Discussion, critiquing the CVSS (Common Vulnerability Scoring System) and discussing alternatives for risk assessment.

Risk, Business Continuity and Disaster Recovery.

Gained knowledge on creating and implementing Business Continuity Plans (BCP) and Disaster Recovery (DR) plans.As well as its contributing factors such as Business Impact Assessments (BIA), Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

Learnt the different solutions to meet specific recovery objectives. The examples of the solutions included: Hybrid cloud model, Cloud DRaaS like Amazon (AWS), Microsoft (Azure), Google (GCP), Alibaba, IBM, Rackspace and many others.

Contributed to the development of a Disaster Recovery Plan and an Executive Summary outlining the Business Continuity and Disaster Recovery solutions for a given case study.

Future Trends in Security and Risk Management

Explored current and future trends in Security and Risk Management, and their advantages, disadvantages and impacts.

These future trends included Enterprise Risk Management (ERM), Machine Learning, DevSecOps, Artificial Intelligence, Science Security, etc.

Participated in the Great Debate on the most influential trends in Security and Risk Management, whereby as a group we focused on Software Supply Chain Management as the trend for the future of Security and Risk Management (SRM).

Conclusion

This module provided a comprehensive overview of Security and Risk Management, combining theoretical frameworks with practical group projects.
The skills and knowledge gained will contribute significantly to my professional development, preparing me for real-world cybersecurity challenges.

Submitted a Reflective Essay analyzing key takeaways from this module, challenges faced, and how the acquired skills apply to real-world secure software development.

Key Tasks and Projects Completed

The tasks, projects and assignments that I submited throughout this module so as to equipped me with practical skills in cybersecurity and software development.

Collaborative Learning Discussion 1: Initial Post

We " read a case study by (Kovaitė and Stankevičienė, 2019) and we were tasked to do a Collaborative Discussion by answering the 3 questions below:

- What do the authors mean by the term 'Industry 4.0' - give two examples.

- Give two real-world examples of risks that fit into the authors categories.

- Find another journal article that either supports or contradicts the points made in the cited study."

Below is My Initial Post on the Collaborative Learning Discussion 1 that I shared with my peers.

Download PDF

Collaborative Learning Discussion 1: Peer's Response

The Collaborative Learning Discussion 1 was still on going, whereby I read the posts of my peers and responded to some of them. Below is a screenshot of a response I wrote on my peer's post.

Download PDF

Collaborative Learning Discussion 1: Summary Post

After reading my Peers' views on the Collaborative Learning Discussion 1, I wrote a Summary Post (shown below) of the discussion.

Download PDF

My Contributions towards the Group Project

My contribution towards successful completion of the Risk Identification report group project.

Download PDF

My contribution towards successful completion of the Executive Summary group project.
With the help of Jane, my team mate and articles/books, we were able to apply the Monte Carlo simulation using the Yasai tool so as to find the probability of risks happening (results are shown in the Executive Summary), while the other team members worked on Business Continuity and Disaster Recovery plans and Solutions.

Download PDF

GDPR Case Study Exercise

Reviewed a couple of GDPR case studies and below is a review I did on one of the case study.

Download PDF

Group Project: Risk Identification Report

Below is the final copy of the Risk Identification Report that we handed over as a group.

Download PDF

Group Project: Executive Summary

Below is the final copy of the Executive Summary Report that we handed over as a group.

Download PDF

Group Work: The Great Debate

Presentation on 'DevSecOps' as the future trend in Security and Risk Management (SRM).

Download PDF

Reflective Review

Below is a Reflective Review on all that I acquired during this module

Download PDF

E-Portfolio: Beatrice MUTEGI-ROYER