Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Security and Risk Management

Verified

Added on 2023/01/18

AI Summary

This report highlights the importance of implementing a response plan towards cyber threats and the application of cyber security principles in real-world organizations. It includes a cyber security risk assessment for Commonwealth Bank, Target Australia, and ABC organization.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: SECURITY AND RISK MANAGEMENT
Security and Risk Management
Name of the student:
Name of the university
Author note:

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

1SECURITY AND RISK MANAGEMENT
Abstract
The following report is prepared so as to point out the importance of Cyber security risk
analysis for every business field. The report presents a brief description of the cyber security
analysis procedure and following that, the cyber security risk assessment is prepared based on
three different scenarios. For each and every scenario, the respected cyber security threats are
identified and their impacts are analyzed and rated depending in its likelihood and value.

2SECURITY AND RISK MANAGEMENT
Table of Contents
Introduction:...............................................................................................................................3
Discussion:.................................................................................................................................4
Cyber security analysis for-.......................................................................................................4
Scenario 1: Cyber Security Risk Assessment for Commonwealth Bank...............................4
Scenario 2: Cyber Security Risk Assessment for Target Australia........................................9
Scenario 3: Cyber Security Risk Assessment for ABC organisation:..................................14
Conclusion:..............................................................................................................................18
References:...............................................................................................................................19

3SECURITY AND RISK MANAGEMENT
Introduction:
Cyber space is defined as the interconnected world of digital technology. Cyberspace
is often used by security professionals, in the military fields and by technology strategists in
order to describe the global domain of technology. Cyber space forms the heart of our
modern technology-based society and has its impact on almost all parts of our lives including
service centers and business fields. As almost all parts of our modern life are connected with
the cyberspace hence the growing threat with it is also increasing. Any threat in cyber space
affects both the private and public sector of the society. The increased threat in the cyber
space allows some black hat people to use the cyber space for malicious activity, exploiting
the operational activity of the computer networks that area used in the cyber space. With the
increased amount of cyber risks in modern organisation, the information assets of every
organisation are at the verge of cyber risks (Ali and Awad 2018). The different types of cyber
threats that are emerging as a result of it includes phishing, Ransomware attacks, crypto
jacking, cyber physical attacks, state sponsored attacks, IoT attacks and third-party attacks
(Nurse, Creese and De Roure 2017). Most of the employees within organisations are unaware
of the different cyber space threats and cyber risks that are often taking up major of the
credential information from the organization’s database (Sadgrove 2016). As a result of the
potential cyber risks in organization’s information assets, cyber attackers are enabled with
stealing user logins, personal financial information and many more (Latif et al. 2014) Thus,
for all these reasons it is necessary that organisations should take up and implement cyber
security risk assessment with in their organizational system in order to plan, develop and
finally implement effective measures to secure the information assets of the organisation
from the potential cyber threats (Shameli-Sendi, Aghababaei-Barzegar and Cheriet 2016.). In
this respect, organisations besides implementing a proper cyber risk assessment, should also
follow the cyber security principles to safeguard the information assets (Fenz et al. 2014).

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

4SECURITY AND RISK MANAGEMENT
The three security objectives of information security principles include confidentiality,
Integrity and Availability (Soomro, Shah and Ahmed 2016). Implementation of Cyber
Security principles in organisation helps in identifying the security issues before hackers can
get hold of it and use it for the purpose of hacking and stealing information for the company’s
datacenter (McIlwraith 2016). This report is prepared so as to highlight the importance of
implementing a response plan towards inevitable cyber threats and the application of cyber
security principals to the real world organisations.
Discussion:
Performing the cyber security risk assessment is an important part of any
organization’s information security management (Ahmad, Maynard and Park 2014). In every
organisation, there are some level of security risks that are present for which the critical data
sets of the information assets are at the risk of cyber issues (Farooq et al. 2015). For this
reason, organisations need to prepare a cyber risk assessment report so as to address the
security risks and to protect the information assets of the organisation.
Cyber security analysis for-
Scenario 1: Cyber Security Risk Assessment for Commonwealth Bank
Characterization of the system:
Commonwealth bank is one of the important and well-known banks in Australia, with
its wide spreading business across united states, United Kingdom and New Zealand. It was
founded in the year 1911 as a government bank and I the year 1991 as a public company. It
has its headquarters at Darling Harbor, Sydney, Australia. The Commonwealth Bank has
about 1,100+ branches with about 4300+ ATM services worldwide. Its total assets range to
about A$933.078 billion.

5SECURITY AND RISK MANAGEMENT
Data contained in it:
The common wealth bank facilitates a wide variety of services such as financial
services in the field of business, retail, institutional banking and areas involving funds
management.
Vendors of the bank:
The vendors who were utilized under the Commonwealth Bank in Australia includes-
Workday a leading cloud service provider, Algosec- a well-known service provider to
manage the security in business process and many more. Over and about 20 million of
customers uses the services provided by the Commonwealth bank of Australia.
Data access method:
The Common wealth bank of Australia uses the open data access method in order to
access its data sets. Customers are provided with full right to access their data. Like all other
banking systems, the data flow procedure of the common wealth bank is similar.
Data storage method:
All the information that get transferred within the system of the Common wealth
bank related to transfer of money or account details of customers are stored in a huge data
center that is owned by the organisation.
Threats that are faced in the organisation:
It has been reported that the data center of the Common wealth bank of Australia, recently
faced some threats at their data center where the majority of the information of the
organisation gets stored (Jouini, Rabai and Aiss 2014). The different types of risks that gets
associated with data centers of any organization includes-

6SECURITY AND RISK MANAGEMENT
1. Server failure
2. Ineffective monitoring of behavior
3. Inefficient management of the data center keys
4. Malfunctioning of the equipment in each of the machine cabinets
5. Ineffective inventory management procedure
6. External hackers
7. Network connection failure
8. Lack of high-level management staffs
9. Undetected coming of smoke that can lead to fire incidents
10. Ineffective notification systems during emergencies.
In the year 2016, the common wealth bank faced a major data breach at there datacenters
(Sallam 2015). Among all the mentioned risks that can occur in any data crenters, the risks
that kely took place at the data center of the common wealth bank includes-
1. Ineffective notification system: One of the major concerns that was raised as a result
of the data breach at the datacenter, was that the Common wealth bank failed to notify
its customers about the data breach even before the media came to knew about it.
2. Another risk that was identified with the organization’s data breach from its
datacenters was that though the mission to destroy the magnetic tape were
accomplished but still there were no digital certificate that confirms its destruction.
3. Though the bank has confirmed that the account monitoring system was at its own
place during the data breach but still question arises with the sufficient use of these
monitoring systems in order to prevent unauthorized access of the users.
4. With all these mentioned risks that aroused due to the data breach at the common
wealth bank datacenter, another risk which is also identified is the lack in the presence
of high-level management staffs.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

7SECURITY AND RISK MANAGEMENT
Determination of Inherent Risk & Impact:
Identified
Threat
Impact Likelihood Value Risk
calculation
Ineffective
notification
system
Information
which are
involved within
the system gets
compromised
and fails to
notify
customers in
case of any
major data
breach (Solic
Ocevcic and
Golub 2015). In
case of
Commonwealth
bank, the bank
failed to notify
its customers
about the
potential data
breach that took
place even
before the
media took up
the story.
(High): [100]
High
[1.0]
100*1.0=100 Severe
Poor
governance and
risk
management
culture
Data loss/ Data
loss at the third-
party vendors
due to poor
governance and
lack of
controlling the
risks (Pan and
Tomlinson
2016).
(High): [100]
High
[1.0]
100*1.0=100 Severe
Lack of digital
certificate
confirmation
In
Commonwealth
Bank, it was
supposed that
the magnetic
tapes were
High
[1.0]
100*1.0=100 Severe

8SECURITY AND RISK MANAGEMENT
destroyed as
they were
intended to but
there is no
digital
certificate
present that
confirms their
destruction and
hence there is a
possibility that
those tapes were
not lost and
risks still lies
within their data
center.
(High):[100]
Ineffective
account
monitoring
system
As a result of
the ineffective
account
monitoring
system, the
information that
are stored
related to
account of
customers, gets
compromised,
unauthorized
users gets
access to the
accounting
system and steal
data while
crashing the
system (Ahmad,
Maynard and
Park 2014).
(High):[100]
High
[1.0]
100*1.0=100 Severe
Lack in the
presence of
high-level
management
staff
Lack in
controlling the
security threats
within the
organisation
and thus leading
to data loss
(Islam et al.
2016).
Medium
[.5]
100*.5=50 Elevated

9SECURITY AND RISK MANAGEMENT
(High):[100]
Analysis of the control environment:
Existing controls:
The security policy of the Commonwealth Bank recognizes and commits to sustained
funding in order to secure its data sets. According to the existing security policy of the
Commonwealth bank, the reliable data not only permits the business and individuals to
structure their affairs but also enables them to access their data timely ( Shameli-Sendi,
Cheriet and Hamou-Lhadj 2014). The current existing policy mandates open data access
within their data centers. Other controls like training the employees about the cyber threats,
generation of digital certificates are not in place with the existing controls.
Proposed control:
As with the majority of the threats that are identified with the data center used, it is
recommended to implement more encryption with the data that re stored as well as
transferred, to implement data loss prevention software in order to detect the transmission of
extra filtration. It is also recommended to check the third-party vendors, implement end
point-based security solutions (Safa, Von Solms and Furnell 2016). It is also recommended to
avoid the use of mandating the open data access into the organisations data center. It should
be seen that the data sharing process is driven by market forces.
Scenario 2: Cyber Security Risk Assessment for Target Australia
Target Australia is one of the well-known retailers in Australia. It was founded in the
year 1973 with its headquarters at Geelong, VIC, Australia. Besides this it has it branches in
more than 380 locations.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

10SECURITY AND RISK MANAGEMENT
Service provided and Data used:
The Target Australia retail company offer a wide range of products and services to its
customers based on fashion accessories, electrical appliances and a full range of different
types of toys games more. The company uses data such as credit related information, and
other personal credentials of the customers for their business process.
Data storage method:
All the data related to the transactions of the customers and details of products and
services that it offers are stored within the company’s database system.
Threats that are faced in the organisation:
Among the various retail companies around the world, Target Australia also faced
major data security risks in its business process. The company has reported to face risks of
unauthorized activity on their database system at their human resource technology provider
Page Up.
Target Australia Company uses the Page Up in order to manage their employment
related applications and other information that are related to the company. As a result of these
unauthorized activity it led to the loss of some important information related to the customers
names, address, email address and their telephone numbers (Manworren, Letwat and Daily
2016). According to report that was published about the cyber risk that Target faced was that
their computer systems were affected by some viruses that gradually spread through their
entire system causing them to shut down. The virus was reported to have attacked two major
systems within the company from where the details of the transactions were processed. Even
after this attack, Target faced a series of similar attacks through the corresponding years that
led them to close their personal information systems.

11SECURITY AND RISK MANAGEMENT
Determination of Inherent Risk & Impact:
Identified
Threat
Impact Likelihood Value Risk
calculation
Denial of
service attack
As a result of
the unknown
installation of
malware in their
systems, one of
the leading US
card issuers got
affected. It was
reported that
about 40000
retailers point of
sale got affected
due to the
breach. The
data breach
affected about
40 million
payment
credentials of
about 70 million
customer
records.
(High):100
High
[1.0]
100*1.0=100 Severe
Phishing email The data breach
at Target
Corporation
started with
sending of
phishing emails
by third party
vendors into
their systems.
This led to the
entire system of
Target company
affected by the
malware that
was injected.
(High):100
High
[1.0]
100*1.0=100 Severe
Unauthorized
access to the
information
systems
As a result of
unauthorized
access facility,
the attackers
High
[1.0]
100*1.0=100 Severe

12SECURITY AND RISK MANAGEMENT
gained free
access to the
systems of the
company and
started stealing
credentials
related to
account or
transaction
(Patil, and
Seshadri 2014).
The attackers
gained access to
the retailers
account and
gradually took
hold of the
entire server of
the Target
Australia retail
company.
(High):100
Supply chain
attacks
The method by
which the
attackers
accessed the
Targets POS
machines was
by gaining
information
about the
credentials of
their supply
chain through
external vendor
portal.
(High):100
High
[1.0]
100*1.0=100 Severe
Outdated Mag-
strips
Another reason
for the attack
was the use of
outdated mag
strips which
were used in the
payment cards.
These outdated
mag-strips are
vulnerable to
the cyber threats
100*1.0=100 Severe

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

13SECURITY AND RISK MANAGEMENT
of skimming
which
contributed to
the breach in
the company.
(High):100
Use of flat
network
As the company
used the flat
network access
in their servers,
it led to external
intrusion
(Anikin 2015).
The breach of
data was mainly
initiated at the
network level
where the
attackers gained
access. It was
supposed that
the company
tried to clear its
processor or the
stored data by
transmitting
them through
the open
network.
(High):100
High
[1.0]
100*1.0=100 Severe
Lack of proper
firewall security
Target
corporation also
failed to
implement
proper firewall
into their
systems which
also led to the
entry of the
external
attackers into
their system
without any
problem.
(High):100
High
[1.0]
100*1.0=100 Severe

14SECURITY AND RISK MANAGEMENT
Analysis of the control environment:
Existing controls:
After the breach that happened, Target Corporation took additional steps to improve
its monitoring and logging systems by installing secured application into their POS system
and also disabled their free network access to the vendors.
Proposed controls:
By taking into account of the major data breach that took place through years in the
company of Target Corporation, it is thus recommended that the company should stay more
alerted about any security breach that are likely to take place, besides it should also start
implementing the use of smart chips in their payment cards instead of using the outdated
mag-strips as they are insecure way of payment process.
Scenario 3: Cyber Security Risk Assessment for ABC organisation:
ABC company is one of the well-known technology-based company. The company
has it headquarter at Dayton, Ohio. It is mainly based on software and hardware-based
products that are required for networking services.
Service provided and Data used:
The services that are provided by the ABC company, includes helping customers all
around the world top transform their business with innovative technology solutions. The data
sets of the company include information related to its copyrights, patents and legal
information.
Data storage method:
All the information that are used in the company are stored in the personal devices of
the employees as the company uses the BYOD policy within their organisation.

15SECURITY AND RISK MANAGEMENT
Threats that are faced in the organisation:
As recently reported that the company of ABC has faced major security risks within
their information system causing slowing down of computer systems, receiving unwanted
spam messages via email, unwanted and unauthorized access to the files and many more
issues. As a part of the security threats that its has faced includes automatic installation of
malware in to the devices affecting the network of the entire organisation. Due to all these
practices, the organisation faced a major security breach causing loss of devices that they
used for transferring information and other credentials including bank details and trade
related information.
Determination of Inherent Risk & Impact:
Identified
Threat
Impact Likelihood Value Risk
calculation
Threats with the
use of BYOD
Policy
As the company
uses the BYOD
policy within
their
information
system which
allows bringing
of personal
devices into the
company and
use it for the
company’s
purpose, many a
times, malicious
software and
untrusted
mobile
operating
systems gets
installed within
the devices
automatically
which in turn
may lead to
High
[1.0]
100*1.0=100 Severe

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

16SECURITY AND RISK MANAGEMENT
major data
breach
(Yeboah-
Boateng and
Boaten 2016).
(High):100
Use of social
networking at
work
Use of file
sharing
technologies
As the
employees
within the
organisation
uses their
personal
devices for
transferring data
and also for
their own
purposes like
for social
networking,
risks arise as
they may click
on to some links
injected with
viruses causing
the entire
organisation at
risks (Van den
Berg et al.
2014).
The file sharing
technology that
the organisation
uses also may
lead to cyber
threats within
the organisation
itself by
external
intrusions.
(High):100
High
[1.0]
100*1.0=100 Severe
Lack of security
control
The ABC
company lacks
control in
providing
proper security
with the use of
BYOD policy
within the
High
[1.0]
100*1.0=100 Severe

17SECURITY AND RISK MANAGEMENT
organization.
Employees
often remain
unaware of the
security risks
and often use
their personal
information
within files that
are meant for
companies use.
As a result of
which attackers
who are trying
to get hold of
the information
of the company
also get added
advantage by
getting hold of
the employee’s
personal
credentials.
(High):100
Inappropriate
use of emails
Employees
within the
organisation
often remain
unaware while
clicking onto
unknown links.
As a part of the
cyber risks that
the company
have, receiving
spam emails is
common
phenomenon
that the
company face
so when
employees click
into unknown
links, virus gets
infected within
the system and
spreads through
the entire
network of the
High
[1.0]
100*1.0=100 Severe

18SECURITY AND RISK MANAGEMENT
organization
(Chawla and
Chouhan 2014).
(High):100
Analysis of the control environment:
Existing controls:
The company of ABC implements the BYOD policy within their existing controls and
uses the password-based authentication method in order to authenticate any access into their
system.
Proposed control:
While taking into account all the identified threats with the ABC company, it is thus
recommended to use the certificate-based authentication method within their BYOD policy in
order to overcome the access of unauthenticated users into their information system. Also, it
is recommended to implement policies regarding the access of users into files within the
organisation to prevent losing of files or unwanted external attack (Raiyn 2014).
Conclusion:
Thus, from all the above scenarios it can be concluded that Cyber Security Risk
Assessment plays a vital role for ongoing processes within organizations as it helps in
identifying the potential risks within the organization and helps in evaluating that risk via
likelihood and risk calculation methods. A cyber security risk assessment is necessary for all
companies in order to predict the impact of the threats and take necessary controls against
those threats to safeguard the information assets in future.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

19SECURITY AND RISK MANAGEMENT
References:
Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: Towards an
organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2),
pp.357-370.
Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: Towards an
organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2),
pp.357-370.
Ali, B. and Awad, A., 2018. Cyber and physical security vulnerability assessment for IoT-
based smart homes. Sensors, 18(3), p.817.
Anikin, I.V., 2015, May. Information security risk assessment and management method in
computer networks. In 2015 International Siberian Conference on Control and
Communications (SIBCON) (pp. 1-5). IEEE.
Chawla, M. and Chouhan, S.S., 2014. A survey of phishing attack techniques. International
Journal of Computer Applications, 93(3).
Farooq, M.U., Waseem, M., Khairi, A. and Mazhar, S., 2015. A critical analysis on the
security concerns of internet of things (IoT). International Journal of Computer
Applications, 111(7).
Fenz, S., Heurix, J., Neubauer, T. and Pechstein, F., 2014. Current challenges in information
security risk management. Information Management & Computer Security, 22(5), pp.410-
430.
Islam, M.M., Lautenbach, A., Sandberg, C. and Olovsson, T., 2016, May. A risk assessment
framework for automotive embedded systems. In Proceedings of the 2nd ACM International
Workshop on Cyber-Physical System Security(pp. 3-14). ACM.

20SECURITY AND RISK MANAGEMENT
Jouini, M., Rabai, L.B.A. and Aissa, A.B., 2014. Classification of security threats in
information systems. Procedia Computer Science, 32, pp.489-496.
Latif, R., Abbas, H., Assar, S. and Ali, Q., 2014. Cloud computing risk assessment: a
systematic literature review. In Future Information Technology (pp. 285-295). Springer,
Berlin, Heidelberg.
Manworren, N., Letwat, J. and Daily, O., 2016. Why you should care about the Target data
breach. Business Horizons, 59(3), pp.257-266.
McIlwraith, A., 2016. Information security and employee behaviour: how to reduce risk
through employee education, training and awareness. Routledge.
Nurse, J.R., Creese, S. and De Roure, D., 2017. Security risk assessment in Internet of Things
systems. IT Professional, 19(5), pp.20-26.
Ortmeier, P.J., 2017. Introduction to security. Pearson.
Pan, L. and Tomlinson, A., 2016. A systematic review of information security risk
assessment. International Journal of Safety and Security Engineering, 6(2), pp.270-281.
Patil, H.K. and Seshadri, R., 2014, June. Big data security and privacy issues in healthcare.
In 2014 IEEE international congress on big data (pp. 762-765). IEEE.
Raiyn, J., 2014. A survey of cyber attack detection strategies. International Journal of
Security and Its Applications, 8(1), pp.247-256.
Safa, N.S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N.A. and Herawan, T., 2015.
Information security conscious care behaviour formation in organizations. Computers &
Security, 53, pp.65-78.

21SECURITY AND RISK MANAGEMENT
Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance
model in organizations. Computers & Security, 56, pp.70-82.
Sallam, H., 2015. Cyber security risk assessment using multi fuzzy inference
system. IJEIT, 4(8), pp.13-19.
Shameli-Sendi, A., Aghababaei-Barzegar, R. and Cheriet, M., 2015. Taxonomy of
information security risk assessment (ISRA). Computers & Security, 57, pp.14-30.
Shameli-Sendi, A., Aghababaei-Barzegar, R. and Cheriet, M., 2016. Taxonomy of
information security risk assessment (ISRA). Computers & Security, 57, pp.14-30.
Shameli-Sendi, A., Cheriet, M. and Hamou-Lhadj, A., 2014. Taxonomy of intrusion risk
assessment and response system. Computers & Security, 45, pp.1-16.
Solic, K., Ocevcic, H. and Golub, M., 2015. The information systems' security level
assessment model based on an ontology and evidential reasoning approach. Computers &
security, 55, pp.100-112.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs
more holistic approach: A literature review. International Journal of Information
Management, 36(2), pp.215-225.
Van den Berg, J., Van Zoggel, J., Snels, M., Van Leeuwen, M., Boeke, S., van de Koppen,
L., Van der Lubbe, J., Van den Berg, B. and De Bos, T., 2014, October. On (the emergence
of) cyber security science and its challenges for cyber security education. In The NATO IST-
122 Cyber Security Science and Engineering Symposium.
Yeboah-Boateng, E.O. and Boaten, F.E., 2016. Bring-Your-Own-Device (BYOD): an
evaluation of associated risks to corporate information security. arXiv preprint
arXiv:1609.01821.

1 out of 22

+13062052269

info@desklib.com

Security and Risk Management

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Related Documents

Cyber Security Risk Assessment

EU CYBER-SECURITY POLICIES REPORT 2022

Cyber Security Policy Development

Big Data Analytics in Cyber Security

Cybersecurity Protection Measures

Cyber Security Countermeasures