BUS369e Group Report: Managing Information Security and Privacy at ATA

Added on  2022/09/08
Managing Information Security & Privacy
4/1/2020
ATA
Table of Contents
Answer 2a
Insider Threats
Malware Threats
Data Breaches
Answer 2b
Answer 3a
References
Answer 2a
There are several threats that are associated with saving the organizational data on the
personal devices of the employees.
Insider Threats
This is one threat category to which the data stored on the personal devices of the employees is
exposed. The employees have access to the internal information of the organization, which
may be accessed from any remote location. Insider threats may occur because an employee
may pass this information to other users who are not authorized to view or access the
organizational data. For example, an employee may leave his or her laptop unattended while the laptop
holds internal organizational data in the form of spreadsheets and documents. A
family member may then send this information by email to unauthorized entities or
may upload it to social media channels (Hobbs, 2019). This is an example of an
accidental threat.
There may be deliberate threats as well. The competitors of a business
firm may get in touch with an employee and offer certain benefits in exchange for access to the
data. The employee may agree to transfer the details to the competitor firm, resulting in the
loss of information privacy and confidentiality.
Malware Threats
Malware threats can also occur and may lead to the loss of organizational data or to
the loss of privacy and confidentiality of the information.
The personal devices of the employees may be connected to different networks. The
organizational data may be accessible over a comparatively secure virtual private network;
however, the employee may download some of the information onto the personal machine and
then connect that machine to home and public networks. This increases the chances
of malware threats and infection. The personal devices of the employees may be equipped
with different security tools (Bahtiyar, 2016), and there is a chance that malware protection
in the form of anti-virus and anti-malware tools is not present on an employee's device at all.
In such cases, the confidential organizational data may be exposed to malicious entities.
The attackers may execute different malware packages on the employee machine, which may
enable them to replicate the malware further. The degree of impact may be moderate to severe
depending upon the motive of the attacker and the type of malware used.
Data Breaches
The third major security threat that may be witnessed is in the form of data breaches. The
personal devices of the employees will hold organizational data that is stored on the
system and is also transmitted over networks. Network and data security
breaches may occur, putting the information properties at risk. For example, an
employee may share confidential organizational information over a public wireless
network. A malicious entity may be monitoring that network without authorization and
will be able to capture the information shared over it. The information captured
in this way may be misused by the attacker, leading to further damage (Hammouchi et
al., 2019).
The information present within the system will likewise not be secure and will be exposed to
breaches, because the attackers may launch malware packages or carry out
database injections that result in the breach of the data sets. This will lead to the
violation of information privacy and will also damage the other
information properties, such as the integrity and confidentiality of the information. The
organization may have to witness adverse implications as a result.
Answer 2b
There can be different security vulnerabilities associated with the security threats
that have been identified. The details of these vulnerabilities are included below, mapped
to the security threats identified previously.
Security Threat: Insider Threats
Security Vulnerability: Poor/Broken Authentication. When an organization decides to provide
employees with the ability to access organizational information on their personal devices
and to bring those devices to work, there is a basic security mechanism that is followed by
all organizations. However, business firms usually do not acknowledge the security steps
that shall be taken to maintain information security. The authentication level applied on
the organizational systems and applications may be poor or broken. A single authentication
mode is exposed to various security attacks, and the same may lead to insider threats.
Family members or colleagues may be able to gain access to the organizational data, which
may then be misused.

Security Threat: Malware Infections & Threats
Security Vulnerability: Disabling Security Tools. There are several security tools and
devices that are installed on laptops and other computing resources. It has been seen that
considerable memory and resources are required by the security tools, which may have a
slight impact on system performance and response time. In order to avoid this, users may
disable the security tools for a certain period of time so that the resources can be allotted
to the other processes running on the system (Mansfield-Devine, 2017). This gives attackers
the opportunity to take advantage of the vulnerability and launch malware attacks in this
manner.

Security Threat: Data Breaches
Security Vulnerability: SQL Injection. Business firms make use of traditional or cloud-based
databases to store the information and data sets associated with the organization. These
databases may be injected with malicious SQL queries, enabling attackers to capture the
confidential information present within the database. This may lead to the breach of the
information (Latha & Ramaraj, 2015). Cloud-based databases may also be used for carrying
out these data breaches over the network. The vulnerability may lead to network-based or
system data breaches and may have an adverse implication on the information properties.
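To make the SQL injection entry concrete, the following added example (not part of the original report) places a lookup that builds its query by string concatenation beside a parameterized lookup that keeps the user-supplied value out of the SQL text. The document table, its rows and the function names are constructed for this illustration only.

```python
import sqlite3

# Constructed sample data: a small table of the kind of spreadsheets and
# documents the report says a personal device might hold. All values are made up.
SAMPLE_ROWS = [
    ("alice", "Finance", "salary-2020.xlsx"),
    ("bob", "Engineering", "roadmap.docx"),
    ("carol", "HR", "payroll.csv"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (owner TEXT, department TEXT, filename TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, owner):
    """Vulnerable form: the caller's input is pasted into the SQL text, so any
    quote characters in it change the meaning of the WHERE clause."""
    sql = f"SELECT filename FROM documents WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, owner):
    """Hardened form: the value travels separately from the SQL text, so the
    database engine only ever compares it as data, never parses it as SQL."""
    sql = "SELECT filename FROM documents WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def compare(owner):
    """Run both lookups on a fresh database; returns (vulnerable, parameterized)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, owner), lookup_parameterized(conn, owner)
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate owner name gives the same answer either way; an input that
    # contains SQL syntax dumps every row from the vulnerable lookup only.
    for probe in ("alice", "' OR '1'='1"):
        print(repr(probe), compare(probe))
```

For an ordinary owner name both lookups return the same single file; for an input containing SQL syntax the vulnerable lookup returns every row in the table while the parameterized one returns nothing, which is the breach the table above describes and the control that prevents it.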
Answer 3a
The risks that may be identified in the project or the organization can be treated by applying
five different treatment strategies and processes.
Risk Acceptance: This is the strategy in which information regarding the risk is
obtained but no action is taken to control or minimize the risk. It is usually
applied to risks that are either positive or have a very low possibility of occurrence.
The use of personal devices may lead to unexpected cost-savings if the information
security threats do not occur. The risk can be accepted with the proper security
measures in place (Malhotra, 2015).
Risk Avoidance: This is the strategy in which a risk is recognized for the organization
and steps are taken to make sure that the risk does not occur. It is
primarily adopted when the impact of the risk is high or severe and
must be controlled. The BYOD scheme followed at ATA may expose the data sets to
malware attacks and infections, which must be avoided by using anti-malware
tools.
Risk Transfer: This strategy is applied when the risk is transferred to an
additional party for handling. ATA may use cloud models, and risks
on the cloud platforms provided by the cloud vendor may emerge; these
shall be transferred to the vendor.
Risk Mitigation: This is the strategy that is easiest to implement: steps are
undertaken to make sure that the impact of the risk is reduced even if it occurs.
Cryptanalysis attacks may also occur on the ATA systems and data, and these shall be
mitigated (Fenz et al., 2015).
Risk Sharing: This strategy is applicable when the handling and management of a risk are
done jointly by two or more parties. The security risks on the hardware and servers
may be shared between ATA and the respective vendors.
One of the most suitable risk treatment strategies for ATA is risk avoidance. The BYOD
scheme that has been implemented at ATA can provide the organization with many
benefits, such as cost-savings, increased flexibility for the employees, enhanced employee
productivity, and others (Kumar & Singh, 2015). However, it may lead to the occurrence of
numerous security threats and attacks as well. The personal devices of the employees may not
have enterprise-level security, leaving them exposed to several security risks. Malware
and SQL injections may be common due to the poor state of device security. The
employees may deliberately or accidentally share information with unauthorized
entities. There may also be cases of data breach, eavesdropping attacks, and cryptanalysis
attacks. The use of a risk avoidance strategy will enable the organization to make
sure that these security issues are controlled (Shamala et al., 2017).
There are measures that can be adopted to avoid the risks. For example, anti-malware or
anti-virus tools may be installed so that malware attacks are avoided. ATA may use
multi-factor authentication, combining passwords with biometric authentication or
single sign-on (Rusdan, 2020). This will lead to the avoidance of many threats around
unauthorized network monitoring and breaches. ATA may also use anti-DoS tools so that
denial-of-service attacks do not occur. It will be possible to avoid the risks by using
certain administrative measures as well. The employees of ATA shall be given security
training so that the deliberate sharing of secure information can be avoided. Ethics
training shall be given as well to avoid the unethical activities leading to insider
threats. Advanced access control measures, such as identity- or encryption-based access
control, shall be implemented at ATA so that the security attacks can be avoided.
References
Bahtiyar, S. (2016). Anatomy of targeted attacks with smart malware. Security and
Communication Networks, 9(18), 6215–6226. https://doi.org/10.1002/sec.1767
Fenz, S., Heurix, J., Neubauer, T., & Pechstein, F. (2015). Current challenges in information
security risk management. Information Management & Computer Security, 22(5),
410–430. https://doi.org/10.1108/imcs-07-2013-0053
Hammouchi, H., Cherqi, O., Mezzour, G., Ghogho, M., & Koutbi, M. E. (2019). Digging
Deeper into Data Breaches: An Exploratory Data Analysis of Hacking Breaches Over
Time. Procedia Computer Science, 151, 1004–1009.
https://doi.org/10.1016/j.procs.2019.04.141
Hobbs, C. (2019). Insider threats. International Affairs, 95(3), 725–726.
https://doi.org/10.1093/ia/iiz084
Kumar, R., & Singh, H. (2015). A Proactive Procedure to Mitigate the BYOD Risks on the
Security of an Information System. ACM SIGSOFT Software Engineering Notes,
40(1), 1–4. https://doi.org/10.1145/2693208.2693231
Latha, R., & Ramaraj, D. E. (2015). SQL Injection Detection Based On Replacing The SQL
Query Parameter. International Journal Of Engineering And Computer Science.
https://doi.org/10.18535/ijecs/v4i8.29
Malhotra, Y. (2015). Cybersecurity & Cyber-Finance Risk Management: Strategies, Tactics,
Operations, &, Intelligence: Enterprise Risk Management to Model Risk
Management: Understanding Vulnerabilities, Threats, & Risk Mitigation
(Presentation Slides). SSRN Electronic Journal. https://doi.org/10.2139/ssrn.2693886
Mansfield-Devine, S. (2017). Fileless attacks: compromising targets without malware.
Network Security, 2017(4), 7–11. https://doi.org/10.1016/s1353-4858(17)30037-5
Rusdan, M. (2020). Designing of User Authentication Based on Multi-factor Authentication
on Wireless Networks. Journal of Advanced Research in Dynamical and Control
Systems, 12(1), 201–209. https://doi.org/10.5373/jardcs/v12i1/20201030
Shamala, P., Ahmad, R., Zolait, A., & Sedek, M. (2017). Integrating information quality
dimensions into information security risk management (ISRM). Journal of
Information Security and Applications, 36, 1–10.
https://doi.org/10.1016/j.jisa.2017.07.004