Security and Risk Management

🎯 Module Overview

This module enabled me to:

  • Discuss the difference between qualitative and quantitative risk assessments.
  • Describe how to carry out both kinds of assessments.
  • Explain what is meant by and how to create threat models.
  • Demonstrate how to create quantitative risk models.
  • Discuss and design Disaster Recovery (DR) solutions.


Unit 1: An Introduction to Security and Risk Management

💬 “A potential loss, disaster, or other undesirable event measured with probabilities assigned to losses of various magnitudes (Hubbard, 2020).”

Key Concepts:

  • Different definitions of risk.
  • Introduction to the first group assignment: risk assessment for a brick-and-mortar business considering an online presence.
  • Formative assignment: collaborative discussion on risk assessment frameworks in relation to Industry 4.0.

Reflections: This introductory unit provided foundational insights into Security and Risk Management, including diverse definitions of risk and the scope of our first group assignment. The formative collaborative discussion on risk assessment frameworks within the context of Industry 4.0 was particularly insightful, highlighting the evolving landscape of risk in digital environments.

Reference:

  • Hubbard, D. (2020) The Failure of Risk Management: Why It’s Broken and How to Fix It. John Wiley & Sons.


Unit 2: Users, Assessments and the Risk Management Process

Key Concepts:

  • Setting up and managing an ePortfolio on GitHub.
  • Group assignment kick-off: team formation, group contract, and initial task allocation for a risk assessment case study.
  • Continued collaborative discussion on the validity of traditional risk assessment frameworks in a digital world.

Reflections: This week involved the practical initiation of our ePortfolio development on GitHub, a novel experience that required dedicated effort to master. Concurrently, the group assignment commenced with formal team establishment, contract finalisation, and task distribution, where I assumed the role of meeting manager. My contributions to the collaborative discussion further explored the evolving relevance of traditional risk assessment frameworks in an increasingly digital landscape.


Unit 3: Introduction to Threat Modelling and Management

💬 “Traditional risk management approaches are outdated and inadequate for the new challenges presented by the digital era (Bone and Lee, 2023).”

Key Concepts:

  • Basic concepts of threat modelling frameworks and scoring schemes: STRIDE (with DREAD for rating the threats it identifies), CVSS, attack trees, PASTA and the OWASP threat modelling guidance.
  • Practical application of risk assessment in the group assignment, focusing on inventory and supply chain management for a brick-and-mortar store.
  • Introduction to the “Cognitive Risk Framework”, which integrates human elements into risk management strategies.
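Attack trees, one of the frameworks listed above, are easiest to understand when evaluated mechanically. The following is an added example written for this page, not code from the module or the group assignment: a small attack-tree evaluator in Python. Leaves carry an estimated attacker cost (effort, in arbitrary units) and a success probability; OR nodes take the cheapest child, AND nodes need every child. The tree itself, for a shop moving online, and every number in it are constructed for illustration, and each leaf is tagged with the STRIDE category it realises to show how the two frameworks fit together.

```python
"""Added example (not from the module materials or the group assignment):
a minimal attack-tree evaluator.  All costs and probabilities below are
constructed, not measured."""
import copy
import math


def leaf(name, cost, prob, stride):
    """A leaf attack step, tagged with the STRIDE category it realises."""
    return {"name": name, "cost": cost, "prob": prob, "stride": stride}


# Constructed tree: the root goal is to read customer records from the new web shop.
ATTACK_TREE = {
    "name": "Read customer records",
    "type": "OR",
    "children": [
        leaf("SQL injection in product search", cost=5, prob=0.6, stride="Tampering"),
        {
            "name": "Log in with the store manager's account",
            "type": "AND",
            "children": [
                leaf("Phish the manager's password", cost=3, prob=0.4, stride="Spoofing"),
                leaf("Reuse the password (no MFA)", cost=1, prob=0.9, stride="Spoofing"),
            ],
        },
        {
            "name": "Take the database backup",
            "type": "AND",
            "children": [
                leaf("Find the public backup bucket", cost=1, prob=0.3, stride="Information disclosure"),
                leaf("Download the unencrypted dump", cost=1, prob=0.9, stride="Information disclosure"),
            ],
        },
    ],
}


def cheapest_attack(node):
    """Return (cost, success_probability, steps) for the least-cost way to
    achieve `node`.  OR: the child with the lowest cost wins.  AND: costs
    add and success probabilities multiply (steps assumed independent)."""
    if "children" not in node:
        return node["cost"], node["prob"], [node["name"]]
    results = [cheapest_attack(child) for child in node["children"]]
    if node["type"] == "OR":
        return min(results, key=lambda r: r[0])
    if node["type"] == "AND":
        return (sum(r[0] for r in results),
                math.prod(r[1] for r in results),
                [step for r in results for step in r[2]])
    raise ValueError(f"unknown node type {node['type']!r}")


def with_mitigation(tree, leaf_name, cost_multiplier):
    """Model a control by raising the attacker cost of one leaf, on a copy
    of the tree so the baseline stays available for comparison."""
    new_tree = copy.deepcopy(tree)
    hits = []

    def raise_cost(node):
        if "children" in node:
            for child in node["children"]:
                raise_cost(child)
        elif node["name"] == leaf_name:
            node["cost"] *= cost_multiplier
            hits.append(node)

    raise_cost(new_tree)
    if not hits:
        raise KeyError(f"no leaf named {leaf_name!r}")
    return new_tree


if __name__ == "__main__":
    print("before:", cheapest_attack(ATTACK_TREE))
    # Control: make the bucket private and encrypt dumps, modelled as a 20x cost increase.
    hardened = with_mitigation(ATTACK_TREE, "Find the public backup bucket", 20)
    print("after: ", cheapest_attack(hardened))
```

Run as written, the cheapest route before mitigation is the exposed backup (cost 2, success probability 0.27); after the bucket is locked down the cheapest route becomes the credential path (cost 4), which is exactly the signal a threat model should give: the next control to fund is MFA on the manager account, not more work on the already-hardened backups.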

Reflections: Unit 3 provided a comprehensive introduction to various threat modelling frameworks, enhancing my theoretical understanding and practical application through the group risk assessment. My contribution to the collaborative discussion highlighted the critical need for frameworks like the “Cognitive Risk Framework” to address modern digital challenges by integrating human behaviour and cognitive biases into risk mitigation strategies.


Unit 4: Application of Threat Modelling and Management Techniques

Key Concepts:

  • Practical application of threat modelling frameworks using examples.
  • Use of the Threat Modelling Manifesto, the OWASP Threat Modelling Cookbook and the MITRE ATT&CK knowledge base of adversary tactics and techniques as foundational resources.
  • Collaborative team meetings for task coordination and assignment for the group project.

Reflections: This unit provided practical experience in applying threat modelling techniques, with a focus on using established frameworks and libraries for real-world examples. Regular group meetings facilitated effective task management and ensured continuous progress on our collaborative assignment, reinforcing the importance of coordinated effort in complex projects.


Unit 5: An Introduction to Security and Risk Standards in Industry and the Enterprise

💬 “GDPR is the toughest privacy and security law in the world (gdpr.eu).”

Key Concepts:

  • General Data Protection Regulation (GDPR) as a critical data privacy and security law.
  • Seven principles for the lawful processing of personal data under GDPR: Lawfulness, fairness and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality; Accountability.
  • Formative activity: case study analysis of personal data mishandling.
  • Creation of a Wiki post discussing IT security frameworks and their applicability.
  • Continued group assignment work, focusing on merging tasks into a cohesive final document.

Reflections: Unit 5 provided an in-depth understanding of GDPR, particularly its seven core principles for lawful data processing, which are crucial for maintaining data privacy and security. The practical application through a case study on data mishandling and the development of a Wiki post on IT security frameworks enhanced my grasp of industry standards. Collaborative efforts in the group assignment progressed towards final document integration, highlighting the complexities of merging diverse contributions.


Unit 6: The Practical Implications of Security and Risk Standards

Key Concepts:

  • Completion of the group assignment: risk assessment and threat modelling for a brick-and-mortar business with e-commerce adoption recommendations.
  • Peer reviews for group members.
  • Discussion of security standards and regulations such as GDPR, PCI DSS and HIPAA, and their importance for data protection, uniformity of controls, and threat mitigation.

Reflections: This unit culminated in the completion of our comprehensive group assignment, which involved a detailed risk assessment and threat modelling for a business transitioning to e-commerce, along with peer evaluations. The seminar discussions reinforced the critical necessity of adhering to security standards like GDPR, PCI DSS, and HIPAA, emphasising their role in preventing data misuse, ensuring uniformity, and protecting against evolving threats.


Unit 7: An Introduction to the Concepts of Quantitative Risk Modelling

💬 “The overall aim of quantitative risk assessment as broadly defined can be described as the quantification of the population impact of any type of factor, exposure, policy or program, hypothesized or already present (Rigaud et al., 2024).”

Key Concepts:

  • Quantitative risk assessment and its aim of quantifying population impact.
  • Practical application of Monte Carlo simulation and Bayes’ theorem.
  • Critical evaluation of CVSS characteristics and alternatives.
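To make the two techniques concrete, here is an added example, written for this page rather than taken from the module or the author's coursework, of a quantitative risk model in plain Python. The first part estimates annual loss exposure for one risk scenario by Monte Carlo simulation, drawing the loss from a lognormal distribution fitted to a 90% confidence interval; the second applies Bayes' theorem to update the probability that a system is compromised after a detection alert. The scenario (a web shop data breach judged 10% likely per year, with a loss between 10,000 and 500,000), the detector figures, and all other numbers are constructed.

```python
"""Added example (not the module's or the portfolio author's code): a
plain-Python quantitative risk model.  Part 1 estimates annual loss
exposure for one risk scenario by Monte Carlo simulation; part 2 applies
Bayes' theorem to update the probability that a system is compromised
after a detection alert.  Every figure below is constructed."""
import math
import random
from statistics import mean

Z90 = 1.645  # z-score bounding a 90% interval (5th and 95th percentiles)


def lognormal_from_ci(low: float, high: float) -> tuple:
    """Convert a 90% confidence interval [low, high] for a loss into the
    (mu, sigma) of a lognormal whose 5th and 95th percentiles are low and
    high.  Losses are positive and right-skewed, hence lognormal rather
    than normal."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def simulate_annual_loss(p_event: float, loss_low: float, loss_high: float,
                         trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo estimate of one risk's annual loss.

    Each trial is one simulated year: the event occurs with probability
    p_event, and if it does the loss is drawn from the lognormal fitted
    to the 90% CI [loss_low, loss_high].  The seed keeps runs repeatable.
    Returns the expected annual loss, the 95th-percentile annual loss and
    the probability that a year's loss exceeds loss_high.
    """
    if not 0 <= p_event <= 1:
        raise ValueError("p_event must be a probability")
    rng = random.Random(seed)
    mu, sigma = lognormal_from_ci(loss_low, loss_high)
    losses = []
    for _ in range(trials):
        if rng.random() < p_event:
            losses.append(rng.lognormvariate(mu, sigma))
        else:
            losses.append(0.0)
    losses.sort()
    return {
        "expected_annual_loss": mean(losses),
        "p95_annual_loss": losses[int(0.95 * trials) - 1],
        "p_exceed_high": sum(1 for x in losses if x > loss_high) / trials,
    }


def bayes_posterior(prior: float, sensitivity: float, false_positive_rate: float) -> float:
    """P(compromised | alert) by Bayes' theorem.

    prior:               P(compromised) before the alert (base rate)
    sensitivity:         P(alert | compromised), the detector's true-positive rate
    false_positive_rate: P(alert | not compromised)
    """
    for p in (prior, sensitivity, false_positive_rate):
        if not 0 <= p <= 1:
            raise ValueError("all inputs must be probabilities")
    p_alert = sensitivity * prior + false_positive_rate * (1 - prior)
    if p_alert == 0:
        raise ValueError("the alert cannot occur under these inputs")
    return sensitivity * prior / p_alert


if __name__ == "__main__":
    # Constructed scenario: breach judged 10% likely per year, loss 90% CI 10k..500k.
    print(simulate_annual_loss(0.10, 10_000, 500_000))
    # Constructed detector: 1% base rate, 90% sensitivity, 5% false-positive rate.
    print(f"P(compromised | alert) = {bayes_posterior(0.01, 0.90, 0.05):.3f}")
```

The Bayes figures are the classic base-rate lesson: with a 1% base rate, a detector that is 90% sensitive and raises false positives on 5% of clean hosts still leaves only about a 15% chance that an alerting host is actually compromised, so the alert should raise priority, not trigger an incident declaration on its own. The Monte Carlo part returns a distribution rather than a single expected value, which is what lets a decision-maker compare the 95th-percentile year against a risk appetite instead of only the average.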

Reflections: Unit 7 provided a foundational understanding of quantitative risk modelling, with hands-on experience in Monte Carlo simulation and Bayes’ theorem, which significantly enhanced my ability to quantify potential impacts. The collaborative discussion on the criticisms and alternatives to CVSS stimulated critical thinking on current vulnerability scoring practices.

Reference:

  • Rigaud, A., Delpierre, C. and Ducrot, P. (2024) Quantitative risk assessment in environmental health: a review of methods and applications. Environmental Research, 203, 111929.


Unit 8: Implementing Quantitative Risk Models

Key Concepts:

  • Practical implementation of quantitative risk models in real-world scenarios.
  • Discussion of group project feedback and grading systems.
  • Continuation of collaborative learning discussion through peer responses.
  • Application of Monte Carlo simulation to an inventory system for optimising reorder points and order quantities.
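The inventory application above is a good illustration of Monte Carlo used as a risk model rather than a forecast. What follows is an added example written for this page, not the group's assignment code: it simulates a continuous-review reorder-point policy (order a fixed quantity Q whenever stock on hand plus stock on order falls to the reorder point s) over many independent years, reports the probability that a year contains at least one stock-out, and picks the smallest candidate reorder point that meets a target. The store's figures (20 units/day mean demand, a supplier lead time of 3 to 7 days, an order quantity of 200) are constructed; a Poisson draw is implemented by hand because Python's `random` module has no Poisson generator.

```python
"""Added example (not the group's assignment code): Monte Carlo estimate
of stock-out risk under a continuous-review (s, Q) reorder policy, used
to pick the smallest reorder point that meets a target service level.
The demand and lead-time figures are constructed."""
import math
import random


def poisson(rng: random.Random, lam: float) -> int:
    """Poisson draw by Knuth's multiplication method; fine for the small
    daily means used here (random has no poissonvariate)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_year(rng, reorder_point, order_qty, mean_demand,
                  lead_min, lead_max, days=365):
    """One simulated year of an (s, Q) policy.  Demand is Poisson each
    day; when the inventory position (on hand + on order) falls to s or
    below, an order of Q is placed with a uniformly random lead time in
    [lead_min, lead_max] days.  Unmet demand is lost, not backordered.
    Returns (days with a stock-out, units of lost sales)."""
    on_hand = reorder_point + order_qty
    pipeline = []            # (arrival_day, qty) for orders in transit
    stockout_days = lost = 0
    for day in range(days):
        # deliveries due today arrive before the day's demand
        on_hand += sum(q for due, q in pipeline if due == day)
        pipeline = [(due, q) for due, q in pipeline if due != day]
        demand = poisson(rng, mean_demand)
        if demand > on_hand:
            stockout_days += 1
            lost += demand - on_hand
            on_hand = 0
        else:
            on_hand -= demand
        position = on_hand + sum(q for _, q in pipeline)
        if position <= reorder_point:
            pipeline.append((day + rng.randint(lead_min, lead_max), order_qty))
    return stockout_days, lost


def stockout_risk(reorder_point, order_qty, mean_demand, lead_min, lead_max,
                  trials=200, seed=7) -> dict:
    """Run `trials` independent years; report the probability that a year
    sees at least one stock-out and the mean lost sales per year."""
    rng = random.Random(seed)
    bad_years = total_lost = 0
    for _ in range(trials):
        so_days, lost = simulate_year(rng, reorder_point, order_qty,
                                      mean_demand, lead_min, lead_max)
        bad_years += so_days > 0
        total_lost += lost
    return {"p_stockout_year": bad_years / trials,
            "mean_lost_units": total_lost / trials}


def choose_reorder_point(candidates, max_p_stockout, order_qty, mean_demand,
                         lead_min, lead_max, trials=200):
    """Smallest candidate s whose yearly stock-out probability is within
    the target; None if no candidate qualifies."""
    for s in sorted(candidates):
        risk = stockout_risk(s, order_qty, mean_demand, lead_min, lead_max, trials)
        if risk["p_stockout_year"] <= max_p_stockout:
            return s
    return None


if __name__ == "__main__":
    # Constructed store: 20 units/day, lead time 3..7 days, Q = 200,
    # target: a stock-out in at most 5% of years.
    for s in (100, 150, 200):
        print(s, stockout_risk(s, 200, 20, 3, 7))
    print("chosen reorder point:",
          choose_reorder_point([100, 150, 200], 0.05, 200, 20, 3, 7))
```

With these inputs a reorder point of 100 stocks out almost every year, 150 still fails the 5% target because a 7-day lead time occasionally outruns the stock held, and 200 is the first candidate that passes. The same structure carries over to availability modelling in the second assignment: replace daily demand with outage events and the reorder point with spare capacity or a failover threshold, and the simulation reports how often the service level is breached.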

Reflections: Unit 8 provided valuable practical experience in implementing quantitative risk models, applying them to an inventory system to optimise reorder points and order quantities using Monte Carlo simulation. The seminar’s focus on group project feedback and grading discussions, alongside continued peer engagement in the collaborative learning forum, underscored the importance of both individual accountability and collective learning.


Unit 9: Risk, Business Continuity and Disaster Recovery

Key Concepts:

  • Business Continuity (BC): keeping critical business processes running while a disruption is under way.
  • Disaster Recovery (DR): restoring the IT systems and data those processes depend on after the disruption.
  • Recovery Time Objective (RTO): the maximum tolerable time from the outage to restored service; the DR procedure (failover, rebuild or restore) has to be tested to complete within it.
  • Recovery Point Objective (RPO): the maximum tolerable data loss, expressed as time; the backup or replication interval must be no longer than the RPO, because anything written after the last copy is lost.

Reflections: This unit provided a comprehensive understanding of risk mitigation strategies, particularly focusing on Business Continuity (BC) and Disaster Recovery (DR). I gained clarity on key metrics such as Recovery Time Objective (RTO) and Recovery Point Objective (RPO), which are crucial for planning and testing responses to service disruptions and outages. My summary post in the collaborative discussion forum further consolidated this learning.


Unit 10: Practical Applications and Issues in DR Implementations

💬 “A vendor lock-in makes customers dependent on a proprietary product, service or technology provided by a vendor. In terms of cloud services, it is achieved by providing and developing services that are platform-dependent with proprietary technologies, interfaces or formats (Pellegrini et al., 2017).”

Key Concepts:

  • Vendor lock-in in cloud solutions and strategies to avoid it.
  • Disaster Recovery (DR) solutions for various scenarios with different RPO and RTO requirements.
  • Critical review of vendor lock-in’s impact on cloud computing adoption.

Reflections: Unit 10 highlighted the critical issue of vendor lock-in in cloud solutions, offering strategies for mitigation based on a detailed review of its impact on cloud computing adoption. My preparation for the seminar, including a presentation on Disaster Recovery solutions tailored to varying RPO and RTO requirements, significantly enhanced my practical understanding of DR implementations.


Unit 11

Key Concepts:

  • Second assignment: quantitative risk modelling of availability and quality, using Monte Carlo simulation built on the earlier risk assessment.
  • Design of a disaster recovery solution tailored to specific stakeholder requirements.

Reflections: This unit culminated in the comprehensive second assignment, where I applied quantitative risk modelling through Monte Carlo simulation to address specific concerns regarding availability and quality for Pampered Pets. Furthermore, designing a bespoke disaster recovery solution based on key stakeholder requirements solidified my practical skills in SRM.


Unit 12: The Great Debate: What will be the most influential trend in SRM in the next 5 years?

Key Concepts:

  • Student presentations on the most influential trends in SRM over the next five years.
  • Discussion and voting on presented trends, revealing collective opinion.
  • Reflection on the module’s workload, knowledge gain, and frameworks explored.
  • Final assignment: e-Portfolio completion and module reflection.

Reflections: The final unit culminated in a compelling debate where students presented their perspectives on the most influential SRM trends, closing with a collective vote. My presentation on Risk Maturity Models, despite competing with AI-focused topics, was surprisingly identified by the majority as the most influential trend. This unit also served as an opportunity to reflect on the module’s intense yet rewarding journey, consolidating the wealth of knowledge and frameworks acquired throughout my second MSc module.


๐Ÿ Summary of Achievements

  • ✅ Gained a comprehensive understanding of qualitative and quantitative risk assessments.
  • 💬 Developed expertise in threat modelling and management techniques.
  • 🧠 Applied quantitative risk models using Monte Carlo simulation and Bayes’ theorem.
  • 🗂 Designed and evaluated Business Continuity and Disaster Recovery solutions.
  • 📈 Analysed emerging trends and standards in Security and Risk Management.

This post is licensed under CC BY 4.0 by the author.