ASSESSMENT 2 BRIEF
Subject Code and Title	MIS607 Cybersecurity
Assessment	Threat Model Report
Individual/Group	Individual
Length	1500 words (+/- 10%)
Learning Outcomes	The Subject Learning Outcomes demonstrated by successful completion of the task below include: Explore and articulate cyber trends, threats and staying safe in cyberspace, plus protecting personal and company data.Analyse issues associated with organisational data networks and security to recommend practical solutions towards their resolution.Evaluate and communicate relevant technical and ethical considerations related to the design, deployment and/or the uses of secure technologies within various organisational contexts.
Submission	Due by 11.55 pm AEST Sunday end of Module 4.1
Weighting	30%
Total Marks	100 marks

Task Summary

The goal of assessment 2 (A2) is to identify threats/vulnerabilities in the case scenario described in the associated file, Assessment Initial Case Scenario.docx. Not all threats/vulnerabilities you “discover” are in the initial case scenario. The scenario discusses some elements of the business that are needing mitigation, but you will need to also “discover” other threats/vulnerabilities.

The word count for this assessment is 1,500 words (±10%), not counting tables or figures. Tables and figures must be captioned (labelled) and referred to by caption (note that publishers do not guarantee tables and figures to be placed the same order or location as in your article). Caution: Items without a caption may be treated as if they are not in the report.

Be careful not to use up word count discussing cybersecurity basics. This is not an exercise in summarising your class notes, and such material will not count towards marks.

The report will not be marked without an Academic Integrity Declaration (see below).

DFD Requirements

The DFD must relate to the business described in the initial case scenario. Remember, the DFD is the first step in the risk analysis, but it is not the main output of the assessment. The main output is the categorised threats, see below.

For the DFD, you need at least a context diagram and a level-0 diagram. You can include further levels if you feel they are needed to show a threat boundary, but this is not necessary. The level-0 diagram (and further level diagrams, if needed) must not break the rules for proper DFD formation. And the DFDs (excluding the context diagram) must have labelled threat boundaries.

You must use the symbol convention shown in classes:

Threat Discovery

The main output of A2 should be a set of no less than 10 threats or vulnerabilities that need mitigation in the organisation. You will discover these with the help of the DFD and the threat boundaries.

The main threat for this assessment resembles a real-world attack. You need to develop a brief, factual overview of the real-world attack (web links can count as references here since the attack might not yet be covered academically). You are required to reference suggested mitigations, or costs in the real-world attack, this will help enormously with both A2 and A3 and will be taken into consideration when marking. Note carefully that any explanation of the real-world case is based on real information/data, not speculation or simulated “discovery”.

It is important to understand that you need to “discover” additional threats/vulnerabilities on the associated initial case scenario. The scenario is only an initial assessment of the organisation. Your “discovery” can be simulated, based on your simulated investigation.

Obviously, you must cover the main threats already identified in the scenario, but other threats/vulnerabilities should be “discovered” by you.

Inform the reader about what discovery techniques were used. In dot points inform the audience…..who you talked to, questions you asked – but keep this very brief…8-10 dot points max.

Imagine yourself as a consultant called in to work inside the business to discover threats.

For this assignment, business acumen and business logic in approaching threats is what is required of you.

STRIDE methodology will be used for the reports. Note carefully that the DFD itself is not the main output of the assignment. The main result of the report is a set of threats or vulnerabilities. Important points are:

• Try to map these threats/vulnerabilities as best you can against threat boundaries;
• and categorize them as best you can against STRIDE categories. The STRIDE categories are not the threats.

Do not be concerned if the threats you discover do not fit all STRIDE categories. In a full, real-world assessment with hundreds of threats, this would be the case, but with around 10 threats this will probably not be possible. Try to cover at least three.

You can make assumptions, but the report is written from the point of view of a consultant who has made “discoveries” from their investigations. In the simulation you may gather needed information from stakeholders. Assessment markers are aware that the technical information “discovered” by you might not be 100% accurate in all details. However, your discoveries should be somewhat realistic.

Reference Requirement

For A2 the requirement is a minimum of 3 references overall. You can have as many references as you like, but a minimum of 3.

At least one of the references needs to be a reference to a peer reviewed journal or conference article. (This will change for A3.)

Report Structure & Format

The report should have the following heading structure.

·        Title Page

With subject code and name, assignment title, student’s name, student number, and lecturer’s

name. Also include AI declaration.

·        Executive Summary

This should be written after the report and should briefly summarise what you did and what you found. It should be capable of being read by management generally, even those with relatively little IS experience.

·        Body of the Report

DFD

threat discovery

threat list and STRIDE categorisation

·        Conclusion

Summarise major findings or recommendations that the report puts forward.

·        References

Use only APA style for citing and referencing. Please see more information on referencing

·        Appendix

An appendix is not necessary but place it here if you intend to use one.

The report should use Arial or Calibri fonts, 11 point. It should be line spaced at 1.5 for ease of reading, and have page numbers on the bottom of each page.

Possible Later A2 Remediation

If you do not perform so well with A2 (less than 60%), you will need to fix issues noted in A2 and include this in appendix in your A3. There will be no marks for the remediation of A2.

Academic Integrity Declaration

The following must be included in the report. The report will be marked late until it is included.

I declare that, except where I have referenced, the work I am submitting for this assessment task is my own work. I have read and am aware of the Torrens University Australia Academic Integrity Policy and Procedure viewable online at.

I am aware that I need to keep a copy of all submitted material and their drafts, and I will do so accordingly.

Submission Instructions

Submit Assessment 2 via the Assessment link in the main navigation menu in MIS607 Cybersecurity. The Learning Facilitator will provide feedback via the Grade Centre in the LMS portal. Feedback can be viewed in My Grades. Any uploaded files must be in Word (.doc or .docx) format.

Tips:

You are advised to read the case study, several times. Then read through this brief and note requirements. You can also to read the rubric.

Discovery techniques can include interview, questionnaire, observation, documentation. You may have others. So, to “discover” vulnerabilities you can use one of these techniques.

Leading into A3, try to concentrate on threats with corresponding controls, e.g.

• week passwords: password policy and/or 2 factor,
• Fire: fire alarms and extinguishers and/or fire insurance,
• Theft: CCTV system.

Assessment Rubric

Criteria	Ratings	Pts
Citation practice and
engagement with relevant
literature Cited material and
citations related to
report APA citation style,	20 Pts High Distinction	15-19 Pts Distinction	13-14 Pts Credit	11-12 Pts Pass	0-10 Pts NN
At least one peer- reviewed article,	All elements met well. Also, peer-reviewed articles of good quality. Citations are relevant to the article	Almost all elements in	Most elements met	About half the	Less than half the	20 pts
3 or more references,Correct citation, correct	content. More than one citation. Citation relates to the main topic of the article, not just a side issue.	evidence		elements met	elements
referencing,
Peer-reviewed
citation(s) used more
than once.
DFD and Threat Boundaries Diagrams related to
20 Pts High Distinction All elements met well. At the highest level, DFD should be a close representation of the case business, and threat boundaries should be high quality with recognised threats against boundaries.	15-19 Pts Distinction Almost all elements in evidence
case scenario	13-14 Pts	11-12 Pts	0-10 Pts
All data flows start or end in a processAt least context diagram and level-0 diagramProperly recognised	Credit Most elements met	Pass About half the elements met	NN Less than half the elements	20 pts
entities, data stores,

Criteria	Ratings	Pts
data flows and processes All elements appropriately named, including data flowsVerbs used in processes (not in context diagram)Threat boundaries namedThreat boundaries make sense
Threat Discovery At least 10 threats clearly identifiedReal-world attack in the case scenario timeline and brief explaination,Real-world attack covered in the threat list,Threats mapped against STRIDE categoriesThreats cover vulnerabilities in management, operational, and technical processes.		35 pts
35 Pts High Distinction All elements met well. Also, threat list is very clear and easy to read for all, including stakeholders with little cybersecurity experience	26-34 Pts Distinction Almost all elements in evidence	22-25 Pts Credit Most elements met	19-21 Pts Pass About half the elements met	0-18 Pts NN Less than half the elements

Criteria	Ratings	Pts
Overall threat “discovery” techniques explained well, with a few discussed in more detail. Threats make sense in the case scenario (e.g. appropriate for the size of the organisation)List of threats
Communication &
Presentation Writing is persuasive,
logical and
communicates meaning
clearly.
Uses appropriate	15 Pts	12-14 Pts	10-11 Pts	8-9 Pts	0-7 Pts
vocabulary consistently. Spelling and punctuation completely accurate. Consistently integrates	High Distinction All elements met well. Full marks requires exceptionally clear communication.	Distinction Almost all elements in evidence	Credit Most elements met	Pass About half the elements met	NN Less than half the elements	15 pts
research and ideas from
relevant and
appropriate sources
Consistently uses
accurate references,

Criteria	Ratings	Pts
appropriately positioned. Executive summary is appropriate for a business report, is in past tense, summarises what has been done, and is not a mere covering of basic theory from classesDemonstration of topics and principles acquired from course material; use of relevant theories, concepts and frameworks to support analysis; own input, insight and interpretation.
Basic formatting and
submission requirements Captioning of all figures,
10 Pts	8-9 Pts	6-7 Pts	4-5 Pts	0-3 Pts
etc. and referred to only by caption Format of Word fileCorrect file submission and Word format	High Distinction All elements met well. Layout very clear and tidy	Distinction Almost all elements in evidence	Credit Most elements met	Pass About half the elements met	NN Less than half the elements	10 pts
Page numbers

Criteria	Ratings	Pts
Correct Title PageCorrect Heading Structure
Total points: 100

Get expert help for MIS607 Cybersecurity Threat Model Report and many more. 24X7 help, plag free solution. Order online now!