| ASSESSMENT 2 BRIEF | |
| Subject Code and Title | MIS607 Cybersecurity |
| Assessment | Threat Model Report |
| Individual/Group | Individual |
| Length | 1500 words (+/- 10%) |
| Learning Outcomes | The Subject Learning Outcomes demonstrated by successful completion of the task below include: Explore and articulate cyber trends, threats and staying safe in cyberspace, plus protecting personal and company data.Analyse issues associated with organisational data networks and security to recommend practical solutions towards their resolution.Evaluate and communicate relevant technical and ethical considerations related to the design, deployment and/or the uses of secure technologies within various organisational contexts. |
| Submission | Due by 11.55 pm AEST Sunday end of Module 4.1 |
| Weighting | 30% |
| Total Marks | 100 marks |
Task Summary
The goal of assessment 2 (A2) is to identify threats/vulnerabilities in the case scenario described in the associated file, Assessment Initial Case Scenario.docx. Not all threats/vulnerabilities you “discover” are in the initial case scenario. The scenario discusses some elements of the business that are needing mitigation, but you will need to also “discover” other threats/vulnerabilities.
The word count for this assessment is 1,500 words (±10%), not counting tables or figures. Tables and figures must be captioned (labelled) and referred to by caption (note that publishers do not guarantee tables and figures to be placed the same order or location as in your article). Caution: Items without a caption may be treated as if they are not in the report.
Be careful not to use up word count discussing cybersecurity basics. This is not an exercise in summarising your class notes, and such material will not count towards marks.
The report will not be marked without an Academic Integrity Declaration (see below).
DFD Requirements
The DFD must relate to the business described in the initial case scenario. Remember, the DFD is the first step in the risk analysis, but it is not the main output of the assessment. The main output is the categorised threats, see below.
For the DFD, you need at least a context diagram and a level-0 diagram. You can include further levels if you feel they are needed to show a threat boundary, but this is not necessary. The level-0 diagram (and further level diagrams, if needed) must not break the rules for proper DFD formation. And the DFDs (excluding the context diagram) must have labelled threat boundaries.
You must use the symbol convention shown in classes:
Threat Discovery
The main output of A2 should be a set of no less than 10 threats or vulnerabilities that need mitigation in the organisation. You will discover these with the help of the DFD and the threat boundaries.
The main threat for this assessment resembles a real-world attack. You need to develop a brief, factual overview of the real-world attack (web links can count as references here since the attack might not yet be covered academically). You are required to reference suggested mitigations, or costs in the real-world attack, this will help enormously with both A2 and A3 and will be taken into consideration when marking. Note carefully that any explanation of the real-world case is based on real information/data, not speculation or simulated “discovery”.
It is important to understand that you need to “discover” additional threats/vulnerabilities on the associated initial case scenario. The scenario is only an initial assessment of the organisation. Your “discovery” can be simulated, based on your simulated investigation.
Obviously, you must cover the main threats already identified in the scenario, but other threats/vulnerabilities should be “discovered” by you.
Inform the reader about what discovery techniques were used. In dot points inform the audience…..who you talked to, questions you asked – but keep this very brief…8-10 dot points max.
Imagine yourself as a consultant called in to work inside the business to discover threats.
For this assignment, business acumen and business logic in approaching threats is what is required of you.
STRIDE methodology will be used for the reports. Note carefully that the DFD itself is not the main output of the assignment. The main result of the report is a set of threats or vulnerabilities. Important points are:
- Try to map these threats/vulnerabilities as best you can against threat boundaries;
- and categorize them as best you can against STRIDE categories. The STRIDE categories are not the threats.
Do not be concerned if the threats you discover do not fit all STRIDE categories. In a full, real-world assessment with hundreds of threats, this would be the case, but with around 10 threats this will probably not be possible. Try to cover at least three.
You can make assumptions, but the report is written from the point of view of a consultant who has made “discoveries” from their investigations. In the simulation you may gather needed information from stakeholders. Assessment markers are aware that the technical information “discovered” by you might not be 100% accurate in all details. However, your discoveries should be somewhat realistic.
Reference Requirement
For A2 the requirement is a minimum of 3 references overall. You can have as many references as you like, but a minimum of 3.
At least one of the references needs to be a reference to a peer reviewed journal or conference article. (This will change for A3.)
Report Structure & Format
The report should have the following heading structure.
· Title Page
With subject code and name, assignment title, student’s name, student number, and lecturer’s
name. Also include AI declaration.
· Executive Summary
This should be written after the report and should briefly summarise what you did and what you found. It should be capable of being read by management generally, even those with relatively little IS experience.
· Body of the Report
DFD
threat discovery
threat list and STRIDE categorisation
· Conclusion
Summarise major findings or recommendations that the report puts forward.
· References
Use only APA style for citing and referencing. Please see more information on referencing
· Appendix
An appendix is not necessary but place it here if you intend to use one.
The report should use Arial or Calibri fonts, 11 point. It should be line spaced at 1.5 for ease of reading, and have page numbers on the bottom of each page.
Possible Later A2 Remediation
If you do not perform so well with A2 (less than 60%), you will need to fix issues noted in A2 and include this in appendix in your A3. There will be no marks for the remediation of A2.
Academic Integrity Declaration
The following must be included in the report. The report will be marked late until it is included.
I declare that, except where I have referenced, the work I am submitting for this assessment task is my own work. I have read and am aware of the Torrens University Australia Academic Integrity Policy and Procedure viewable online at.
I am aware that I need to keep a copy of all submitted material and their drafts, and I will do so accordingly.
Submission Instructions
Submit Assessment 2 via the Assessment link in the main navigation menu in MIS607 Cybersecurity. The Learning Facilitator will provide feedback via the Grade Centre in the LMS portal. Feedback can be viewed in My Grades. Any uploaded files must be in Word (.doc or .docx) format.
Tips:
You are advised to read the case study, several times. Then read through this brief and note requirements. You can also to read the rubric.
Discovery techniques can include interview, questionnaire, observation, documentation. You may have others. So, to “discover” vulnerabilities you can use one of these techniques.
Leading into A3, try to concentrate on threats with corresponding controls, e.g.
- week passwords: password policy and/or 2 factor,
- Fire: fire alarms and extinguishers and/or fire insurance,
- Theft: CCTV system.
Assessment Rubric
| Criteria | Ratings | Pts | ||||
| Citation practice and | ||||||
| engagement with relevant | ||||||
| literature Cited material and | ||||||
| citations related to | ||||||
| report APA citation style, | 20 Pts High Distinction | 15-19 Pts Distinction | 13-14 Pts Credit | 11-12 Pts Pass | 0-10 Pts NN | |
| At least one peer- reviewed article, | All elements met well. Also, peer-reviewed articles of good quality. Citations are relevant to the article | Almost all elements in | Most elements met | About half the | Less than half the | 20 pts |
| 3 or more references,Correct citation, correct | content. More than one citation. Citation relates to the main topic of the article, not just a side issue. | evidence | elements met | elements | ||
| referencing, | ||||||
| Peer-reviewed | ||||||
| citation(s) used more | ||||||
| than once. | ||||||
| DFD and Threat Boundaries Diagrams related to | ||||||
| 20 Pts High Distinction All elements met well. At the highest level, DFD should be a close representation of the case business, and threat boundaries should be high quality with recognised threats against boundaries. | 15-19 Pts Distinction Almost all elements in evidence | |||||
| case scenario | 13-14 Pts | 11-12 Pts | 0-10 Pts | |||
| All data flows start or end in a processAt least context diagram and level-0 diagramProperly recognised | Credit Most elements met | Pass About half the elements met | NN Less than half the elements | 20 pts | ||
| entities, data stores, | ||||||
| Criteria | Ratings | Pts | ||
| data flows and processes All elements appropriately named, including data flowsVerbs used in processes (not in context diagram)Threat boundaries namedThreat boundaries make sense | ||||
| Threat Discovery At least 10 threats clearly identifiedReal-world attack in the case scenario timeline and brief explaination,Real-world attack covered in the threat list,Threats mapped against STRIDE categoriesThreats cover vulnerabilities in management, operational, and technical processes. | 35 pts | |||
| 35 Pts High Distinction All elements met well. Also, threat list is very clear and easy to read for all, including stakeholders with little cybersecurity experience | 26-34 Pts Distinction Almost all elements in evidence | 22-25 Pts Credit Most elements met | 19-21 Pts Pass About half the elements met | 0-18 Pts NN Less than half the elements |
| Criteria | Ratings | Pts | ||||
| Overall threat “discovery” techniques explained well, with a few discussed in more detail. Threats make sense in the case scenario (e.g. appropriate for the size of the organisation)List of threats | ||||||
| Communication & | ||||||
| Presentation Writing is persuasive, | ||||||
| logical and | ||||||
| communicates meaning | ||||||
| clearly. | ||||||
| Uses appropriate | 15 Pts | 12-14 Pts | 10-11 Pts | 8-9 Pts | 0-7 Pts | |
| vocabulary consistently. Spelling and punctuation completely accurate. Consistently integrates | High Distinction All elements met well. Full marks requires exceptionally clear communication. | Distinction Almost all elements in evidence | Credit Most elements met | Pass About half the elements met | NN Less than half the elements | 15 pts |
| research and ideas from | ||||||
| relevant and | ||||||
| appropriate sources | ||||||
| Consistently uses | ||||||
| accurate references, |
| Criteria | Ratings | Pts | ||||
| appropriately positioned. Executive summary is appropriate for a business report, is in past tense, summarises what has been done, and is not a mere covering of basic theory from classesDemonstration of topics and principles acquired from course material; use of relevant theories, concepts and frameworks to support analysis; own input, insight and interpretation. | ||||||
| Basic formatting and | ||||||
| submission requirements Captioning of all figures, | ||||||
| 10 Pts | 8-9 Pts | 6-7 Pts | 4-5 Pts | 0-3 Pts | ||
| etc. and referred to only by caption Format of Word fileCorrect file submission and Word format | High Distinction All elements met well. Layout very clear and tidy | Distinction Almost all elements in evidence | Credit Most elements met | Pass About half the elements met | NN Less than half the elements | 10 pts |
| Page numbers |
| Criteria | Ratings | Pts |
| Correct Title PageCorrect Heading Structure | ||
| Total points: 100 |
Get expert help for MIS607 Cybersecurity Threat Model Report and many more. 24X7 help, plag free solution. Order online now!
