 So, I've returned some rough written notes for Task 1 for most of you, but we'll talk generally about, for everyone, for the feedback about Task 1, which was, list the information systems in SIT, within them they have different sets of information types, so list those information types and then do a categorization of the requirements or the impact in terms of confidentiality, integrity and availability, using that method that was described in the security risk analysis document. So most people I think are on the right track are okay, so don't spend too much more time on Task 1 if I've given you feedback, maybe just make note of what I say here on the slides. Update and then move on to Task 2. Again, there's no one solution that's quite open-ended. So, from all the submissions, some people have a lot of information systems, some have three or four. These are some of them that I saw from the different submissions, so always people said something about registration, whether they broke it into separate grades and timetable or they combined it into one, but some system in SIT keeps track of your grades. Our main purpose as an institute is to educate people and the way we evaluate is to give grades, so that's important, so that results in your degree at the end. So keeping track of student grades is an important information system, but the thing that we call registration or at least the registration website actually provides other things like a timetable, student contact information. So you could break it into one or you can break it into multiple information systems or maybe just one. I'm not too concerned, but you need to mention something about grades. There's a system that provides us internet access, including Wi-Fi access, but not just Wi-Fi, but on the labs as well or in some computers. What do you forget? The way that SIT is set up and in fact it's a generally a legal requirement inside the country that we need to track who accesses the internet. 
That led to one of the login systems for the internet that is you log in before you get internet access. So with a username and password. So there's a system to keep track of that. There's a lecture note system, so there's that website where some people use to post lecture notes. I don't use it, we use another one. Library, which may be broken into different parts, I think some people included that. So keeping track of books, keeping track of borrowing, borrowed books, keeping track of who needs to pay overdue fees. Student finances, that's separate than payroll. So that is, this is a fee paying institute, so you need to pay money each semester. So keeping track of who paid what is one thing. The print service, I think there's some print kiosks around. Student affairs, some people listed that has a website and a system to keeping track of what was in student affairs. Attendance check for different activities. Scholarships, scholarship information, students who are on scholarships need to do again some attendance check and perform in some activities. So there may be others, but most of these are aimed towards students, so you know about them and you know how most of them work. Fewer people mention things related to staff. We are an organization that we have students and staff or employees, better word. As much as I like teaching you, I don't do it for free. I like to get paid and therefore as with any organization, we have a payroll system. There's some computer system that keeps track of what my salary is and make sure I'm paid every month. That's important. Any organization with a moderate number of employees will have some automated payroll system. The details of it I don't even know, but I think you can guess that we need to keep track of everyone's salary and maybe that the payments made towards that salary and the information about the employee's bank, where they pay, they don't give me cash, they transfer it into a bank account and so on. 
I think some of you have seen we need to swipe our card as an employee to check in and check out. So there's some system that keeps track of that. Not so important, but we do things other than teach in SIT, so we need to keep track of some of the activities that we do to keep a record and report to the university and report to others to show that we're good. We also have a web mail system, an email system more generally, but also a web-based interface. There's SIT website. That is an information system in its own right. It's a system that provides information to external or to different users. Not many people mention that. I think that's an important one and maybe even other websites. Some people mention there's, I think, related to student affairs and so on, keeping track of exchange students and so on. Moodle. I don't think anyone mentioned the system that you use every week in my classes. It's separate from the others. It's separate, so you should treat it as a separate system. And I suggest you include it because, A, it's relevant to you and B, you know about the details of what information may be on there. So I think most people are okay. Some people, if you've only got four or five information systems, add a few more. If you've got 10 or so, then focus on the ones that you have. You don't have to be complete. Information types, there's not much I can say that covers everything of all those information systems. Think about the data stored. For example, in those information systems, what information or what data must be stored, say, in a database or in files? That will give you a hint as to what the information types are. Like contact information. You don't need to go into details. I think we understand that contact information includes those standard things like name, address, maybe phone number. Maybe other things as well. Oh, I forgot. You're doing this. Think that you've been employed by SIT to analyze their system. 
So your assignment is that SIT has brought you in as an external consultant to analyze the security of SIT. So you need to know some context about SIT. And as students, I think you know enough context to do this analysis. But in some cases, you may not have enough information. For example, I don't expect you to know the details of all the staff systems. If you don't know, then use some common sense, guess a little bit that we have a payroll system. The details are not important. In real, a real analysis, you would be able to ask the people involved and ask them, well, what is the payroll system? How does it work to learn about what the information types are? But in this assignment, you have limited resources to do that. So I think most people listed a reasonable set of information types. Many systems have logs. We may mention that today in our topic on intrusion detection. Web pages are not an information type, but think about the information in web pages, not just in databases. Many information systems, well, most will include multiple information types. I don't think there are any where there's just one information type in the information system of the ones we listed. Some people listed statistics as an information type. Well, you could, but I think if you think from a database perspective, the data stored in the database, the statistics of that data is not normally stored. It's calculated. So maybe easier to treat those statistics, not as an information type, but just as something that can be obtained from the information that we're looking at. An example was, okay, the score of a student or the grade of a student in a course may be an information type. Many people listed that. That's okay. But a statistic of those scores, like the average score for the class, doesn't necessarily need to be listed as an information type. Of course, we can obtain that from the scores quite easily. So if an attacker obtained the scores, then they can obtain the average score. 
So my point is that the statistics don't list all the statistics of all the different pieces of information as different information types. Information types are shared across multiple information systems. So many are reused. But I think most people went okay with that. Then you had to do the categorization. And with respect to confidentiality, integrity and availability, you need to categorize those first the information types. What's the impact on SIT if the confidentiality is compromised? Is it low, moderate or high? That's what you had to do. Here's the definitions of low, moderate and high. Not too precise, but low has a limited adverse effect on the organization. Moderate, serious, high, catastrophic or severe. What does that mean? Again, that's up to your interpretation. How do you choose the right level? Again, there's no right level. But I think in some cases, the levels that some people chose, I thought were different than I would have chosen. Think about the adverse impacts. What goes wrong? If someone can read some confidential information about your grade, who cares? What's the impact of that? How does that impact upon the organization of SIT or the members of SIT? Who would be affected? Is that impact going to be for one day or for the rest of your life? Maybe the grades are compromised and you don't get your degree and you only learn about it in 10 years' time. You didn't get your degree because someone changed all your grades. Well, that's a large impact. So think about who it impacts and for how long and maybe what's the cost of the loss or of the attack. So cost, you can measure in different ways, but for an organization like SIT, money is one thing. Do we lose money as an organization because of that attack? How much? Or reputation is another thing. As an educational institute, reputation is important. So again, no one answer, but think about the adverse impacts before you give those low, high or moderate.
Another way to compare or to determine what's a good value is to think about different information types and compare the impacts. So if you lose the integrity of grades, that is the system allows some grades to be modified, does that have the same impact on SIT and the members of SIT, including students, as if we lost the integrity of the library book records? Which one has more impact? Anyone want to have an idea? If someone goes in and changes your grades from A's down to F and you find out in one year's time, or someone goes in and changes the title of a library book from C programming to D programming, which one has the most impact on SIT? The grades. So therefore think about when you give the integrity rating for grades and library books, should they be the same? Well, I would think not. I would think that the grades would have a higher level than library books. Many people end up, especially with integrity, I think ended up with high, high, high, high, high. Everything was very important to them, which ideally would be nice that, of course, we'd like confidentiality, integrity and availability to be considered, but what's the impact of them? So just be careful when you categorise. And these are some guidelines for how to help you categorise. That's all I want to say about task one. I think consider this, update what you've done, and that's it. I think we're not... Don't spend too much more time on task one, other than just doing one single update for an hour or two of the current one, and move on to task two. Any questions about task one? What is task two? The risk analysis. So now you know something about the different information systems. Now let's look, okay, at some individual risks. What can go wrong? So the task is to perform a risk analysis, producing a risk register, and I've taken the methodology from some standards and summarised it in the overview of security risk analysis.
So I've summarised a step for this, and I've tried to make it simple so that you can do it with the limited information you have about SIT. And to help, I've created a template, a spreadsheet that you can use, and you're just filling the fields. So let's have a look at that template to explain what you need to do. There's a number of columns. Let's just go through them. So at the top, so the columns indicate the information you need to fill in, and for each row represents a risk. So here's your group number, because later I may combine the submissions from all groups into one, so everyone can see. So your group number, which is always the same for you. The risk number, just increment, easy. Some description of the asset. So we think about risks to assets, the information to software, hardware, communication networks. So what is this risk to? What is this threat on? So for example, I give two examples, or partial examples here. The asset may be student grades. We represent it. We found out from the previous task, student grades are important. So that's an asset. That's something we want to protect. What are the risks against the student grades? What can go wrong in terms of confidentiality, integrity, and availability? So that's your task. Think about, well, what are the assets? And then what are the threats or vulnerabilities of those assets? So an example here, some student who's in SIT intercepts grade information of all students in the class as that grade information is being sent from my computer to some server. Okay, so I've calculated your grades on my computer. I upload that information to the information system for grade storage. While I do that, some student intercepts that and learns the grades of all students in the class. That's, I think, a threat or a potential thing that can go wrong with respect to grades. So a short description of the threat in this case. And then do that for other threats on the same asset. 
So there may be multiple threats on that one asset. Think of confidentiality, integrity, availability. There may be another threat that somehow student changes the grades or external user changes the grades. So that will be separate. They'll have a different impact. So there may be multiple threats against the same asset. And then there are other assets in SIT. This list could become very long. I don't know how long it will be. There's no again right answer. But it's going to be more than 20. I don't need you to go into cover every asset and threat, but try and think of the main ones, the ones that you know about at least. Then you do some analysis of, well, what's the likelihood of occurring? Like likelihood of occurrence for that threat? And what's the impact? To work out what's the risk? That's what we're trying to achieve. For this particular threat, what's the risk? The risk level. And you fill in these columns and we'll explain them. So we have some likelihood, which we split into occurrence, impact, and then some overall likelihood. And then the consequence, if the threat does happen, if someone does learn the grades, what's the consequence? What's the bad thing that happens? And again, give it some level. And from that, we can determine the risk level, because the risk level comes from what's the likelihood of that happening? And what's the consequence of that? So if it has a very high chance of happening, that threat, and there's a very high consequence, if it does happen, then the risk will be very high. That's the concept here. Now, where do you get these values from? High, moderate, moderate, low, low here? Well, this, the other document that I've given you gives the explanation of these values and how to go through these steps. And usually they're broken into five levels, very low, low, moderate, high, and very high. Let's look at some of them. So in the spreadsheet, I give you the tables that explain those. 
Okay, so you look up those tables to find the value that you think is relevant for this threat on this asset. Again, it's your interpretation. So let's have a look. It's hard to see on the screen, but tables eight and nine are the first thing. Let's go to them. So table the likelihood of a threat event initiation, and the likelihood of a threat event occurrence. What's the difference? One is related to what if a deliberate attack takes place? This security analysis actually also considers what if a mistake happens, which leads to the threat taking place? An example is what if I send an email to the secretary saying, here are the grades for the students for ITS 335, but I accidentally include the CC to the whole student email list. And therefore I've accidentally released that confidential information to everyone. So that's not a deliberate attack, but it may lead to the same consequence as if there was a deliberate attack. So in fact, we do consider malicious attacks and accidents. And the difference is, if you go through the previous tables, the threat event initiation is in regard to deliberate attacks. And this threat event occurrence is what you think is the likelihood of an error or an accident occurring. And the previous tables give examples of these. So you can see examples, act of nature, a flood that shuts down the campus for two months. Okay, what's the likelihood of that happening? What's the consequence? Well, I think you can guess that. Well, you know it. So say for a deliberate attack, then you need to give a rating. Well, give some numbers here as some percentage of it's almost certain to initiate the threat event. Not necessarily to be successful, but to try it. It's almost certain that a student's going to try and intercept the data being sent from me to the server. Or it's very, very unlikely that someone's going to do that attack. So you need to give some judgment there of one of these five levels.
Similarly, the likelihood of the accident occurring: less than once every 10 years a flood is likely to shut down the campus. Okay, so very low likelihood. Or it's very, it's highly likely that a faculty member would send the email to the wrong address. Okay, so you'd give it a high rating. So you give a rating for the likelihood of occurrence. That's from table eight or nine. Then the impact, table 10, again, very high to very low. If it is initiated or occurs, or if the attack is initiated or the accident occurs, what's the likelihood of having negative impacts, adverse impacts? Almost certain through to highly unlikely. So even if someone tries to listen in, what's the likelihood of having some negative impact on the organization? Give it a ranking. And then the next one, the overall likelihood is just a combination of those two. And you just look up in a table. So we have high occurrence, moderate impact, table 11, we just do a look up high occurrence, moderate impact, sorry, high occurrence, moderate impact, moderate overall likelihood. So it just gives us some guide as, okay, if we know the chance of it happening, and we know the likelihood of the impact, then we can get an overall likelihood. So look up the values in this table to get that next value. So that's easy. So your task really is to choose, think about the values for these. Then next, the consequence, if it does take place, table 13, some other tables give examples. If you want to know what some typical impacts are, have a look at the examples. The impact of threat events. So again, this is looking, okay, it takes place. What is the impact? What's the consequence of this? And this is similar to what you thought about with your task one, think about the impact of the threat from severe or catastrophic multiple severe. Well, this one's quite extreme, adverse impacts or catastrophic on the organization or even the nation, down through to negligible. So almost nothing. A very small impact.
Similar to what you're doing, or did, in task one, try and classify and look at the impact of different threats. Once you have the overall likelihood, and the consequence, then you can determine the level of risk. Again, the risk is a combination of what's the chance of it happening, and how bad will it be if it does happen? Table 14, you just look up again. You look at the overall likelihood. If it's low, and the level of impact is high, then this table suggests that the risk level will be low. Even though the impact is high, the chance of it happening is quite low. So as with any risk analysis, we look at the probabilities. This just simplifies by breaking into five different levels. We cannot often give numbers to what is the probability, what's the impact. Therefore, this procedure breaks it into five general levels. And you get your level of risk. And you're done. You go through those steps for each asset and threat. The risk priority is once you've done them all, then try and rank them. One through to n. Highest priority down to the lowest. In practice, the risk priority should, of course, include the risk level. High risk level, very high, or very high risk level should be highest priority. But in practice, with an organization, we need to also consider the cost of doing something about it. So the priority is really, okay, we know of all the risks now. We need to now take actions and step past three is about what actions to take to prevent those threats. So the risk priority is supposed to say maybe to the boss of the organization that these are the risks we think you should focus on this one as number one because it's very high risk level. And the cost of fixing it is manageable. It's not so much. If we had a risk which was very high, but the cost to fix it we estimated would be billions of dollars, then maybe the priority to fix it will be lower. Because it's just not practical to expend that cost.
But in your case, I think the risk priority is not so important because it's hard to estimate how much it will cost. You can try, but get to the risk level was the main thing. Questions. You need to start on that, which involves a bit of reading those tables. There's some examples in there. And just thinking in your group, assets and threats. Okay. When should we set the deadline for task two? Any suggestions? This Friday? Maybe a week, a bit over a week. So say you get started today over, maybe I'll suggest that by next week, next Tuesday, next Thursday, I won't set a specific deadline, but you should have done some of these within a week from now. Okay. So get going on it so that the next task, task three would be doing a little bit more detailed analysis of individual threats and how you could carry them out as the malicious user. So start maintaining your list and you build it over time. What are the red dots? These are just some comments that explain this template. So for you, don't modify the first two rows. The next two rows are just examples. So when you get this template, delete these two rows, or use them as examples, but delete them in your submission, that's all. And then submit the spreadsheet. And the tables or the table numbers, sorry, refer to that other document, this overview of security risk analysis, which is on the website as well. Any other questions?
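
Added example, not part of the lecture or the course template: the look-up steps described above (occurrence and likelihood of impact give the overall likelihood; overall likelihood and consequence give the risk level; then rank) as a small Python roll-up of a risk register. The matrix cells are an assumption taken from NIST SP 800-30 Rev. 1 Tables G-5 and I-2, which agree with the two look-ups quoted in the lecture; the field names and all rows except the grade-interception one are constructed for illustration.

```python
LEVELS = ["very low", "low", "moderate", "high", "very high"]

# ASSUMPTION: cells follow NIST SP 800-30 Rev. 1 Table G-5 / Table I-2; check
# them against tables 11 and 14 of the course document before relying on them.
# Row key: likelihood of initiation/occurrence. Column: likelihood of adverse
# impact, ordered as LEVELS.
OVERALL_LIKELIHOOD = {
    "very high": ["low", "moderate", "high", "very high", "very high"],
    "high":      ["low", "moderate", "moderate", "high", "very high"],
    "moderate":  ["low", "low", "moderate", "moderate", "high"],
    "low":       ["very low", "low", "low", "moderate", "moderate"],
    "very low":  ["very low", "very low", "low", "low", "low"],
}
# Row key: overall likelihood. Column: consequence (level of impact).
RISK_LEVEL = {
    "very high": ["very low", "low", "moderate", "high", "very high"],
    "high":      ["very low", "low", "moderate", "high", "very high"],
    "moderate":  ["very low", "low", "moderate", "moderate", "high"],
    "low":       ["very low", "low", "low", "low", "moderate"],
    "very low":  ["very low", "very low", "very low", "low", "low"],
}

def _norm(level):
    """Accept 'High', ' very  low ' etc.; reject anything off the 5-level scale."""
    key = " ".join(str(level).lower().split())
    if key not in LEVELS:
        raise ValueError(f"not one of the five levels: {level!r}")
    return key

def lookup(table, row, col):
    return table[_norm(row)][LEVELS.index(_norm(col))]

def assess(row):
    """Fill in the two derived columns of one register row."""
    overall = lookup(OVERALL_LIKELIHOOD, row["occurrence"], row["impact_likelihood"])
    risk = lookup(RISK_LEVEL, overall, row["consequence"])
    return {**row, "overall_likelihood": overall, "risk_level": risk}

def build_register(rows):
    """Assess every row, then rank by risk level (ties: overall likelihood).
    Cost of treatment, which the lecture says also affects priority, is not modelled."""
    ranked = sorted(
        (assess(r) for r in rows),
        key=lambda r: (LEVELS.index(r["risk_level"]),
                       LEVELS.index(r["overall_likelihood"])),
        reverse=True,
    )
    for priority, r in enumerate(ranked, start=1):
        r["priority"] = priority
    return ranked

# Row 1 uses the values read out for the template example; rows 2-4 are constructed.
SAMPLE_ROWS = [
    {"risk_no": 1, "asset": "Student grades", "threat": "Student intercepts grades in transit",
     "occurrence": "High", "impact_likelihood": "Moderate", "consequence": "Low"},
    {"risk_no": 2, "asset": "Student grades", "threat": "Grades email CC'd to student list by mistake",
     "occurrence": "High", "impact_likelihood": "High", "consequence": "Moderate"},
    {"risk_no": 3, "asset": "Student grades", "threat": "Grades modified by a student or external user",
     "occurrence": "Low", "impact_likelihood": "High", "consequence": "Very High"},
    {"risk_no": 4, "asset": "Campus systems", "threat": "Flood shuts down the campus",
     "occurrence": "Very Low", "impact_likelihood": "Very High", "consequence": "High"},
]

if __name__ == "__main__":
    for r in build_register(SAMPLE_ROWS):
        print(r["priority"], r["risk_no"], r["threat"], "|",
              r["overall_likelihood"], "->", r["risk_level"])
```
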