 Okay, so now that we've discussed the the timing when to do security assessment what to look at We'll look and we zoom in a bit more on the assets that I have been discussing and What you generally want to do is you want to identify which assets you have and what the potential threats are and What how severe the the result is so one way of doing that and that's what the the book mentions is To have a tabular format where you basically say what's our asset? what's the value of this asset and what's the consequence if the asset gets exposed or gets somehow attacked and This is essentially a brainstorming activity where you need to sit down with different stakeholders that know about the business and also the technical People that know about the different systems for example I need to think about which assets do you have so you might for example have the overall The hospital case again, you have the overall information system Well this has a very high value because it's needed to run the hospitals most hospitals nowadays Rely on this if you don't have it you can't take up new patients for example So this is a serious thing Actually recently a couple of weeks ago happened in Germany that one hospital system got attacked got hacked And they could for several days not take in new patients at all. So this is a serious thing The value is high and well if it gets exposed if someone intrudes and for example makes it unavailable The consequences are quite severe in the worst case. So what's given in the book? You can't take up new patients as I mentioned You can't maybe give your existing patients the right medication because you don't know what they need and so on So this is obviously a high High value and high risk asset that you need to protect. Whereas you might for example have a single patient record And It's still not a good thing if it gets exposed But the value is maybe not as high You don't need a single patient record to run the entire hospital For example, of course, it might be problematic for that one patient But comparably that's not the worst thing you have and similarly if it gets exposed the books as low I would actually say medium It doesn't threaten your operation but at least you Might for example lose reputation you might get into lawsuits because sensitive data gets exposed and What you look at here is essentially are there any values that are Very high that we need to look at us or definitely we need to protect our information system somehow because that's high and high Here, maybe we don't want to protect as much, but we still want to think about is there a good way of protecting this So that we can lower the risk that this actually happens And that's them in a way a second table where you start thinking about what different threats are we having? What different attack possibilities are there? What is the probability that they are happening? So what's the likelihood? How do can we control this threat? So what can we do against it and then you can also think about how feasible is this actually so? I've mentioned before the threat that we have Unauthorized access so someone Get success to the system and if you think about a hospital if it's large enough There's probably quite a high chance that at some point for example someone writes down the password or there is a security hole somewhere in the network Someone gets success. So the probability is reasonably high that this happens And then you can think about what are the possibilities we can use to control this and so you could for example say We need to use two-factor authentication So you don't only have a password, but if you enter your right password you also get an SMS and you need to confirm Or the book mentions biometric access so you have for example an iris or a fingerprint scanner and There might be other ways there might for example be procedures as I mentioned before so it doesn't own doesn't always have to be software It could also be that you say well You have to change your password often enough that this risk is not as high that someone finds the paper with your old password for example and Then there are always a lot of possibilities what you could do, but then you get into is this actually feasible so Two-factor authentication nowadays is quite standard, but if we're talking about a hospital you maybe get into the issues that People might think okay. Are we can we actually require our employees to use their private phones for two-factor authentication? Because in a hospital not everyone has a work phone probably so can we actually do this if not we might have to give them telephones That might be costly This might be an issue From a technical perspective that maybe if we have very non-technical staff. They might struggle with this Of course, I'm making some things up here, but it might be there is a trade-off Similarly in bio-mattery for example, you might have the cost you actually and all the devices you need to have some kind of scanner You might have issues with the user acceptance. So people might not want that Depending on this depends heavily on the countries for example. So there are always trade-offs There is usually not a perfect solution, but this is the kind of Brainstorming activity you would go through Probably more on the planning level so very early But you really need to think about what are actually the different assets we have Do we need to protect them? If not, we should maybe not spend any time on that because it's just Effort and well, what's the result of this? Ideally you get some kind of strategies what to do and in terms of System development that's essentially new Requirements so we end up with new requirements that Relate to the security. What do we need to implement? For example, the system shall support two-factor authentication Just to mention it there are of course other ways to do that So you don't always have to do tables. A common one is to use so-called misuse cases So you are familiar with the use case diagram where you have somehow an Actor like a nurse and the nurse can read the patient record And in contrast to regular use cases in misuse cases you would then start thinking about What happens if we have a potential attacker? What could that person do and then you come up for each use case you start thinking about what are potential? Misuse cases so how can someone try to misuse that for example the attacker might? Interfered a network Basically read the network communication and maybe find the password Read Network I Don't have colors here that are very readily readable But usually in a misuse diagram this one is a circle with a white or an empty background This one is usually then drawn as black or shaded. So this is some kind of misuse case that relates to a regular use case and You basically do this kind of activity for each use case are their potential misuse cases and then you get into a similar Discussion as down here. Are there any ways to avoid them? For example encrypt the network traffic? That's pretty much standard nowadays That could be one option or only allow communication with patient records within the hospital You can't access it from outside. So different strategies and you again need to think about how feasible are they? As for use cases, there's also a textual format for misuse cases That goes into similar Dimensions as here so when you start writing down the misuse cases, of course you start writing down What is actually happening? What's the scenario? But also? What's the asset? We are dealing with patient record What's the probability that it happens? What's the value of the asset and so on? So it's quite similar to this is just a slightly different way of doing this and Similar to this there are lots and lots of different techniques to identify this to think about the threats the assets But this is something that is very common actually so It's not only about doing secure programming or having encrypt the network traffic But it's very much also these kind of planning activities