EER diagram
Kevin’s Music is an organization that operates out of Burwood and was started by Kevin to book his band for live performances. Because profits were limited, Kevin also started to teach music, and later to book live performances for other bands in several states of Australia. The business has expanded considerably since its inception, and managing its tasks and operations with a manual set of practices is now becoming troublesome. Kevin has therefore decided to implement an automated system for bookings and their management. Such information systems offer several benefits to their users: faster processing, elimination of manual errors, efficient storage and management of the data sets, and better accuracy. However, they also bring a few issues, the primary one being security threats and attacks. Various attacks on the security of the data sets may emerge, and these may adversely affect the information properties, such as confidentiality, integrity, availability, and privacy of data.
Note: The diagram is made in MS Visio. All primary keys should be underlined, but the underline is not displayed in the picture format, so the primary keys are listed below:
- STUDENT – studentID
- CLASS – classID
- MUSICIAN – musicianID
- BAND – bandID
- MUSIC_BAND – (musicianID, bandID)
- BOOKING – bookingID
- VENUE – venueID
- STUDENT_CLASS – (studentID, classID)
SQL queries

```sql
-- 1. Count of students who registered on 01-07-2018 (1 July 2018; the literal is
--    written in ISO form so the date comparison is unambiguous). The original
--    grouped by studentID, which returns 1 for every student instead of one total.
SELECT COUNT(st.studentID) AS registered_students
FROM STUDENT st
WHERE st.sRegDate = '2018-07-01';

-- 2. Musicians aged 18 or under, ordered by first name.
SELECT *
FROM MUSICIAN ms
WHERE ms.age <= 18
ORDER BY ms.musicianFirstName;

-- 3. Teaching musicians whose card has already expired, earliest expiry first.
--    The original filtered on an undeclared alias m and ordered by SYSDATE(), a constant.
SELECT ms.musicianFirstName, ms.musicianLastName, ms.cardExpDate, ms.age
FROM MUSICIAN ms
WHERE ms.cardExpDate < SYSDATE()
  AND ms.isMusicianTeacher = 'Yes'
ORDER BY ms.cardExpDate;

-- 4. Music style and booking date of every band booked in the current month.
--    BOOKING is assumed to hold the booked band's bandID; the original compared
--    b.bandID with bk.bookingID (an undeclared alias and unrelated keys). The
--    MUSIC_BAND and MUSICIAN joins contributed no columns and only duplicated rows.
SELECT bd.styleMusic, bk.bookingDate
FROM BAND bd
JOIN BOOKING bk ON bk.bandID = bd.bandID
WHERE MONTH(bk.bookingDate) = MONTH(SYSDATE())
  AND YEAR(bk.bookingDate) = YEAR(SYSDATE())
ORDER BY bk.bookingDate;

-- 5. Students attending a class this month, the class's music style, and the
--    teaching musician. The table is CLASS (not MUSIC-CLASS) per the key list
--    above, and CLASS.teacher is assumed to reference MUSICIAN.musicianID
--    (the original compared it with m.mID).
SELECT s.studentID, s.studentFirstName, s.studentLastName,
       c.classMusicStyle, m.musicianFirstName, m.musicianLastName
FROM STUDENT s
JOIN STUDENT_CLASS sc ON sc.studentID = s.studentID
JOIN CLASS c ON c.classID = sc.classID
JOIN MUSICIAN m ON m.musicianID = c.teacher
WHERE m.isMusicianTeacher = 'Yes'
  AND MONTH(c.classDate) = MONTH(SYSDATE())
  AND YEAR(c.classDate) = YEAR(SYSDATE());
```

The information systems that are developed are exposed to data breaches. This is because these systems involve several access points, and different users may use them on different platforms and networks. For instance, one of Kevin’s employees may choose to access the system over a public network connection. As a result, attackers may be able to gain unauthorized access to the data sets. They may capture the information contents or the information properties, and in both cases the impact will be negative for the organization (Tsohou et al., 2006).
The information system that will be developed for Kevin’s Music will be exposed to various security risks and attacks. One such attack is a malware attack. Malware is malicious code or a program that is deliberately developed by the attacker to cause damage to the system it is launched upon. Malware can be introduced into the information system through corrupted files, external devices, emails, networks, and other channels. Many types of malware have been developed, such as viruses, ransomware, logic bombs, adware, worms, Trojan horses, spyware, and many more. Once injected, some types replicate on their own while others require a trigger to launch and multiply, and the mode of attack differs from one type to another. For example, ransomware is a malware attack in which access to the information system developed for Kevin’s Music is blocked and its users are asked to pay a ransom. The ransom is demanded in a cryptocurrency, such as Bitcoin (El Hadi, 2014).
The availability of the information system will be affected by denial of service attacks on the system developed for Kevin’s Music. Various network connections will be involved, and these create the network access points. Attackers may misuse these connections and send unwanted, garbage traffic to block access. This may degrade the quality of service, and a complete service breakdown may also follow. These are also known as flooding attacks, since the access points are flooded with garbage traffic.
The information system that will be developed for Kevin’s Music will use network connections for the sharing, communication, and transmission of information, and attacks may be launched over these connections. Network-based security attacks may take the form of man in the middle attacks, in which the attacker sits between the client and the server and captures the network activity without authorization. Other forms of attack, such as eavesdropping attacks, may also be involved. These attacks may be active or passive (Park and Lee, 2014).
There are various properties of the data sets that are critical and must be protected. One such property is the integrity of the data sets: the prevention of unauthorized modification or alteration of the contents or properties of the data. Attackers may compromise the integrity of the information by altering the contents or properties of the data packets that carry message or media content.
Injection attacks are common against databases. These attacks make use of SQL queries: malicious queries are used to gain unauthorized access to the data sets. For instance, in the information system being developed for Kevin’s Music, users will be granted access rights and permissions; malicious queries may be used to bypass these access rights and misuse the access granted to other users.
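The injection risk described above, as an added example that is not part of the original report: a constructed in-memory copy of the STUDENT table (column names taken from the report's own queries), a lookup that pastes user input into the SQL text, and the parameterised form that closes the hole. Parameterised queries are an added control; the report itself names only access control and authentication for this risk.

```python
# Added example (not from the original report): why pasting input into SQL text is
# the root of injection, and how a bound parameter removes it. Schema and rows are
# constructed here; column names follow the report's STUDENT queries.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway SQLite database with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE STUDENT (studentID INTEGER PRIMARY KEY, "
        "studentFirstName TEXT, studentLastName TEXT, sRegDate TEXT)"
    )
    con.executemany(
        "INSERT INTO STUDENT VALUES (?, ?, ?, ?)",
        [
            (1, "Amy", "Nguyen", "2018-07-01"),    # constructed
            (2, "Sean", "O'Brien", "2018-07-01"),  # constructed; note the apostrophe
            (3, "Raj", "Patel", "2018-06-15"),     # constructed
        ],
    )
    return con


def find_by_lastname_unsafe(con: sqlite3.Connection, last_name: str) -> list:
    """Vulnerable pattern: the input becomes part of the SQL text, so a quote in the
    input is parsed as SQL rather than treated as data. A legitimate name such as
    O'Brien already breaks the statement; text chosen by an attacker could rewrite it."""
    sql = ("SELECT studentID, studentFirstName FROM STUDENT "
           "WHERE studentLastName = '" + last_name + "'")
    return con.execute(sql).fetchall()


def find_by_lastname_safe(con: sqlite3.Connection, last_name: str) -> list:
    """Hardened form: the statement is fixed and the value is bound as a parameter,
    so the database never interprets the input as part of the query."""
    sql = "SELECT studentID, studentFirstName FROM STUDENT WHERE studentLastName = ?"
    return con.execute(sql, (last_name,)).fetchall()


def unsafe_query_fails(con: sqlite3.Connection, last_name: str) -> bool:
    """True when the concatenated query cannot even be parsed for this input."""
    try:
        find_by_lastname_unsafe(con, last_name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(find_by_lastname_safe(db, "O'Brien"))  # [(2, 'Sean')]
    print(unsafe_query_fails(db, "O'Brien"))     # True
```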
| Risk | Description | Probability | Impact | Score |
| --- | --- | --- | --- | --- |
| Data Breaches | The information systems that are developed are exposed to data breaches, because they involve several access points and different users may use them on different platforms and networks. Attackers may capture the information contents or information properties, and in both cases the impact will be negative for the organization. | 4 | 5 | 20 |
| Malware Attacks | Malware is malicious code or a program deliberately developed by the attacker to cause damage to the system it is launched upon. Malware can be introduced into the information system through corrupted files, external devices, emails, networks, and other channels. Many types of malware have been developed, such as viruses, ransomware, logic bombs, adware, worms, Trojan horses, spyware, and many more. | 5 | 4 | 20 |
| Denial of Service Attacks | Attackers may misuse the network connections and send unwanted, garbage traffic to block access. This may degrade the quality of service, and a complete service breakdown may also follow. These are also known as flooding attacks, since the access points are flooded with garbage traffic. | 3 | 5 | 15 |
| Man in the Middle Attacks | In these attacks, the attacker sits between the client and the server and captures the network activity without authorization. Other forms of attack, such as eavesdropping attacks, may also be involved. These attacks may be active or passive. | 3 | 4 | 12 |
| Message & media alteration attacks | Attackers may compromise the integrity of the information by altering the contents or properties of the data packets that carry message or media content. | 2 | 5 | 10 |
| SQL Injection Attacks | These attacks make use of SQL queries: malicious queries are used to gain unauthorized access to the data sets. | 3 | 5 | 15 |
The probability and impact matrix for the six security threats is shown above. Probability and impact are each scored on a scale of 1 to 5, where 1 is the lowest and 5 the highest value, and the score is the product of the two.
Security Threats
The highest probability of the six security threats has been assigned to malware attacks, because malware can be launched through many different attacking agents and many different types of malware may be launched into the system. Data breaches have been assigned a probability of 4: there are controls in place to avoid the risk, but the information will pass through different channels, and a vulnerability in any one of these channels may be misused. Man in the middle, SQL injection, and denial of service attacks are assigned a probability of 3, as there are controls and processes that may minimize their likelihood. The lowest probability is given to message and media alteration attacks, as it is not easy to disturb the integrity of the information sets and packets (Bernik and Prislan, 2016).
The impact associated with each of the six security threats is scored as either 4 or 5, indicating that the occurrence of these risks will have a major or critical impact. This is certain, since any of these security events will adversely affect the information properties, such as integrity, confidentiality, and availability. It is necessary to protect these information properties, since an adverse effect on them may also bring legal obligations and penalties. For instance, if the information of any customer or business partner is exposed, the victim will have the right to file a legal suit against the organization (Feng and Zheng, 2014).
The security risks identified and analysed above will need to be controlled. The strategy applied for controlling these risks will be risk mitigation and avoidance. One of the techniques that shall be used for controlling the security attacks is encryption of the data sets.
Data breaches are a security risk that will be controlled by applying access control and authentication as security controls. Several access control tools and mechanisms have been defined in line with the latest technology. Multi-path encryption based access control and role-based access control shall be used to avoid the issue. Multi-fold authentication shall also be used: enhanced forms of authentication shall be required before users are given access to the system. Biometric recognition for unique identification must be used in combination with passwords and session management.
Malware Attacks
Technical controls and tools have been developed that can be used to avoid and control most security risks and threats, and malware attacks shall also be avoided with such tools. Anti-malware tools that come with ransomware protection shall be installed, implemented, and integrated with the information system developed for Kevin’s Music. It shall also be ensured that the tool is updated regularly and that regular scans are run, with updates and patches installed as they become available.
Denial of Service Attacks
Denial of service attacks shall likewise be avoided with technically advanced tools. Anti-denial tools that come with automated scanning have been developed; these shall be installed, implemented, and integrated with the information system developed for Kevin’s Music. It shall also be ensured that the tool is updated regularly and that regular scans are run, with updates and patches installed as they become available.
The information system that will be developed for Kevin’s Music will use network connections for the sharing, communication, and transmission of information, and attacks may be launched over these connections. Network-based security attacks may take the form of man in the middle attacks. Different technical controls have been developed to control and mitigate network-based attacks, including network-based intrusion detection and prevention systems, firewalls, network scanners, network monitors, and similar tools.
Message and media alteration attacks are also attacks in which the network is the key attacking agent, so the same network-based controls apply: network-based intrusion detection and prevention systems, firewalls, network scanners, network monitors, and similar tools. Apart from these technical controls, the data and information sets must be encrypted at all times. Encryption ensures that only the cipher form of the message or media content is transmitted over the network; for this to mitigate alteration as well as disclosure, the encryption must be in an authenticated mode, so that any change to the ciphertext is detected on receipt.
SQL injection attacks shall be controlled with access control measures for the database and its users. Multi-path encryption based access control and role-based access control shall be used to avoid the issue. Multi-fold authentication shall also be used: enhanced forms of authentication shall be required before users are given access to the system. Biometric recognition for unique identification must be used in combination with passwords and session management.
Most of the controls listed above rely on technical tools and devices to avoid and mitigate the security threats. In addition, users must be informed about the security threats that may occur and the practices they can follow to prevent them. Kevin and the other members of the management committee must carry out security audits at regular intervals so that any security gaps can be identified (Bozkus Kahyaoglu and Caliyurt, 2018).
Conclusion
Kevin has decided to implement an automated system for bookings and their management. Such information systems offer several benefits to their users: faster processing, elimination of manual errors, efficient storage and management of the data sets, and better accuracy. However, they also bring a few issues, the primary one being security threats and attacks. The security threats to the information system for Kevin’s Music may include data breaches, malware attacks, denial of service attacks, man in the middle attacks, SQL injection attacks, and message & media alteration attacks. Control measures are available to avoid and mitigate these attacks. Multi-path encryption based access control and role-based access control shall be used, together with multi-fold authentication. Anti-malware tools that come with ransomware protection shall be installed, implemented, and integrated with the information system developed for Kevin’s Music, and anti-denial tools must be installed for protection from denial of service attacks. Network-based attacks, including man in the middle attacks, shall be controlled and mitigated with the technical controls developed for that purpose: network-based intrusion detection and prevention systems, firewalls, network scanners, network monitors, and similar tools.
References
Bernik, I. and Prislan, K. (2016). Measuring Information Security Performance with 10 by 10 Model for Holistic State Evaluation. PLOS ONE, 11(9), p.e0163050.
Bozkus Kahyaoglu, S. and Caliyurt, K. (2018). Cyber security assurance process from the internal audit perspective. Managerial Auditing Journal, 33(4), pp.360-376.
El Hadi, M. (2014). Assessing Information Security Risk Management in Organizations. Compunet (The Egyptian Information Journal), 13(14), pp.18-32.
Feng, N. and Zheng, C. (2014). A Cooperative Model for IS Security Risk Management in Distributed Environment. The Scientific World Journal, 2014, pp.1-6.
Park, S. and Lee, K. (2014). Advanced Approach to Information Security Management System Model for Industrial Control System.
Tsohou, A., Karyda, M., Kokolakis, S. and Kiountouzis, E. (2006). Formulating information systems risk management strategies through cultural theory. Information Management & Computer Security, 14(3), pp.198-217.