ISYS326: Information Systems Security

Assignment 2, Semester 2, 2019

(Weighting 35%)

Assignment Description:

In this assignment, you have to choose an Information System or IT system and write a reflective report on its security analysis. You can choose a system from the following list or your own. If you select your own topic, it must be based on a peer-reviewed journal paper (e.g., published by IEEE, ACM, Springer or Elsevier). The report is based on two security models: STRIDE and DREAD. First, you need to identify 5 common security threats to your selected system. Then, you should list the security requirements to deal with those threats using the STRIDE model. In the second part of your report, you have to analyse the risk of each threat to your system using the DREAD model. You also need to measure the overall risk of the system and propose appropriate security measures to overcome the threats. The assignment is a group assignment and each group may have at most 2 members.

List of IS or IT Systems:

  1. Enterprise Resource Planning
  2. Data Warehousing
  3. Office Automation
  4. Global Information Systems
  5. Library Management Systems
  6. Online Ticket Reservation Systems
  7. Hotel Management System
  8. Banking System
  9. Healthcare System
  10. Supply Chain Management System

Report Structure:

You should use the IEEE conference paper template to write the report like assignment 1. The template can be downloaded from the unit LEO site. The report should not exceed 3000 words in total including bibliography and appendix.

Abstract: An abstract (a short summary of the report) needs to convey a complete synopsis of the paper, but within a tight word limit. Writing an abstract includes a brief introduction to the general topic of the work and then an explanation of the exact research strategies, including the aims. It should then highlight the outcomes.

Introduction: In the Introduction, you are attempting to inform the reader about the rationale behind the work. The introduction does not have a strict word limit, unlike the abstract, but it should be as concise as possible. It can be a tricky part of the paper to write, so many scientists and researchers prefer to write it last, ensuring that they miss no major points. The introduction gives an overall view of the report but does address a few slightly different issues from the abstract. An introduction should emphasize background, importance, limitations, and assumptions. You should provide a short overview of the chosen system in this section.

Identify Five Common Security Threats: In this section, you will identify five common security threats that might have significant impacts on your system. You have to choose specific security attacks on different security services, such as attacks on integrity, data confidentiality, availability, authentication, non-repudiation and so on.

Analyse Security Requirements using STRIDE model: Now you need to analyse the security requirements using the STRIDE model and also map the requirements to the security attacks (known as STRIDE threat classification). An explanation should be provided of whether the chosen system can defend against the security threats classified by the STRIDE model.

Risk Rating Using DREAD Model: In this section, you have to calculate risk values for each threat. Using the DREAD model, you have to quantify the risk factor for each category and then calculate the overall risk value to evaluate the severity of risks to your information or IT system. You also need to describe some mitigation techniques to overcome the risks.

Conclusion: This is really just a more elaborate version of the abstract. In a few lines you should summarize your findings and recommendations. Your abstract will do most of this for you but, as long as you do not get carried away, especially for longer reports, it can help the reader absorb your findings a little more.

References: All papers that are used in the report must be cited in the reference section. Your report should include at least 4 peer-reviewed conference and/or journal papers. Please ensure that you reference properly and acknowledge all sources using the Harvard (AGPS) style (check LEO site for guidelines). Don’t use IEEE referencing style.

Marking Scheme: Please check the marking rubric on the next page.

A report template has been uploaded on the LEO site for your reference.

A research report on the STRIDE and DREAD models can also be downloaded from the unit LEO site.

Rubric – Assessment 2: Information Systems Security Analysis and Planning (Total marks = 35)

Columns: ILO; Criteria; Standards (Below Expectations, Meets Expectations, Exceeds Expectations)

Levels: Level 1 (e.g. F); Level 2 (e.g. P); Level 3 (e.g. C); Level 4 (e.g. D); Level 5 (e.g. HD)

ILO: L5

Criteria: A report which evaluates the security risk of a system in an organisation using standard risk assessment models. (20 Marks)

Level 1: No submission or submission containing little or no material relevant to risk assessment.

Level 2: Some omissions and/or inconsistencies such that an incomplete risk assessment report is submitted.

Level 3: Minor omissions and/or inconsistencies which might raise some concerns such as incorrect evaluation of a security threat.

Level 4: Sufficient detail such that comprehensive risk assessment and analysis that demonstrates that the student is aware of and understands all obvious relevant issues.

Level 5: All relevant information provided including risk scores, severity and potential consequences.

ILO: L4

Criteria: A well-structured and understandable report that implements appropriate security measures to minimise the risks. (15 Marks)

No submission or material in the submission related to mitigation techniques.

Submitted late and/or much too long or too short and/or illogical structure or inconsistent style.

Inappropriate security measures are recommended.

Submitted on time but lacking successful integration of different security measures to overcome the threats.

All possible mitigation techniques are discussed, and the right security measures have been selected to minimise the impacts.

A clear, concise, well-structured report identifying all mitigation techniques, implementation costs of those techniques, and justification of selecting the right one.