Approaches of risk analysis

Weekly Essay Questions

Week 1

Question 1

Risk analysis can be conducted following two approaches: quantitative assessment and qualitative assessment. From the quantitative perspective, monetary value is assigned to the components that define the risk, including asset value, impact, threat frequency, uncertainty, and probability (Gregg, 2005). The key steps in assessing risk following the quantitative approach start with estimating potential losses. This action entails the determination of the single loss expectancy (SLE), which is calculated with the following formula:

Single loss expectancy (SLE) = Asset value x Exposure factor

The second step is to undertake a threat analysis, which is concerned with determining the chances of an unwanted event occurring. The ultimate purpose of this step is to estimate the annualized rate of occurrence (ARO) (Gregg, 2005). Finally, the annualized loss expectancy (ALE) is determined. This step combines the possible loss and the rate per year to establish the magnitude of the risk, using the following formula:

Annualized loss expectancy (ALE) = Single loss expectancy (SLE) x Annualized rate of occurrence (ARO)

In qualitative assessment, the seriousness of threats is analyzed, and no numeric values are assigned. Ranks are attached to the assets that constitute the perceived threats. The grades of sensitivity can be classified on various scales, such as low, medium, and high (Gregg, 2005). Risk assessment based on this approach is derived mostly from the personal opinions and instincts of experts.
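As an added example that is not part of the essay, the two formulas above applied in Python to a small constructed risk register, with each resulting ALE also mapped onto a low/medium/high band of the kind the qualitative approach uses. The scenario values and the band thresholds are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk scenario in a register (constructed sample data)."""
    name: str
    asset_value: float      # monetary value of the asset
    exposure_factor: float  # fraction of the asset lost per incident (0.0 to 1.0)
    aro: float              # annualized rate of occurrence (incidents per year)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def qualitative_rating(ale: float, thresholds=(10_000, 100_000)) -> str:
    """Map an ALE onto a low/medium/high scale (thresholds are an assumption)."""
    low, high = thresholds
    if ale < low:
        return "low"
    if ale < high:
        return "medium"
    return "high"


def assess(register):
    """Return the scenarios ranked by ALE, each with its SLE, ALE and qualitative band."""
    rows = []
    for s in register:
        sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
        ale = annualized_loss_expectancy(sle, s.aro)
        rows.append({"name": s.name, "sle": sle, "ale": ale,
                     "rating": qualitative_rating(ale)})
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


# Constructed register: values are illustrative, not from any real assessment.
SAMPLE_REGISTER = [
    Scenario("ransomware on file server", asset_value=500_000, exposure_factor=0.4, aro=0.5),
    Scenario("laptop theft", asset_value=2_000, exposure_factor=1.0, aro=3.0),
    Scenario("data center flood", asset_value=2_000_000, exposure_factor=0.25, aro=0.01),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['name']:<28} SLE={row['sle']:>12,.2f} "
              f"ALE={row['ale']:>12,.2f} {row['rating']}")
```

Note how the flood scenario has the largest SLE but, because of its low ARO, a smaller ALE than the laptop thefts; the ALE is what ranks the risks.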

Question 2

In risk assessment, a vulnerability is the point of weakness that makes a system or business more susceptible to a threat. On the other hand, a threat refers to an adverse event with the potential to result in undesirable outcomes, including damage to an asset (Miessler, 2019). Further, a threat agent encompasses the actors that initiate or facilitate the given threat event, such as a hacker in the case of a data loss scenario. Risk can be defined as the probability of an undesired event happening, combined with the extent of its impact if it happens. Moreover, exposure constitutes a situation in which there is no protection against something harmful. Control is the undertaking of measures that prevent or detect errors for risk mitigation or reduction.

In assessing risk, there are various control types, including detective, preventive, and corrective. Preventive controls are those that seek to deter an undesirable event from happening. An example of this is the use of system controls like passcodes that prevent unauthorized access. Detective controls seek to identify adverse events and could include management reviews. Corrective controls are measures put in place to reduce the impact of an undesired event that has occurred. An example of this includes software modifications (Reciprocity, 2020).

Question 3

Risk can be handled through four basic approaches: avoidance, reduction, transfer, and retention. Risk avoidance consists of a situation whereby measures are put in place to avoid potential adverse events. The approach ensures the elimination of the problem presented by the risk. Risk reduction focuses on reducing the impact of adverse conditions created by unwanted events and also minimizing the likelihood of occurrence. It is facilitated through contingent actions that are pursued after an event and mitigative actions taken before an adverse incident (Tomlin & DeLoach, 2015). Risk transfer entails moving risk to an entirely different entity (PACE, 2020). It is a way of handling risk by making it another party’s problem, such as an insurance firm. On the other hand, risk retention consists of accepting risks that cannot be avoided.

Week 2

Question 1

Commercial organizations have data classification levels that depend on the general sensitivity of the data. Data in business entities could be classified as sensitive, confidential, private, proprietary, or public (Bragg, 2002). Data classified as sensitive is that which demands an enormous degree of integrity, as it has the potential to cause the most substantial damage to the organization. On the other hand, data classified as confidential is less restricted but can result in losses if disclosed. Private data encompasses information with minimal ability to cause damage to the organization, but other concerns prompt it to be restricted from being openly available to unauthorized parties, such as human resource data. Further, proprietary data encompasses information that is rarely disclosed outside the organization. Such data include the technical specifications of new products (Bragg, 2002). Public data comprises information that is not sensitive enough to result in damage if revealed, such as the number of employees.

At the military level, data is classified into top secret, secret, confidential, sensitive, and unclassified. Top secret data entails information that only specific people are allowed to know or have access to. Secret data is that which a larger group within the military is aware of but which should not be shared with outside parties. Confidential data is team-wide information whose sharing is not permitted. Sensitive data is information that can cause damage if disclosed. Moreover, unclassified data is that which can be disseminated to persons without the need for clearance.

Question 2

In asset security and data protection, various layers of responsibility exist. The data owner has the burden of formulating the data’s security classification and can delegate multiple duties. The role of the data custodian is to implement necessary controls. They are responsible for controlling access and overall management of data (Gregg, 2017). Further, senior management has the ultimate responsibility for the security policies in the company. Also, the security advisory group assumes the responsibility of discussing and making recommendations on security issues in the organization.

Moreover, the role of a chief security officer is purposed to facilitate the day-to-day security of the firm and its vital assets (Gregg, 2017). Users also have an integral role in asset security and data protection by complying with the requirements presented in the policies and procedures. Also, developers have the responsibility of ensuring they implement the appropriate security controls within the programs and applications they develop. Furthermore, the role of an auditor is to carry out evaluations on the security measures implemented by the organization and issue an independent comment on the effectiveness of the company’s security controls (Gregg, 2017).

Question 3

The concept of a trusted computing base (TCB) encompasses the entire set of hardware, software, and firmware elements that are crucial for creating and sustaining the security of a computer system (Finjan, 2017). The TCB comprises an operating system characterized by built-in security controls and clearly laid out security procedures and protocols. Various elements are incorporated in a TCB to enhance security, including user control, user authentication support, protection against viruses, and data backup (Finjan, 2017).

The TCB is tasked with maintaining the confidentiality and integrity of data on a system and facilitating the enforcement of the security policies in place. It is critical to test or verify the trusted computing base, since any flaw in it could result in the whole system being compromised. Moreover, the trusted computing base is charged with overseeing various operations, including input and output operations, execution domain switching, memory protection, and process activation (Finjan, 2017).

Week 3

Question 1

Symmetric key cryptography uses a single key for both encryption and decryption of the data. Symmetric key cryptography has several advantages. First, it is considered very fast and exceptionally efficient in handling vast amounts of data, giving strong performance in the reading and writing of encryption elements that involve complicated mathematics (Lander, 2020). Also, it is considered highly secure, as it uses password authentication to confirm the identity of the receiver. The critical disadvantage of the system is that it cannot issue digital signatures. A further significant weakness is the possibility of tapping into the electronic communication channels used by the systems.

On the other hand, asymmetric key cryptography uses a public key, which eliminates the concern of key distribution. The advantages of the system include increased security and the ability to facilitate digital signatures. The downside of using public-key cryptography is speed, as it is slower than private-key encryption (Uobabylon, n.d).

Question 2

Cryptanalysis is the study of methods for recovering the meaning of encrypted information without access to the secret information that is normally needed to do so (Simplilearn, 2019). Basically, it encompasses knowledge of how the system functions and finding the private key. It can be considered as cracking the code, and various techniques are used to facilitate attacks.

A ciphertext-only attack (COA) is a cryptanalytic technique that intercepts encrypted communication and aims to identify the plaintext and the key. In this attack approach, the assumption is that the attacker has access to a set of ciphertexts (Sadkhan, 2012). A known-plaintext attack (KPA) is another technique, in which the attacker has ciphertext and knowledge of the corresponding plaintext, with the aim of deriving the key. Moreover, the chosen-plaintext attack (CPA) is a cryptanalytic technique that assumes the attacker can select arbitrary plaintexts for encryption and obtain the corresponding ciphertexts (Sadkhan, 2012).
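As an added example that is not part of the essay, a known-plaintext attack against a toy repeating-key XOR cipher (constructed here for illustration; not a real protocol or library): XORing one known plaintext with its ciphertext exposes the keystream, and because the keystream repeats, the recovered key reads a second message encrypted under the same key. The key, messages and key-length bound are all assumptions of the example.

```python
from itertools import cycle


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """Toy cipher (constructed): XOR each byte with a repeating key.
    Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_key_kpa(plaintext: bytes, ciphertext: bytes, max_key_len: int = 16) -> bytes:
    """Known-plaintext attack on the toy cipher.

    keystream = plaintext XOR ciphertext; the shortest period that explains the
    whole keystream is taken as the key. Raises ValueError if no period fits."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("plaintext and ciphertext lengths differ")
    stream = bytes(p ^ c for p, c in zip(plaintext, ciphertext))
    for n in range(1, min(max_key_len, len(stream)) + 1):
        candidate = stream[:n]
        if all(b == candidate[i % n] for i, b in enumerate(stream)):
            return candidate
    raise ValueError("no repeating key of length <= %d fits the known pair" % max_key_len)


# Constructed scenario: the analyst holds one known plaintext/ciphertext pair and
# a second ciphertext under the same key. SECRET_KEY is only used to build the
# sample data; the analysis functions never read it.
SECRET_KEY = b"k3y!"
KNOWN_PLAINTEXT = b"BEGIN REPORT"          # e.g. a predictable message header
KNOWN_CIPHERTEXT = xor_repeating_key(KNOWN_PLAINTEXT, SECRET_KEY)
OTHER_CIPHERTEXT = xor_repeating_key(b"balance 4200", SECRET_KEY)


def read_second_message() -> bytes:
    """Derive the key from the known pair, then decrypt the second message with it."""
    key = recover_key_kpa(KNOWN_PLAINTEXT, KNOWN_CIPHERTEXT)
    return xor_repeating_key(OTHER_CIPHERTEXT, key)


if __name__ == "__main__":
    print("recovered key:", recover_key_kpa(KNOWN_PLAINTEXT, KNOWN_CIPHERTEXT))
    print("second message:", read_second_message())
```

The defensive lesson is the one the essay's definitions imply: a cipher in which known plaintext yields the key, or a keystream that repeats, offers no protection against KPA, which is why modern symmetric ciphers are designed to resist it.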

Question 3

Crime Prevention Through Environmental Design (CPTED) is a discipline applied to deter criminal behavior by altering how places are structured and how they appear and feel (NTTAC, 2014). Ideally, the concepts are based on the assumption that the behavior of individuals can be altered by changing the design of a place, with the focus on reducing crime and improving quality of life. Among the basic principles is natural surveillance, which focuses on increasing residents’ awareness of who enters and exits the property. The fundamental purpose of this principle is to make it easier to observe intruders.

Territoriality is another fundamental principle of CPTED that creates a sense of the users’ proprietorship. It is focused on compelling intruders to perceive a territorial influence through physical design, such as the use of fences to limit free access (NTTAC, 2014). Natural access control is another primary principle that exploits the use of symbolic and physical barriers set to decrease opportunities for participating in unwarranted acts. It accomplishes this by placing restrictions on vulnerable targets.

Week 4

Question 1

The Address Resolution Protocol (ARP) is an internet layer protocol that enables devices on a computer network to discover other nearby devices (CNN, 2018). It facilitates the establishment of end-to-end connectivity between devices within the same broadcast domain. Further, the Dynamic Host Configuration Protocol (DHCP) is a network management protocol used to automate the configuration of devices on computer networks. As a result, it allows the devices to use network services based on the Transmission Control Protocol or User Datagram Protocol.

The Internet Control Message Protocol (ICMP) is an internet layer protocol that reports errors on network devices and performs network diagnostics (Cloudflare, 2020). On the other hand, the Simple Network Management Protocol (SNMP) is a protocol that monitors various elements within a computer network, including behavior and traffic (CNN, 2018). Finally, the Domain Name Service (DNS) is a computer network component that eases the identification of a host by a domain name; its servers translate domain names into numerical IP addresses.

Question 2

The term bastion host represents the organization’s public presence on the internet, with considerable exposure to potentially hostile parties. In firewall architecture, it is regarded as the system that outsiders have to connect to in order to gain access to a service protected by the firewall (Chapter5, n.d). Moreover, a DMZ is a demilitarized zone functioning as a screened subnetwork that enhances the security of an organization’s local area network. It is meant to provide an extra layer of protection to detect and mitigate security threats before they reach the internal interfaces (Barracuda, 2020).

A dual-homed firewall is a firewall type that acts as the primary means of protection against security breaches. It uses more than one network interface, with one connection to the internal network and a second to the internet. Also, a screened host comprises a firewall router placed in front of a proxy server. Screening is done by the router to discourage unpermitted access to a closed network. Finally, a screened subnet is a component of firewall architecture that makes attacks more difficult by using a single firewall with three network interfaces that connect to the internet, the DMZ, and an intranet.

Question 3

The Point to Point Tunneling Protocol (PPTP) is the fastest tunneling protocol; it encrypts data in packets and sends them through a channel created over an underlying network connection. It is the simplest to set up, as it only requires a username, passcode, and server address to connect to the server (Athow, 2020).

Another primary tunneling protocol is the combined use of the Layer 2 Tunneling Protocol (L2TP) with Internet Protocol Security (IPSec). The two protocols are used together to establish stronger security than PPTP. Moreover, the Secure Socket Tunneling Protocol (SSTP) is used by organizations since it facilitates the secure transport of internet data through the Secure Sockets Layer (SSL). However, SSTP is unavailable on operating systems other than Windows (Athow, 2020).

OpenVPN is the other primary tunneling protocol that can be configured on Windows, Mac, Android, and iOS. It uses AES 256-bit encryption to facilitate the protection of data packets, and it undergoes thorough vetting for possible security issues on a regular basis since it is open source. Also, it presents a robust and vast range of cryptographic algorithms that enhance internet data security (Athow, 2020).

Week 6

Question 1

Post-mounted PIDS are barrier-oriented systems that are charged with detecting and deterring attackers. An example of this is electrified fence systems that use high voltage, low current, and short duration pulses to prevent an intruder (CPNI, 2012).

Radiofrequency (RF) radiating field systems are ground-based PIDS that use electromagnetic energy and the emission of RF radiation to detect intruders. Changes in the electric field result in changes in the magnetic field, and changes in the magnetic field likewise cause changes in the electric field (CPNI, 2012). The system has numerous advantages, since it is not easily detectable even by knowledgeable attackers.

PIDS can also comprise video-based detection systems (VBDS) that rely on video analysis to detect intruders. An example of this is the use of CCTV systems to aid the detection of unusual activities within the organization (CPNI, 2012). VBDS analyzes captured video for the automatic recognition of attackers.

Question 2

The hot site method of facility recovery encompasses an active backup site that allows for a seamless continuation of normal organizational activities after a disastrous event. It is integral that the hot site is immediately available and equipped with all the essential hardware, software, network, and internet connectivity (OmniSecu, 2019). It is run at extremely high cost, unlike the other methods.

On the other hand, a warm site recovery method entails a backup site that is less equipped than the hot site but configured with vital components of the organizational network. The site is set up with telephone networks, power, and could have servers, but it is not structured to facilitate an immediate switch over (OmniSecu, 2019). Setting up a warm site is attractive due to the minimal cost involved.

In facility recovery, the cold site comprises fewer resources than a warm site and takes more time than the other methods to switch operations. However, it is the cheapest option available, and it contains features such as office furniture and basic technical facilities (OmniSecu, 2019).

A rolling hot site is a mobile facility that can be delivered to a particular location on demand (Gyarmathy, 2019). On the other hand, in facility recovery, a reciprocal agreement encompasses an agreement undertaken by two organizations to utilize each other’s resources at the time of a catastrophe that hampers the normal operations of a firm.

Question 3

For evidence to be legally admissible in court, it should be relevant. The aspect of relevance means that the evidence should be able to prove or refute a vital fact outlined in a criminal case. If the evidence presented does not have any relation to a specific fact, it is regarded as “irrelevant,” making it not admissible (Tran, 2018).

Also, evidence has to be reliable. The concept of reliability addresses the credibility of the source that is relied on for the evidence, especially in witness testimony.

Also, the evidence must not be from privileged sources or communications (Tran, 2018). For instance, privileged communications between lawyers and clients are protected by the law and are excluded from the court as they are deemed inadmissible.

Hearsay evidence comprises any statement made outside of court that is offered in evidence to prove the truth of the matter asserted. For instance, an individual could say to another, outside the court premises, that the defendant committed a murder, and that assertion is then introduced as evidence. Hearsay is inadmissible because the court cannot form an opinion on the reliability of the individual making the out-of-court statement (Justia, 2020).

Week 7

Question 1

Software security can be enhanced through concept and planning. This practice entails defining security and compliance objectives and pursuing security requirements. Also, security awareness training advances all participants’ knowledge of the best practices for maintaining software security. In architecture and design, threat modeling and secure design are elements that could be given focus (PT, 2020). Threat modeling comprises the identification of potential attack scenarios and the institution of appropriate countermeasures against threats.

In the implementation stage in software development, it is vital to consider secure coding and static scanning. Secure coding consists of guides and checklists that help programmers avoid mistakes that could induce vulnerability. On the other hand, static scanning is concerned with reviewing newly written code to uncover possible weak points (PT, 2020).

Dynamic scanning, fuzzing, and penetration testing are some of the best practices that are essential in testing and bug fixing. Dynamic application scanning tools (DAST) assist in discovering vulnerable features through simulated hacker attacks (PT, 2020). Fuzzing can also be undertaken to generate random inputs and gauge how appropriately the software handles them, making protection against attacks possible.
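As an added example that is not part of the essay, a small seeded fuzz harness run over a constructed type-length-value record parser: the naive version crashes on a truncated header and silently accepts a declared length that runs past the input, while the hardened version rejects both with a deliberate ValueError. The record format, the sample input and the crash-classification rule are assumptions of the example.

```python
import random
from collections import Counter

# Constructed record format: one type byte, one length byte, then `length`
# value bytes, repeated until the input is exhausted.


def parse_records(data: bytes) -> list:
    """Before: naive parser. A truncated header raises IndexError, and a declared
    length that runs past the input is silently truncated instead of rejected."""
    records, pos = [], 0
    while pos < len(data):
        rtype, length = data[pos], data[pos + 1]
        records.append((rtype, data[pos + 2: pos + 2 + length]))
        pos += 2 + length
    return records


def parse_records_hardened(data: bytes) -> list:
    """After: every malformed condition is rejected with a deliberate ValueError."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated record header at offset %d" % pos)
        rtype, length = data[pos], data[pos + 1]
        end = pos + 2 + length
        if end > len(data):
            raise ValueError("declared length %d runs past end of input" % length)
        records.append((rtype, data[pos + 2: end]))
        pos = end
    return records


def fuzz(parser, iterations: int = 2000, seed: int = 1) -> Counter:
    """Feed random bytes and single-byte mutations of a valid sample to `parser`.

    ValueError is the parser's documented way of rejecting input, so only other
    exception types are counted as crashes."""
    rng = random.Random(seed)                      # seeded so runs are reproducible
    valid = b"\x01\x05hello\x02\x03abc"            # constructed well-formed sample
    crashes = Counter()
    for _ in range(iterations):
        if rng.random() < 0.5:
            sample = bytes(rng.randrange(256) for _ in range(rng.randrange(12)))
        else:
            buf = bytearray(valid)
            buf[rng.randrange(len(buf))] = rng.randrange(256)
            sample = bytes(buf)
        try:
            parser(sample)
        except ValueError:
            pass                                   # deliberate rejection
        except Exception as exc:                   # anything else is a bug to fix
            crashes[type(exc).__name__] += 1
    return crashes


def rejects(parser, data: bytes) -> bool:
    """True only if the parser refuses `data` with ValueError."""
    try:
        parser(data)
    except ValueError:
        return True
    except Exception:
        return False
    return False


if __name__ == "__main__":
    print("naive parser crashes:", dict(fuzz(parse_records)))
    print("hardened parser crashes:", dict(fuzz(parse_records_hardened)))
```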

Question 2

View-based access control is a concept that drives the implementation of database security policies. It is charged with ensuring that the desired security policy is integrated effectively in the database components. The database administrator defines the structure of the concerned data subsets and then issues privileges on those views to specific users (Rosenthal & Sciore, 2011).

Polyinstantiation is a computing mechanism whereby multiple instances of a shared resource are established to prevent the contamination of data by other users or processes. For instance, it is applied in operating systems through the creation of multiple instances of virtual memory to maintain system security when the system is used by more than one party.

Data warehousing entails the process of collecting and grouping data into a common database with enormous storage capacity, while data mining comprises the extraction of relevant and appropriate data from the databases (JavaTpoint, n.d). On the other hand, Online Transaction Processing (OLTP) entails multiple computerized systems that enable and manage transaction-focused applications.

Question 3

The concept of atomicity in the ACID test outlines that a transaction is either fully committed or not performed at all. This is based on the fact that transactions that touch multiple pieces of information can only be completed if all of their component operations finish together.

Consistency refers to the maintenance of data integrity, in that no defined constraint is violated. Basically, the aspect assumes that saved data cannot violate the specified integrity rules of the database.

Isolation is the aspect that guides the independent execution of transactions and prevents conflicts within the database. Finally, durability in the ACID mechanism ensures that changes made to the database remain permanent even if system issues arise (Watts, 2020). Ideally, system breakdowns or reboots have zero effect on transactions already committed.
