| Category |
Assignment |
Subject |
Management |
| University |
Ravensbourne University London (RUL) |
Module Title |
Cyber Security Risk Management |
| FHEQ Level: |
7 |
Assignment type: |
write a report report |
| Date of Issue: |
May 30, 2025 |
Count words: |
2000-word |
| Submission Method: |
VLE submission |
Deadline:
|
August 4, 2025 |
Assignment:
This assignment provides an opportunity to deepen your understanding and expand your knowledge of a specific topic covered in the module. You are required to write a 2000-word report based on the provided synopsis. SYNOPSIS In this assignment, you are tasked with writing a comprehensive report that analyzes the risks associated with a cybersecurity project. You will need to identify and apply relevant policies and strategies to effectively mitigate these risks, with the goal of strengthening the overall security of the project. Furthermore, you will assess the business implications of increased security investments and how they might affect business returns.
The report will consist of the following sections:
- Provide a brief yet thorough analysis of the risks related to various components of an information system, such as people, data, processes, hardware, software, and network infrastructure. This should be done while considering the current threat landscape. Detail the specific security risks and outline an appropriate incident management approach.
- Discuss the different types of threats and vulnerabilities that information systems face, targeting a range of audiences including senior management, users, and both technical and non-technical experts, with a critical analysis.
- Conduct a managed vulnerability and risk assessment for the organization’s project, ideally within a hypothetical scenario.
- Design an effective security policy to mitigate the identified risks, analyzing the economic impact of a security-related incident on the business as discussed in the previous section.
Please note, you are not permitted to use a real organization without express written permission from a senior official within the organization, and this written consent must be appended to the report. If you decide to use a real organization, ensure that no confidential information is included in your coursework and consult the module leader to arrange for any additional precautionary measures.
Your report must be realistic and tailored to reflect a document that could feasibly be used in a real organization. Be mindful of the distinct audiences for each section, as outlined above. Additionally, ensure your report includes a cover page containing your name, student ID number, and a description of the assessment.
Section 1: Risk Analysis of the Information System → 20 Marks
In this section, you are required to conduct a brief but thorough analysis of the risks associated with various components of an information system. This includes understanding and assessing the following elements: people, data, processes, hardware, software, and network components. The goal is to gain a comprehensive understanding of the information system in the assumed scenario, identify potential threats and vulnerabilities, and assess the impact of these risks.
- Assess Each Component: (7)
- People: Evaluate risks associated with human error, insider threats, and lack of cybersecurity awareness.
- Data: Identify risks concerning data integrity, privacy, and unauthorized access.
- Processes: Consider vulnerabilities in organizational processes, including inadequate security protocols or outdated procedures.
- Hardware and Software: Assess risks related to outdated or unpatched hardware/software and vulnerabilities within the system’s technical infrastructure.
- Network: Examine network-related risks, such as insecure connections, potential data leaks, and external attacks like DDoS.
- Identify Threats and Vulnerabilities: (7)
- Evaluate both internal (employee negligence, mismanagement) and external (hacking, phishing, cyber-attacks) factors.
- Stay informed on the current threat landscape and the possible impact on system security.
- Risk Level Assignment: (6)
- Assign risk levels based on the likelihood of each threat occurring and its potential consequences on the system. Prioritize risks that have a higher chance of occurrence and greater impact
Section 2: Detailed Communication for Diverse Audiences → 20 Marks
This section requires a customized communication approach for different audience groups within the organization. You must understand the backgrounds, knowledge levels, and priorities of these groups to tailor your message effectively.
- Identify Audience Groups: (4+4+4)
- Top Management: High-level overview focusing on business continuity, legal compliance, and potential financial losses.
- Users: Focus on awareness and education on safe usage, security practices, and incident prevention.
- Technical Experts: Provide a detailed, in-depth analysis of vulnerabilities, including specific technical details, methodologies, and risk assessment tools.
- Non-Technical Experts: Provide simple, clear explanations of threats, risks, and their relevance to business operations.
- Communication Strategy: (8)
- Use language and examples appropriate to each audience’s expertise.
- Link the relevance of security to the responsibilities of each group (e.g., for management, focus on the bottom line; for users, emphasize safe practices).
- Provide a critical analysis of the threats and vulnerabilities identified in Section 1. Section 3: Vulnerability and Risk Assessment → 30 Marks – (7.5 *4)
In this section, you will perform a managed vulnerability and risk assessment for the organization's project.
- Specify the systems, projects, and components to be assessed.
- Outline the goals of the assessment, which may include identifying vulnerabilities, evaluating their impact, and recommending mitigation measures.
- Choose an appropriate cybersecurity framework (e.g., NIST, ISO/IEC 27001) for conducting the assessment.
- Explain the rationale behind your choice and describe any tools or methodologies used.
- Vulnerability Identification:
- Identify and document vulnerabilities in the system, considering technology, processes, and personnel.
- Assess the likelihood and impact of each risk, prioritizing them based on severity.
- Propose Mitigation Strategies:
- Based on your risk assessment, propose strategies to address the identified vulnerabilities.
- Provide a prioritized list of actions and recommendations for improving security.
Section 4: Designing a Security Policy → 25 Marks (3.5 *7)
This section focuses on designing a security policy to mitigate the risks identified in the previous sections.
- Summarize the economic impact of security incidents on the business, including direct financial losses and indirect costs such as reputational damage.
- Define Security Objectives:
- Clearly state the goals of the security policy (e.g., protecting sensitive data, ensuring system availability, preventing unauthorized access).
- Align with Legal and Regulatory Requirements:
- Ensure the policy is compliant with relevant laws and regulations (e.g., GDPR, HIPAA, industry standards).
- Security Countermeasures:
- Propose appropriate security measures (e.g., encryption, access controls, employee training) to address the identified risks.
- Justify these countermeasures based on the risks and vulnerabilities in the system.
- Return on Security Investment (ROSI):
- Develop a method for calculating ROSI, comparing the costs of security measures against the potential savings from reduced risk and incident cost avoidance.
- Conduct a cost-benefit analysis to justify the investment in security measures.
- Implementation and Review:
- Develop an implementation plan, ensuring effective communication to all stakeholders.
- Establish a schedule for regular reviews and updates to ensure the policy remains effective as threats evolve.
- Integrate incident response plans into the security policy to ensure preparedness for security incidents.
- Emphasize the importance of continuous improvement by incorporating feedback from security incidents, audits, and reviews to refine the security policy over time.
Additional Guidelines
- Organization Choice: The organization can be fictitious or real. If using a real organization, written permission from a senior official is required, and confidential information must be excluded from the report.
- Consultation and Feedback: You may consult the coursework setter for feedback during the coursework briefing session and within one week after the second teaching week. Report Structure → 5 Marks Please ensure that the report is written in Arial, 11pt font throughout. The total length of the report should be 2000 words, including references. Only essential sources, such as conference and journal papers or white papers, should be referenced to further document the security framework(s) you have chosen.
References should follow the format outlined below:
- Full list of authors (do not use 'et al.')
- Title of the paper/book
- Title of the journal (or publisher if referencing a book)
- Year of publication
- Volume number, and first and last page numbers.
- For Web references, the full URL must be provided along with the date of access. References should be listed at the end of the report but should be integrated into the text and identified by a reference number in square brackets, following the Vancouver referencing style.
The report should follow the structure outlined below:
- Cover Page
- Abstract
- Main Body of the Report (divided into subsections)
- Conclusion
- References
