Unit 1: Introduction to Cloud Fundamentals and Services

Uncertainty vs Risk:

Risk is defined as a situation where the outcomes and the probability of the outcome can be estimated, for example by past events or data. In comparison, uncertainty is defined as a situation where the outcome cannot be determined and is therefore unknown.

Risk of Digitalisation in Business Models:

As an example, consider the digitalisation of a business. Digitalisation can introduce new uncertainty into operations, because it involves different business processes than a traditional business model does. Those uncertainties, however, can be traced, calculated and afterwards managed as potential impacts. Kovaitė and Stankevičienė (2019) highlight how digitalisation in traditional businesses requires careful risk assessment to mitigate these challenges effectively. Their case study explores how traditional businesses must adapt their risk management strategies to address digitalisation threats.

Different Risk Definitions:

The term risk is defined differently across academic references. According to the ISO 31000 standard, risk is the "effect of uncertainty on objectives", a definition that covers both positive and negative outcomes. PICA (Probabilistic Impact Cyber Assessment) assesses risks in terms of their likelihood and impact on cybersecurity. The Open FAIR framework quantifies risk by evaluating threats, vulnerabilities, and impacts, while OCTAVE focuses on business risks through self-assessment.

Case Study:

In their study, Kovaitė and Stankevičienė (2019) provide a methodology for risk assessment during digitalisation, highlighting the importance of identifying and managing these risks. By applying frameworks like ISO 31000, PICA, Open FAIR, and OCTAVE, organisations can better navigate the risks of digital transformation, ensuring competitiveness while safeguarding operations.

Reflection:

In Unit 1, we had our first seminar of the module, which was particularly interesting because it included students not only from my Master's specialisation but also from another master’s degree, thus providing valuable perspectives. We explored different definitions of risk and were introduced to the module's structure and assignments. The first assignment is a group project, which is exciting for me since it was my first experience with group work in my master’s degree. Further, I was able to apply what I had learned during a group discussion, where I received positive feedback on my contributions and introduced some new perspectives to the conversation. This experience boosted my confidence and reinforced my understanding of the topics.

References:

  • Aven T. (2015) Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research 253(1): 1–13. DOI: https://doi.org/10.1016/j.ejor.2015.12.023
  • Hubbard D.W. (2020) The failure of risk management: Why It’s Broken and How to Fix It. John Wiley & Sons
  • Hubbard D.W. and Seiersen R. (2016) How to measure anything in cybersecurity risk. DOI: https://doi.org/10.1002/9781119162315
  • Kovaitė K. and Stankevičienė J. (2018) Risks of digitalisation of business models. Journal of Business and Economics 10(4): 456–472. DOI: https://doi.org/10.3846/cibmee.2019.039
  • Shedden P., Smith W., and Ahmad A. (2010) Information Security Risk Assessment: Towards a Business Practice perspective. Australian Information Security Management Conference [Preprint]: 34-43. DOI: https://doi.org/10.4225/75/57b6769334787
  • Sommestad T., Ekstedt M., and Holm H. (2012) The Cyber Security Modeling Language: a tool for assessing the vulnerability of enterprise system architectures. IEEE Systems Journal 7(3): 363–373. DOI: https://doi.org/10.1109/jsyst.2012.2221853

Unit 2: Understanding Cloud Architecture and Implementing Different Frameworks

Qualitative Approach

The authors used qualitative methods to deeply explore user participation in risk management. Through interviews with stakeholders, they gathered detailed insights into how user involvement impacts risk management processes and outcomes. This approach allowed for the identification of nuanced factors and themes that may not be evident in quantitative data.

Quantitative Approach

To validate and generalize their qualitative findings, the authors employed quantitative methods. A survey was conducted with a larger sample size, and statistical analysis was used to test the hypotheses derived from the qualitative phase. This provided a broader perspective and quantified the relationship between user participation and the effectiveness of risk management.

Benefits of Each Approach

  • Qualitative Approach: Offers an in-depth understanding of user interactions with risk management, helps develop hypotheses, and identifies subtle factors.
  • Quantitative Approach: Enables large-scale hypothesis testing, quantifies relationships, and provides statistical evidence to support or refute qualitative findings.

Impact of Lack of User Access on Risk Assessment

The lack of user access can negatively affect risk assessments by limiting the identification of risks and the development of effective mitigation strategies. Without user input, the richness and accuracy of qualitative methods may be diminished, but quantitative methods using existing data can still be applied. Mitigation strategies include engaging indirect user representatives and leveraging secondary data.

Conclusion

The authors successfully integrated qualitative and quantitative approaches to provide a comprehensive analysis of user participation in risk management. Their findings emphasise the critical role of user involvement in enhancing risk identification, assessment, and mitigation, while also highlighting adaptive strategies for situations where user access is limited.

ISO 31000:

  • international standard
  • provides guidelines for risk management
  • emphasizes a structured, comprehensive approach
  • applicable to any business, regardless of size or industry
  • covers risk identification, assessment, and mitigation
  • aims to improve decision-making and achieve individual goals

The Open Group Architecture Framework (TOGAF):

TOGAF is a widely used enterprise architecture framework that guides organisations in designing, planning, implementing, and governing enterprise information architecture. It emphasises alignment between IT and business goals, providing tools and methods for effective architecture development. TOGAF helps organisations manage complex technological changes while ensuring consistency and quality across processes.

FAIR Method (Factor Analysis of Information Risk):

FAIR is a quantitative risk analysis model that helps organisations understand, analyze, and measure information security risks. It focuses on providing a clear, data-driven view of risks by quantifying factors such as threat frequency and impact. FAIR enables organisations to prioritize security investments by translating risks into financial terms, improving decision-making and resource allocation.

Reflection:

This week, I started with my ePortfolio. Since it’s my first time using GitHub, I found the process to be quite challenging and time-consuming. We also had our first group meeting where I was assigned the role of note taker, which helped me stay organized and actively contribute to the team. Our group decided to kick off the assignment by answering questions based on the case study. While this collaboration was productive, I struggled significantly with using GitHub. I tried various YouTube tutorials to understand the platform, but it remained difficult for me to properly commit and push changes. Eventually, after discussing my struggles with fellow students, I received valuable advice to use Visual Studio Code with GitHub integration. This simplified the process and helped me finally get a handle on it. In addition to working on GitHub, I participated in the collaborative discussion for the week, where I provided feedback on my fellow students' posts.

References

  • A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 (2010) A Structured Approach to Enterprise Risk Management. Available from: https://www.ferma.eu/app/uploads/2019/02/a-structured-approach-to-erm.pdf [Accessed 7 August 2024]
  • Baskerville R. (1991) Risk analysis as a source of professional knowledge. Computers & Security [Preprint]. DOI: https://doi.org/10.1057/ejis.1991.20
  • Dhillon G., and Backhouse J. (2001) Current directions in IS security research: towards socio‐organisational perspectives. Information Systems Journal 11(2): 127–153. DOI: https://doi.org/10.1046/j.1365-2575.2001.00099.x
  • Puhakainen N. and Siponen N. (2010) Improving Employees’ compliance through Information Systems Security Training: An Action Research study. MIS Quarterly 34(4): 757. DOI: https://doi.org/10.2307/25750704
  • Siponen M. (2006) Information security standards focus on the existence of process not its content. Communications of the ACM 49(8): 97–100 DOI: https://doi.org/10.1145/1145287.1145316
  • Spears J.L. and Barki H. (2010) User participation in information systems security risk management. MIS Quarterly 34(3): 503–522. DOI: https://doi.org/10.5555/2017470.2017476
  • The Open Group Blog (2018) Introducing the Open Group Open FAIR™ Risk Analysis Tool. The Open Group Blog - Achieving business objectives through technology standards. Available from: https://blog.opengroup.org/2018/03/29/introducing-the-open-group-open-fair-risk-analysis-tool/ [Accessed 7 August 2024].
  • Von Solms, B. and Von Solms, R. (2004) The 10 deadly sins of information security management. Computers & Security 23(5): 371–376 DOI: https://doi.org/10.1016/j.cose.2004.05.002.

Unit 3: Cloud Design Tools

Threats vs. Vulnerabilities
Threats and vulnerabilities are foundational concepts in cybersecurity. A threat is any circumstance or event with the potential to cause harm to a system or organisation, such as a cyberattack or natural disaster. A vulnerability, on the other hand, is a weakness in a system that can be exploited by a threat. Effective risk management involves identifying vulnerabilities and mitigating potential threats to reduce the overall risk (Whitman & Mattord, 2019).

The Threat Modelling Manifesto
  • Set of guiding principles aimed at improving the practice of threat modelling
  • Developed by a group of security experts
  • Emphasizes the importance of understanding the system
  • Proactive approach to security
  • Iterative threat modelling throughout the software development lifecycle (Shostack, 2020)

STRIDE & DREAD
  • Developed by Microsoft and used in threat modelling
  • STRIDE categorizes threats into six types
  • Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege
  • DREAD evaluates threats based on five factors
  • Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability (Herman, 2018)

CVSS (Common Vulnerability Scoring System)
  • Standard for rating the severity of security vulnerabilities
  • Range from 0 to 10 based on factors such as exploitability, impact, and complexity
  • Ensuring that the most critical vulnerabilities are addressed first (Mell et al., 2007)

Attack Trees
  • Conceptual tool used to analyze the security of systems
  • Represents potential attack scenarios as a tree structure
  • Attack trees help in understanding the paths an attacker might take and identifying where defenses should be strengthened (Schneier, 1999)
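Attack trees become useful once the nodes carry values, as Schneier's paper shows with a cost per leaf: an OR node costs the attacker the cheapest of its children, an AND node the sum of all of them. The example below is added here and is not code from the portfolio or from Schneier; the tree is modelled loosely on the safe-opening example in his paper, but the node names and cost figures are constructed. It computes the cheapest path for the attacker and then, from the defender's side, ranks which single leaf would raise that minimum cost the most if a control removed it.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

INFEASIBLE = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "LEAF"  # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    cost: float = 0.0  # attacker cost for a leaf, in constructed currency units
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node, blocked: FrozenSet[str] = frozenset()) -> Tuple[float, List[str]]:
    """Return (minimum attacker cost, leaves used) to reach this node's goal.
    Leaves named in `blocked` are treated as infeasible (a control removed them)."""
    if node.kind == "LEAF":
        if node.name in blocked:
            return INFEASIBLE, []
        return node.cost, [node.name]
    results = [cheapest(child, blocked) for child in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    # AND: every child must be achieved, so costs add up
    total = sum(r[0] for r in results)
    if total == INFEASIBLE:
        return INFEASIBLE, []
    return total, [leaf for r in results for leaf in r[1]]


def leaves(node: Node) -> List[Node]:
    if node.kind == "LEAF":
        return [node]
    return [leaf for child in node.children for leaf in leaves(child)]


def best_single_mitigation(root: Node) -> List[Tuple[str, float]]:
    """Rank each leaf by how much blocking it alone raises the attacker's cheapest cost.
    A leaf with a gain of zero is not on the cheapest path, so fixing it first buys nothing."""
    baseline, _ = cheapest(root)
    ranked = []
    for leaf in leaves(root):
        new_cost, _ = cheapest(root, frozenset({leaf.name}))
        ranked.append((leaf.name, new_cost - baseline))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def build_example_tree() -> Node:
    """Constructed tree, loosely after Schneier's safe example; costs are invented."""
    return Node("Open safe", "OR", children=[
        Node("Pick lock", cost=30_000),
        Node("Learn combination", "OR", children=[
            Node("Find written combination", cost=75_000),
            Node("Get combination from owner", "OR", children=[
                Node("Bribe owner", cost=20_000),
                Node("Eavesdrop", "AND", children=[
                    Node("Listen to conversation", cost=20_000),
                    Node("Get owner to state combination", cost=40_000),
                ]),
            ]),
        ]),
        Node("Cut open safe", cost=10_000),
    ])


if __name__ == "__main__":
    tree = build_example_tree()
    cost, path = cheapest(tree)
    print(f"Cheapest attack costs {cost:,} via {path}")
    for name, gain in best_single_mitigation(tree):
        print(f"block '{name}': attacker's minimum rises by {gain:,}")
```

The same evaluation works with other leaf attributes (Schneier also uses a boolean "possible/impossible" and required skill level); only the OR/AND combining rules change, for example `any`/`all` for booleans instead of `min`/`sum`.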

OCTAVE Methodology
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation
  • Emphasizes a self-directed evaluation process
  • Focuses on the assets, threats, and vulnerabilities specific to the organisation (Alberts & Dorofee, 2003)

QTMM (Quantitative Threat Modelling Methodology)
  • Combines qualitative and quantitative methods
  • Assesses threats by assigning numerical values to various risk factors
  • Particularly useful in complex environments (Xiong & Lagerström, 2019)

PASTA (Process for Attack Simulation and Threat Analysis)
  • PASTA is a risk-centric threat modelling methodology
  • Aligns business objectives with technical requirements
  • Seven stages
  • Provides a comprehensive understanding of threats and vulnerabilities
  • Enabling organisations to make informed decisions about security investments (UcedaVelez & Morana, 2015)

OWASP (Open Web Application Security Project)
  • OWASP is a nonprofit organisation dedicated to improving software security
  • Provides free tools, resources, and guidelines
  • OWASP Top Ten, which lists the most critical web application security risks
  • Cornerstone of modern web security practices (OWASP, 2021)

NIST Overview
The National Institute of Standards and Technology (NIST) is a U.S. federal agency that develops and promotes standards and guidelines to enhance the security and resilience of the nation’s cybersecurity infrastructure. One of its most widely recognized contributions is the NIST Cybersecurity Framework (CSF), which provides a risk-based approach to managing cybersecurity risks, widely used across various industries to improve their security postures.

Positive Points of NIST
  • Comprehensive and flexible nature
  • Adaptable to organisations of all sizes and across different sectors
  • Helps express cybersecurity risk both internally and externally
  • Aligns cybersecurity efforts with business objectives
  • Makes it a practical tool for decision-makers

Negative Points of NIST
  • Can be overwhelming for smaller organisations
  • Requires a significant investment of time and expertise
  • Flexibility can also lead to inconsistent adoption and application

Reflection:

In Week 3, I gained insights into various threat modelling frameworks, including STRIDE, DREAD, CVSS, Attack Trees, PASTA, and OWASP. These frameworks enhanced my understanding of how to assess risks systematically. During our group assignment, I completed my first hands-on risk assessment for a brick-and-mortar store, where I was responsible for selecting the appropriate risk assessment approach. This task allowed me to apply what I had learned in a practical context. Additionally, I wrote my summary post for the collaborative discussion.

Reflecting on the group work, I encountered challenges in working with team members who had different levels of experience and varying work ethics. It was a learning experience to navigate these differences while still moving towards a shared goal. The diversity of know-how in the group was both a strength and a challenge. Some members brought technical expertise, while others excelled in strategic thinking, and balancing these perspectives required strong communication and compromise.

In my summary post, I discussed key risks associated with Industry 4.0, as outlined by Kovaitė and Stankevičienė (2019), such as technical, data security, and financial risks. However, I critically reflected on their lack of emphasis on human and organisational factors, which are crucial for successful digital transformation. This resonates with Bresciani et al. (2018), who emphasise the importance of organisational culture and leadership, especially for SMEs. I also explored the role of workforce retraining to mitigate job displacement risks, aligning with Frey and Osborne's (2017) concerns, and stressed the need for transparency and trust in AI adoption, as highlighted by Cabiddu et al. (2022).

References

  • Alberts, C.J. and Dorofee, A. (2002) Managing Information Security Risks: The OCTAVE approach. Available from: http://ci.nii.ac.jp/ncid/BA60132783 [Accessed 12 August 2024].
  • Bresciani, S., Ferraris, A. and Del Giudice, M. (2017) The management of organisational ambidexterity through alliances in a new context of analysis: Internet of Things (IoT) smart city projects. Technological Forecasting and Social Change 136: 331–338. DOI: https://doi.org/10.1016/j.techfore.2017.03.002.
  • Cabiddu, F., Moi, L., Patriotta, G., & Allen, D. G. (2022). Why do users trust algorithms? A review and conceptualization of initial trust and trust over time. European Management Journal 40(5): 685-706 DOI: https://doi.org/10.1016/j.emj.2022.06.001
  • Frey, C.B. and Osborne, M.A. (2016) The future of employment: How susceptible are jobs to computerisation? Technological Forecasting and Social Change 114: 254–280. DOI: https://doi.org/10.1016/j.techfore.2016.08.019.
  • Kovaitė, K. and Stankevičienė, J. (2019) Risks of digitalisation of business models. Contemporary Issues in Business Management and Economic Engineering [Preprint] DOI: https://doi.org/10.3846/cibmee.2019.039.
  • Mahn, A. et al. (2021) Getting started with the NIST Cybersecurity Framework DOI: https://doi.org/10.6028/nist.sp.1271.
  • Mell, P., Scarfone, K. and Romanosky, S. (2006) Common vulnerability scoring system. IEEE Security & Privacy 4(6): 85–89. DOI: https://doi.org/10.1109/msp.2006.145
  • OWASP Top 10 (2021). Available from: https://owasp.org/Top10 [Accessed 12 August 2024].
  • Schneier, B. (1999) Attack trees: Modeling security threats. Dr. Dobb’s Journal 24(12): 21–29. Available from: https://ci.nii.ac.jp/naid/10026184285 [Accessed 12 August 2024].
  • Shostack, A. (2014b) Threat modeling: Designing for Security. John Wiley & Sons.
  • Stouffer, K. et al. (2015) Guide to Industrial Control Systems (ICS) Security. NIST. DOI: https://doi.org/10.6028/nist.sp.800-82r2.
  • Threat modeling manifesto (no date). Available from: https://www.threatmodelingmanifesto.org/ [Accessed 12 August 2024].
  • Uceda Velez, T. and Morana, M.M. (2015) Risk Centric threat modeling: process for attack simulation and threat analysis. DOI: http://doi.wiley.com/10.1002/9781118988374.
  • Whitman, M.E. and Mattord, H.J. (2002) Principles of information security. Available from: https://works.bepress.com/herbert_mattord/37/ [Accessed 12 August 2024].
  • Xiong, W. and Lagerström, R. (2019) Threat modeling – A systematic literature review. Computers & Security 84: 53–69. DOI: https://doi.org/10.1016/j.cose.2019.03.010.

Unit 4: Cloud Native Technology Part 1

Shostack (2018, Chapters 3-5) delves into the practical aspects of threat modelling, emphasising the importance of understanding system components, potential threats, and the design of security controls. The chapters highlight the application of STRIDE, the integration of attack trees, and the need for continuous updates to threat models as systems evolve.

Spring et al. (2021) build on foundational cybersecurity concepts, exploring more advanced threat intelligence and the role of causality in understanding cyber incidents. The book critiques traditional risk assessment frameworks like CVSS (Common Vulnerability Scoring System), pointing out their limitations in predicting real-world impacts and their failure to account for complex, multi-faceted threats. It highlights the need for more dynamic and context-aware assessment methods.

Pia (Practical Impact Analysis) offers a more nuanced approach to assessing risks, focusing on the real-world implications of vulnerabilities rather than just theoretical scores. The critiques of CVSS mentioned by Spring et al. are further supported by Pia, which highlights the system's shortcomings in capturing the true scope and severity of security risks. The book argues for a more holistic approach to vulnerability management that considers causality and the broader impact on systems.

Reflection:

In preparation for this week's seminar, I studied several resources on threat modelling frameworks. Specifically, I explored the Threat Modelling Manifesto, the OWASP Threat Modelling Cookbook, and the ATT&CK framework. These resources provided a foundation for understanding how to identify and mitigate security threats in a variety of systems. I applied the knowledge gained from these frameworks to various practical examples, demonstrating how theoretical concepts translate into real-world scenarios.

In addition, we held our weekly group meeting. During this session, we reviewed each team member’s progress, discussed the challenges encountered, and delegated tasks for the upcoming week. For me personally, those meetings are critical to maintain alignment and ensure that we are collectively moving towards our project goals in a timely manner. As I was unable to attend the live seminar session, I watched the recorded lecture. This allowed me to review the material thoroughly, rework the exercises, and integrate the content into my e-portfolio. These activities contribute to my ongoing development in cybersecurity, reinforcing both individual research and collaborative skills in practical settings. The academic literature on threat modelling, such as Shostack's (2014) Threat Modelling: Designing for Security, further reinforces the importance of structured methodologies when assessing potential vulnerabilities in systems.

References

  • MITRE ATT&CK® (no date). Available from: https://attack.mitre.org/ [Accessed 20 August 2024].
  • Shevchenko, N. et al. (2018) Threat Modeling: A Summary of Available Methods. Software Engineering Institute [Preprint]. Available from: https://apps.dtic.mil/sti/pdfs/AD1084024.pdf [Accessed 20 August 2024].
  • Shostack, A. (2018) Threat modeling: Designing for security. Available from: http://ci.nii.ac.jp/ncid/BB16065709 [Accessed 20 August 2024].
  • Spring, J. et al. (2021) Time to change the CVSS? IEEE Security & Privacy 19(2): 74–78 DOI: https://doi.org/10.1109/msec.2020.3044475.
  • Threat Modeling | OWASP Foundation (no date). Available from: https://owasp.org/www-community/Threat_Modeling [Accessed 20 August 2024].

Unit 5: Cloud Native Technology Part 2

GDPR, PCI-DSS, ISO 27000, and NIST: Data Protection and Security

In the digital age, protecting sensitive information is crucial. The General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI-DSS), ISO 27000, and the National Institute of Standards and Technology (NIST) framework are key frameworks that guide organisations in safeguarding data.

GDPR (Barafort et al., 2018)
  • Protecting Personal Data
  • Enforced in May 2018
  • Protecting the personal data of EU citizens
  • Requires organisations to obtain explicit consent, ensure data minimization, and provide individuals with rights to access and erase their data

PCI-DSS (Kirvan, 2021)
  • Securing Payment Card Information
  • Standard focused on safeguarding payment data
  • Applies to any organisation handling card transactions
  • Mandates measures like encryption and access control
  • Reduces the risk of data breaches and helps build customer trust

ISO 27000 (Barafort et al., 2018)
  • Globally recognized framework for managing information security risks
  • Systematic approach to securing sensitive information
  • Aligned with GDPR and PCI-DSS

In summary, integrating GDPR, PCI-DSS, ISO 27000, and NIST into an organisation's security strategy is essential for compliance and data protection.

Reflection:

This week’s unit focused on analysing a case study related to the mishandling of personal data, with focus on GDPR. I developed a better understanding of the GDPR regulations by conducting an analysis of the legal and ethical implications of non-compliance (Voigt & Von dem Bussche, 2017). During our weekly group call, we assigned new tasks and reviewed the progress of our project. Most tasks are now complete, and we have shifted to merging our contributions into a single document. I took the lead in drafting the first version of this team document, ensuring that all sections were cohesive and aligned with our goals. This stage has emphasised the importance of clear communication and collaboration within the group.

Additionally, I revisited my e-portfolio to update its content and reviewed the lecture materials. The variety of topics this week, from GDPR compliance to project management, made it challenging to draw connections, but it reinforced the value of integrating diverse information into both individual and group work. Completing the first draft of our team document is a significant step toward finalizing the project, and I will continue refining it based on group feedback and alignment with academic expectations.

References

  • Barafort, B., Mesquida, A.-L. and Mas, A. (2016) Integrating risk management in IT settings from ISO standards and management systems perspectives. Computer Standards & Interfaces 54: 176–185 DOI: https://doi.org/10.1016/j.csi.2016.11.010
  • Barney, N. (2024) What is PCI DSS (Payment Card Industry Data Security Standard)? Available from: https://www.techtarget.com/searchsecurity/definition/PCI-DSS-Payment-Card-Industry-Data-Security-Standard [Accessed 25 August 2024].
  • The EU General Data Protection Regulation (GDPR) (2020) Oxford University Press DOI: https://doi.org/10.1093/oso/9780198826491.001.0001.

Unit 6: Hybrid Cloud Solutions (Hybrid, Fog, Edge Computing)

Businesses today must adapt to various data protection regulations, such as GDPR, PCI-DSS, and HIPAA, to secure sensitive information. Each framework focuses on specific industries and data types.

HIPAA: Safeguarding Health Information

In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) mandates protecting personal health information (PHI). Covered entities must secure electronic PHI (ePHI) through encryption, access controls, and breach notification procedures. Violations can result in severe penalties (HIPAA, 2020).

Mitigations for Compliance

  • GDPR: Appoint a responsible DPO, perform regular internal and external audits, and integrate privacy into data handling processes.
  • PCI-DSS: Encrypt payment data, implement robust access controls, and conduct regular vulnerability scans.
  • HIPAA: Train employees on data protection, implement encryption and establish breach notification protocols.

Reflection:

This week, I focused on reviewing and making the final adjustments to our team document. Despite some challenges, such as a team member deleting my initial draft, I am proud of how well the project turned out, but I have a gut feeling that my initial draft met the requirements better. One of the most challenging aspects during the team assignment was shortening our paper while maintaining key content, but I managed to condense it without losing important points. As part of my individual task, I deepened my understanding of key regulatory frameworks, including GDPR, PCI DSS, and HIPAA. These regulations play a crucial role in ensuring data privacy and security across various sectors and in several countries such as the European Union (Voigt & Von dem Bussche, 2017). PCI DSS focuses on securing credit card information, and HIPAA protects health information in the healthcare sector. Finally, I completed the peer evaluation, providing constructive feedback on my team members' contributions. Overall, this week has strengthened my skills in teamwork, problem-solving, and regulatory compliance, while reinforcing my understanding of critical data protection laws.

References

  • HIPAA for Dummies – HIPAA guide (2020). Available from: https://www.hipaaguide.net/hipaa-for-dummies/ [Accessed 2 September 2024].
  • ICO (2020) Information Commissioner’s Office (ICO). Available from: https://ico.org.uk/ [Accessed 2 September 2024].
  • Kirvan, P. (2023) Top 12 IT security frameworks and standards explained. Available from: https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one?vgnextfmt=print%20 [Accessed 30 August 2024].
  • PCI Security Standards Council (2024) PCI Security Standards Council – Protect Payment Data with Industry-driven Security Standards, Training, and Programs. Available from: https://www.pcisecuritystandards.org/. [Accessed 2 September 2024].
  • Voigt, P. and Von Dem Bussche, A. (2017) The EU General Data Protection Regulation (GDPR): A Practical Guide. Springer.

Unit 7: Cloud Security and Compliance

In this chapter, we explored three powerful analytical tools—Monte Carlo Simulation, Multi-Criteria Decision Analysis (MCDA), and Bayes' Theorem—and their applications in decision-making and risk analysis.

Monte Carlo Simulation (MCS)

  • Models uncertainty by simulating a wide range of possible outcomes based on random inputs
  • Useful for risk analysis, forecasting, and optimizing decision-making under uncertain conditions
  • Outputs a probability distribution, helping to identify the most likely or extreme outcomes
  • Commonly applied in financial modeling, supply chain management, and engineering
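The FAIR model described in Unit 2 decomposes risk into loss event frequency and loss magnitude, and a Monte Carlo simulation is the usual way to turn those two uncertain quantities into the probability distribution the bullets above describe. The example below is added here and is neither the portfolio's code nor the Open FAIR tool: it is a small FAIR-style simulation written for this page with the standard library only. The input figures (about two loss events a year, a median loss of 50,000 per event with a wide spread) are constructed, and the Poisson sampler is included because the standard library lacks one.

```python
import math
import random
from typing import Dict, List


def poisson(rng: random.Random, lam: float) -> int:
    """Sample a Poisson(lam) event count with Knuth's algorithm."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lef: float, magnitude_median: float, magnitude_sigma: float,
                           years: int = 20_000, seed: int = 7) -> List[float]:
    """FAIR-style simulation: each simulated year draws a Poisson number of loss
    events (loss event frequency, events per year) and a log-normal loss
    magnitude for each event, and returns the total loss per simulated year."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mu = math.log(magnitude_median)  # log-normal parameterised by its median
    losses = []
    for _ in range(years):
        events = poisson(rng, lef)
        losses.append(sum(rng.lognormvariate(mu, magnitude_sigma) for _ in range(events)))
    return losses


def summarise(losses: List[float], threshold: float) -> Dict[str, float]:
    """Mean annual loss (the FAIR 'annualised loss expectancy'), selected
    percentiles, and the probability that a year's loss exceeds a threshold."""
    ordered = sorted(losses)
    n = len(ordered)

    def percentile(p: float) -> float:
        return ordered[min(n - 1, int(p * n))]

    return {
        "mean_annual_loss": sum(ordered) / n,
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p99": percentile(0.99),
        "p_loss_exceeds_threshold": sum(1 for x in ordered if x > threshold) / n,
    }


if __name__ == "__main__":
    # Constructed inputs: ~2 loss events/year, median 50,000 per event, sigma 1.0.
    losses = simulate_annual_losses(lef=2.0, magnitude_median=50_000, magnitude_sigma=1.0)
    for key, value in summarise(losses, threshold=250_000).items():
        print(f"{key:26s} {value:14,.2f}")
```

The point a single-number "expected loss" hides is visible in the output: the mean sits well above the median because the log-normal tail is long, and the 90th and 99th percentiles are what a budget or insurance decision actually has to cover. With these inputs the mean annual loss should land near 165,000, which is the analytic value 2 × 50,000 × e^0.5.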

Multi-Criteria Decision Analysis (MCDA)

  • A decision-making tool that evaluates options based on multiple criteria or factors
  • Helps prioritize alternatives when decisions involve trade-offs across conflicting objectives
  • Typically uses scoring, ranking, or weighting systems to assess choices systematically
  • Widely used in resource allocation, project management, and strategic planning
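A weighted-sum MCDA makes the trade-offs above explicit: each criterion is normalised to 0 to 1 (reversed for criteria where less is better), weighted, and summed. The example below is added here and is not the portfolio's code; it ranks four constructed security-control options against four constructed criteria. The option names, raw values and weights are invented for illustration, and the min-max normalisation is one common choice among several.

```python
from typing import Dict, List, Tuple

Criteria = Dict[str, Tuple[float, str]]  # criterion -> (weight, "max" or "min")
Options = Dict[str, Dict[str, float]]  # option -> criterion -> raw value


def normalise(options: Options, criterion: str, direction: str) -> Dict[str, float]:
    """Min-max scale one criterion across all options to [0, 1], with 1 = best.
    'max' criteria reward larger values, 'min' criteria reward smaller ones."""
    values = [opt[criterion] for opt in options.values()]
    lo, hi = min(values), max(values)
    if hi == lo:
        return {name: 1.0 for name in options}  # criterion does not discriminate
    scaled = {}
    for name, opt in options.items():
        x = opt[criterion]
        scaled[name] = (x - lo) / (hi - lo) if direction == "max" else (hi - x) / (hi - lo)
    return scaled


def rank_options(options: Options, criteria: Criteria) -> List[Tuple[str, float]]:
    """Weighted-sum score per option, highest first."""
    total_weight = sum(weight for weight, _ in criteria.values())
    if abs(total_weight - 1.0) > 1e-9:
        raise ValueError(f"criteria weights must sum to 1, got {total_weight}")
    for name, opt in options.items():
        missing = set(criteria) - set(opt)
        if missing:
            raise ValueError(f"option {name!r} lacks criteria {sorted(missing)}")
    scores = {name: 0.0 for name in options}
    for criterion, (weight, direction) in criteria.items():
        for name, value in normalise(options, criterion, direction).items():
            scores[name] += weight * value
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


# Constructed decision: which control to fund first. Values are illustrative only.
CRITERIA: Criteria = {
    "risk_reduction": (0.4, "max"),  # expert score 1-10
    "annual_cost": (0.3, "min"),  # currency units
    "weeks_to_deploy": (0.2, "min"),
    "user_friction": (0.1, "min"),  # expert score 1-10
}
OPTIONS: Options = {
    "MFA for all staff": {"risk_reduction": 8, "annual_cost": 20_000, "weeks_to_deploy": 6, "user_friction": 5},
    "Endpoint detection": {"risk_reduction": 7, "annual_cost": 60_000, "weeks_to_deploy": 10, "user_friction": 2},
    "Awareness training": {"risk_reduction": 4, "annual_cost": 10_000, "weeks_to_deploy": 4, "user_friction": 1},
    "Network segmentation": {"risk_reduction": 9, "annual_cost": 80_000, "weeks_to_deploy": 20, "user_friction": 3},
}

if __name__ == "__main__":
    for name, score in rank_options(OPTIONS, CRITERIA):
        print(f"{score:.3f}  {name}")
```

Because the weights are the decision-maker's value judgement, the ranking should be re-run with alternative weightings before it is trusted; an option that wins only under one weight set is a fragile choice.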

Bayes' Theorem

  • A statistical method used to update the probability of an event based on new evidence
  • Helps refine decision-making by incorporating prior knowledge and new data
  • Often applied in machine learning, medical diagnostics, and risk assessment
  • Useful in probabilistic reasoning, especially when dealing with incomplete or uncertain information
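The risk-assessment use of Bayes' theorem is easiest to see with a detection example, where the prior is the base rate of compromised hosts and the evidence is an alert. The block below is added here and is not the portfolio's code (the Think Bayes snippet further down estimates probabilities from survey data; this one applies the theorem directly). The base rate, sensitivity and false-positive rate are constructed figures chosen to show the base-rate effect, and the second signal is a hypothetical, conditionally independent indicator.

```python
from typing import Dict, Iterable, Tuple


def _check_probability(name: str, p: float) -> None:
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"{name} must be a probability in [0, 1], got {p}")


def bayes_update(prior: float, p_evidence_given_h: float, p_evidence_given_not_h: float) -> float:
    """P(H | E) = P(E | H) P(H) / P(E), with P(E) from the law of total probability:
    P(E) = P(E | H) P(H) + P(E | not H) P(not H)."""
    _check_probability("prior", prior)
    _check_probability("P(E|H)", p_evidence_given_h)
    _check_probability("P(E|not H)", p_evidence_given_not_h)
    p_evidence = p_evidence_given_h * prior + p_evidence_given_not_h * (1 - prior)
    if p_evidence == 0.0:
        raise ValueError("evidence has zero probability under both hypotheses")
    return p_evidence_given_h * prior / p_evidence


def sequential_update(prior: float, signals: Iterable[Tuple[float, float]]) -> float:
    """Apply several conditionally independent signals in turn; each posterior
    becomes the prior for the next (the naive-Bayes chaining used in classifiers)."""
    posterior = prior
    for p_given_h, p_given_not_h in signals:
        posterior = bayes_update(posterior, p_given_h, p_given_not_h)
    return posterior


def alert_breakdown(prior: float, sensitivity: float, false_positive_rate: float,
                    population: int) -> Dict[str, float]:
    """Expected true and false alerts across a population; precision equals the
    posterior P(compromised | alert), which is the base-rate effect in headcount."""
    true_pos = population * prior * sensitivity
    false_pos = population * (1 - prior) * false_positive_rate
    return {
        "true_positives": true_pos,
        "false_positives": false_pos,
        "precision": true_pos / (true_pos + false_pos),
    }


if __name__ == "__main__":
    # Constructed figures: 0.1% of hosts compromised; detector catches 99% of
    # compromised hosts and fires on 1% of clean ones.
    prior, sensitivity, fpr = 0.001, 0.99, 0.01
    print(f"P(compromised | alert) = {bayes_update(prior, sensitivity, fpr):.3f}")
    print(alert_breakdown(prior, sensitivity, fpr, population=10_000))
    # A second, hypothetical independent signal (90% sensitivity, 5% false-positive rate)
    posterior = sequential_update(prior, [(sensitivity, fpr), (0.90, 0.05)])
    print(f"after a second independent signal: {posterior:.3f}")
```

The first result is the part worth remembering: a detector that is "99% accurate" yields a posterior of about 9% when the base rate is 0.1%, because the 1% false positives on the 99.9% of clean hosts outnumber the true positives ten to one. Corroborating evidence, not a louder alert, is what moves the posterior.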

Reflection:

Week 7 was a productive and reflective period as I worked towards completing key tasks and refining important aspects of my academic journey. Our team assignment was due, and the collaborative effort involved in wrapping up the project underscored the importance of communication and time management. I actively participated in discussions about CVSS (Common Vulnerability Scoring System), where we explored both its utility and limitations. The critique of CVSS was informed by the work of Spring et al. (2021), which raised key issues in their paper, Time to Change the CVSS? They highlighted the challenges in accurately scoring vulnerabilities across diverse systems, leading us to reflect on how improvements might be made to the scoring model in real-world applications. This deepened my understanding of the nuances in vulnerability assessments. Another significant milestone was figuring out how to link my work to my e-portfolio, a process that required not only technical understanding but also an organisational strategy. By creating seamless links between my assignments, reflections, and projects, I was able to enhance the navigability and cohesiveness of my e-portfolio, making it a more user-friendly and professional platform. Additionally, I dedicated time to rewriting and perfecting the style of various modules within my e-portfolio. While the content was already in place, this revision allowed me to refine the tone and clarity, ensuring that each section accurately reflected both my knowledge and personal voice. Lastly, I worked on Allen Downey’s Think Bayes 2 exercises; please see the whole code here, below is a snippet:

		# Chapter 1 exercises from Allen Downey's Think Bayes 2. gss_bayes.csv is the
		# General Social Survey extract distributed with the book (not included here).
		import pandas as pd

		gss = pd.read_csv('gss_bayes.csv')

		# Each proposition is a boolean Series with one entry per respondent
		banker = (gss['indus10'] == 6870)
		male = (gss['sex'] == 1)
		female = (gss['sex'] == 2)
		liberal = (gss['polviews'] <= 3)
		democrat = (gss['partyid'] <= 1)
		young = (gss['age'] < 30)
		old = (gss['age'] >= 65)
		conservative = (gss['polviews'] >= 5)


		def prob(A):
			"""Computes the probability of a proposition, A (the fraction of True values)."""
			return A.mean()


		def conditional(proposition, given):
			"""Probability of proposition conditioned on given: keep only the rows
			where given is True, then take the mean."""
			return prob(proposition[given])

		# 1.6 Conjunction
		print(prob(banker & female & liberal & democrat))

		# 1.7 Conditional Probability
		print(female[banker])  # boolean Series restricted to the bankers
		print(conditional(liberal, given=female))

		# 1.8 Conditional Probability Is Not Commutative
		print(conditional(female, given=banker))
		print(conditional(banker, given=female))

		# 1.9 Condition and Conjunction
		print(conditional(female, given=liberal & democrat))
		print(conditional(liberal & female, given=banker))

		# 1.10 Laws of Probability

		# 1.10.1 Theorem 1: P(A|B) = P(A and B) / P(B)
		print(female[banker].mean())
		print(conditional(female, given=banker))
		print(prob(female & banker) / prob(banker))

		# 1.10.2 Theorem 2: P(A and B) = P(B) P(A|B)
		print(prob(liberal & democrat))
		print(prob(democrat) * conditional(liberal, democrat))

		# 1.10.3 Theorem 3 (Bayes' theorem): P(A|B) = P(A) P(B|A) / P(B)
		print(conditional(liberal, given=banker))
		print(prob(liberal) * conditional(banker, liberal) / prob(banker))

		# 1.11 The Law of Total Probability
		print(prob(banker))
		print(prob(male & banker) + prob(female & banker))

		# 1.13 Exercises
		print(conditional(liberal, given=democrat))
		print(conditional(democrat, given=liberal))

		print(conditional(banker, given=female))
		print(conditional(banker & liberal & democrat, given=female))

		print(prob(young & liberal))
		print(conditional(liberal, given=young))
		print(prob(old & conservative))
		print(conditional(old, given=conservative))

Overall, Week 7 was marked by a balance of teamwork, technical problem-solving, and self-improvement, all of which contributed to the long-term goal of curating a well-rounded and professional e-portfolio.

References

  • Bayes, T., Price, R. and Canton, J. (1763) An essay towards solving a problem in the doctrine of chances. Philosophical Transactions of the Royal Society of London 53: 370–418.
  • Belton, V. and Stewart, T. (2012) Multiple Criteria Decision Analysis: An Integrated Approach. Springer Science & Business Media.
  • Keeney, R.L. and Raiffa, H. (1993) Decisions with Multiple Objectives: Preferences and Value Trade-Offs. Cambridge University Press.
  • Kroese, D.P., Taimre, T. and Botev, Z.I. (2013) Handbook of Monte Carlo Methods. John Wiley & Sons.
  • Metropolis, N. (1945) The Beginning of the Monte Carlo Method. Los Alamos Science. Available from: https://mcnp.lanl.gov/pdf_files/Article_1987_LAS_Metropolis_125--130.pdf [Accessed 10 September 2024].
  • Murphy, K.P. (2012) Machine Learning: A Probabilistic Perspective. MIT Press. Available from: http://cds.cern.ch/record/1981503 [Accessed 10 September 2024].
  • Spring, J. et al. (2021) Time to change the CVSS? IEEE Security & Privacy 19(2): 74–78. DOI: https://doi.org/10.1109/msec.2020.3044475.

Unit 8: Disaster Recovery and Business Continuity

Common Vulnerability Scoring System (CVSS)

  • Standardized framework for assessing the severity of software vulnerabilities
  • Generates a numerical score (0-10) based on various metrics such as exploitability, impact, and environment
  • Helps organisations prioritize and address vulnerabilities based on their risk level
  • Widely used in cybersecurity to measure the potential risk and impact of security flaws

The Law of Probability

  • Provides the foundational rules for determining the likelihood of an event occurring
  • Includes basic principles like the addition and multiplication rules of probability
  • Helps quantify uncertainty and predict outcomes in various fields like finance, insurance, and engineering
  • Forms the basis for more complex probability models and decision-making frameworks
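The Think Bayes snippet in the Week 7 entry checks these rules against the GSS survey file, which a reader may not have to hand. The block below is an added example, not code from the page or from Think Bayes, that checks the same laws (Theorems 1 to 3, the law of total probability and the addition rule) on a small constructed set of vulnerability records with three boolean attributes, using plain Python lists instead of pandas. The records, attribute names and helper names are all my own inventions.

```python
# Constructed sample of ten vulnerability records (illustrative, not scanner data).
# Each list is a proposition: True where the record satisfies it.
INTERNET_FACING = [True, True, True, True, True, False, False, False, False, False]
EXPLOITED       = [True, True, False, False, False, True, False, False, False, False]
CRITICAL        = [True, False, True, False, False, True, True, False, False, False]


def prob(a):
    """P(A): fraction of records for which proposition A holds."""
    return sum(a) / len(a)


def both(a, b):
    """Conjunction A and B as a new proposition."""
    return [x and y for x, y in zip(a, b)]


def either(a, b):
    """Disjunction A or B as a new proposition."""
    return [x or y for x, y in zip(a, b)]


def negate(a):
    return [not x for x in a]


def conditional(a, given):
    """P(A | given): P(A) restricted to records where `given` holds."""
    subset = [x for x, g in zip(a, given) if g]
    return sum(subset) / len(subset)


def bayes(a, b):
    """P(A | B) via Theorem 3: P(A) * P(B | A) / P(B)."""
    return prob(a) * conditional(b, given=a) / prob(b)


def total_probability(a, b):
    """P(A) via the law of total probability over the partition {B, not B}."""
    not_b = negate(b)
    return (prob(b) * conditional(a, given=b)
            + prob(not_b) * conditional(a, given=not_b))


def addition_rule(a, b):
    """P(A or B) = P(A) + P(B) - P(A and B)."""
    return prob(a) + prob(b) - prob(both(a, b))


def check_laws(a, b, tol=1e-12):
    """Evaluate each law on the dataset; returns a dict of law -> holds?"""
    return {
        "theorem1_conditional_as_ratio":
            abs(conditional(a, given=b) - prob(both(a, b)) / prob(b)) < tol,
        "theorem2_multiplication":
            abs(prob(both(a, b)) - prob(b) * conditional(a, given=b)) < tol,
        "theorem3_bayes":
            abs(conditional(a, given=b) - bayes(a, b)) < tol,
        "total_probability":
            abs(prob(a) - total_probability(a, b)) < tol,
        "addition_rule":
            abs(prob(either(a, b)) - addition_rule(a, b)) < tol,
        # Conditional probability is not commutative, so this one should fail
        "conditional_is_commutative":
            abs(conditional(a, given=b) - conditional(b, given=a)) < tol,
    }


if __name__ == "__main__":
    print("P(exploited | internet-facing) =", conditional(EXPLOITED, given=INTERNET_FACING))
    print("P(internet-facing | exploited) =", conditional(INTERNET_FACING, given=EXPLOITED))
    for law, holds in check_laws(EXPLOITED, INTERNET_FACING).items():
        print(f"{law}: {holds}")
```

The two conditional probabilities printed first differ (0.4 versus about 0.667), which is the non-commutativity point the Week 7 snippet makes with the banker and female propositions.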

Probability Distribution

  • Describes how probabilities are distributed over a set of possible outcomes
  • Key types include normal, binomial, and Poisson distributions
  • Used to model real-world processes such as stock market returns, customer behavior, or system failures
  • Helps estimate the likelihood of different outcomes and supports risk management decisions

Game Theory

  • A mathematical framework for analyzing strategic interactions between individuals or groups
  • Explores decision-making where the outcome depends on the actions of multiple participants
  • Key concepts include Nash equilibrium, dominant strategies, and zero-sum games
  • Widely applied in economics, business, political science, and cybersecurity to optimize strategic choices

Reflection:

Week 8 was an important week as we received feedback on the team assignment, offering valuable insights for future projects. The grade we received highlighted that we should have focused on two well-fitting models and provided a more critical analysis, rather than incorporating too many models. This feedback will guide me to prioritize depth over breadth in future assignments.

In parallel, I began working on quantitative risk modelling, which proved to be quite challenging. This area demands a more advanced mathematical approach, making it less intuitive for me. I successfully carried out the work in Python but faced difficulties with the Yasai add-on. While I was able to install it, I couldn’t get it to function properly yet, which caused some delays. This experience was a reminder of the importance of troubleshooting and persistence when working with complex tools.

Additionally, I continued to actively participate in the ongoing discussion about CVSS and prepared the Unit 8 seminar. I contributed new perspectives, citing recent resources. One such source was Scip AG (2023), CVSS v4.0 – Better than v3.1?, which examined the improvements in the updated version of CVSS. I also referred to the podcast by Spring et al. (2020), which introduced SSVC (Stakeholder-Specific Vulnerability Categorization) as an alternative framework to CVSS. These insights enriched the discussion, pushing us to think critically about the future of vulnerability scoring and assessment frameworks. Overall, Week 8 was a mix of learning from feedback, grappling with technical challenges, and expanding my contributions to critical discussions, all of which enhanced my learning and problem-solving skills.

References

  • Andrade, E. et al. (2017) Availability modeling and analysis of a disaster-recovery-as-a-service solution. Computing 99(10): 929–954. DOI: https://doi.org/10.1007/s00607-017-0539-8.
  • Feller, W. (1968) An Introduction to Probability Theory and its Applications, Volume 1. John Wiley & Sons.
  • Introduction to Monte Carlo simulation in Excel - Microsoft Support (no date). Available from: https://support.microsoft.com/en-us/office/introduction-to-monte-carlo-simulation-in-excel-64c0ba99-752a-4fa8-bbd3-4450d8db16f1 [Accessed 18 September 2024].
  • Mell, P., Scarfone, K. and Romanosky, S. (2007) The common vulnerability scoring system (CVSS) and its applicability to federal agency systems. DOI: https://doi.org/10.6028/nist.ir.7435.
  • Myerson, R.B. (1991) Game Theory: Analysis of Conflict. Harvard University Press.
  • Osborne, M.J. (2000) An Introduction to Game Theory. Available from: https://mathematicalolympiads.files.wordpress.com/2012/08/martin_j-_osborne-an_introduction_to_game_theory-oxford_university_press_usa2003.pdf [Accessed 18 September 2024].
  • Ross, S. (2009) A First Course in Probability. Prentice Hall.
  • Scip AG (2023) CVSS v4.0 – Better than v3.1? Available from: https://www.scip.ch/?labs.20240314 [Accessed 19 September 2024].
  • Spring, J., Hatleback, E. and Householder, A. (2020) A Stakeholder-Specific Vulnerability Categorization. [Podcast]. Available from: https://insights.sei.cmu.edu/library/a-stakeholder-specific-vulnerability-categorization/ [Accessed 22 September 2024].

Unit 9: Cloud Migration and Integration Strategies

Business Continuity and Disaster Recovery (BC/DR)

  • BC/DR focuses on ensuring a company’s critical functions continue during and after disruptive events
  • Business continuity (BC) plans are proactive strategies to maintain operations, while disaster recovery (DR) involves restoring systems after a disruption
  • BC/DR plans help minimize downtime, protect data, and ensure organisational resilience
  • Includes risk assessments, data backups, and recovery protocols to mitigate the impact of disasters like cyberattacks, natural disasters, or system failures

Recovery Point Objective (RPO)

  • RPO refers to the maximum tolerable period of data loss in the event of a disaster
  • Helps define how often data should be backed up to minimize loss
  • Ensuring an appropriate RPO reduces the impact on business operations by ensuring data is up-to-date upon recovery
  • A critical factor in determining acceptable downtime and backup frequency in disaster recovery planning

Recovery Time Objective (RTO)

  • RTO refers to the targeted time period for the recovery of IT and business functions after a disaster
  • Defines how quickly systems should be restored to minimize operational disruption
  • A shorter RTO may require more expensive recovery resources, while a longer RTO reduces costs but increases downtime
  • RTO is essential for maintaining business continuity by ensuring timely restoration of services
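RPO and RTO are only meaningful if they can be measured after an incident against evidence such as backup logs and the service-restoration time. The block below is an added example written for this page (not code from the original) that parses a constructed backup log, works out the actual data-loss window and downtime for a constructed incident, and compares both against the two objectives; it also derives the longest backup interval compatible with a given RPO. All timestamps, log lines, objectives and function names are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed backup log (not real system output). A failed run protects nothing,
# so only "backup completed" lines count as recovery points.
BACKUP_LOG = [
    "2024-09-25T00:00:00 backup completed snapshot=nightly-01",
    "2024-09-25T06:00:00 backup completed snapshot=nightly-02",
    "2024-09-25T12:00:00 backup completed snapshot=nightly-03",
    "2024-09-25T14:30:00 backup FAILED snapshot=nightly-04 reason=timeout",
]
INCIDENT_AT = datetime(2024, 9, 25, 15, 10)   # constructed: primary site lost
RESTORED_AT = datetime(2024, 9, 25, 18, 40)   # constructed: service back for users

# Constructed objectives and backup duration used below.
RPO = timedelta(hours=4)
RTO = timedelta(hours=2)
BACKUP_RUN_DURATION = timedelta(minutes=30)


def parse_backup_log(lines):
    """Return completion times of successful backups, ignoring failed runs."""
    completed = []
    for line in lines:
        timestamp, message = line.split(" ", 1)
        if message.startswith("backup completed"):
            completed.append(datetime.fromisoformat(timestamp))
    return completed


def last_good_backup(lines, incident_at):
    """Most recent usable recovery point before the incident, or None."""
    candidates = [t for t in parse_backup_log(lines) if t <= incident_at]
    return max(candidates) if candidates else None


def data_loss_window(lines, incident_at):
    """Actual data loss: time between the last usable backup and the incident."""
    last = last_good_backup(lines, incident_at)
    return None if last is None else incident_at - last


def downtime(incident_at, restored_at):
    """Actual outage duration measured against RTO."""
    return restored_at - incident_at


def evaluate_objectives(lines, incident_at, restored_at, rpo, rto):
    """Compare measured loss and downtime against the declared RPO and RTO."""
    loss = data_loss_window(lines, incident_at)
    down = downtime(incident_at, restored_at)
    return {
        "data_loss": loss,
        "rpo_met": loss is not None and loss <= rpo,
        "downtime": down,
        "rto_met": down <= rto,
    }


def max_backup_interval(rpo, run_duration):
    """Longest gap between backup starts that still meets the RPO in the worst
    case (incident just before the next run completes, so the loss is
    interval + run_duration). Assumes a backup is unusable until it completes."""
    interval = rpo - run_duration
    if interval <= timedelta(0):
        raise ValueError("RPO is shorter than one backup run; use replication instead")
    return interval


if __name__ == "__main__":
    result = evaluate_objectives(BACKUP_LOG, INCIDENT_AT, RESTORED_AT, RPO, RTO)
    print(f"last good backup: {last_good_backup(BACKUP_LOG, INCIDENT_AT)}")
    print(f"data loss {result['data_loss']} (RPO met: {result['rpo_met']})")
    print(f"downtime  {result['downtime']} (RTO met: {result['rto_met']})")
    print(f"backups must start at most every {max_backup_interval(RPO, BACKUP_RUN_DURATION)}")
```

On the constructed timeline the 14:30 run failed, so the recovery point falls back to 12:00 and the data loss is 3 h 10 min, inside a 4-hour RPO; the 3 h 30 min outage, however, misses a 2-hour RTO, which is the trade-off the bullets above describe between recovery resources and downtime.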

Disaster Recovery as a Service (DRaaS)

  • Cloud-based service offering disaster recovery, enabling organisations to back up their systems and data in a remote environment
  • Provides rapid failover and recovery in case of system failures or disasters
  • Reduces the need for on-premise disaster recovery infrastructure, lowering costs and increasing flexibility

Reflection:

This week was a mix of challenges and accomplishments. I continued working with Yasai, which I had struggled with previously. However, by the end of the week, things started to come together. A significant part of the progress was figuring out that setting Excel to English resolved some of the issues I was facing. We also had a group meeting this week to discuss our struggles with Yasai and other parts of our work. The meeting was productive, and it was reassuring to know that others were experiencing similar challenges.

During the week, I reflected on vulnerability assessment frameworks, particularly the limitations of the Common Vulnerability Scoring System (CVSS), as discussed in our forum. I noted that CVSS’s reliance on static metrics can oversimplify complex risks, making it difficult to capture evolving threats (Spring et al., 2021). Additionally, I explored the Stakeholder-Specific Vulnerability Categorization (SSVC) as a more tailored and flexible alternative for risk management, which could address some of the shortcomings of CVSS (Spring et al., 2021).

Another key task this week was improving the layout and formatting of my e-portfolio. I focused on ensuring that it displayed well on different devices, which I believe is essential for accessibility and professionalism. Finally, I spent time reviewing the requirements for Assignment 2, which gave me a clearer idea of what needs to be done moving forward. Overall, despite the initial difficulties with Yasai, this week was productive, and I feel more prepared for the upcoming tasks.

References

  • Snedaker, S. (2011) Business Continuity and Disaster Recovery Planning for IT Professionals. Butterworth-Heinemann.
  • Spring, J. et al. (2021) Time to change the CVSS? IEEE Security & Privacy 19(2): 74–78. DOI: https://doi.org/10.1109/msec.2020.3044475.
  • Venkataramanan, V. et al. (2019) Measuring and Enhancing Microgrid Resiliency Against Cyber Threat. IEEE Transactions on Industry Applications 55(6): 6303–6312. DOI: https://doi.org/10.1109/TIA.2019.2928495.
  • Wallace, M. and Webber, L. (2017) The Disaster Recovery Handbook: A Step-by-Step Plan to Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets. AMACOM.
  • What is the Difference Between RPO and RTO? Druva Explains (2021). Available from: https://www.druva.com/blog/understanding-rpo-and-rto [Accessed 25 September 2024].
  • Windsor, C. (2006) Business continuity – is it expensive and hard? ITNOW 48(2): 12–13. DOI: https://doi.org/10.1093/itnow/bwi0156.

Unit 10: Advanced Cloud Technologies (Serverless Computing)

Vendor Lock-in

  • Vendor lock-in occurs when a business becomes overly dependent on a specific vendor for products or services, making switching difficult or costly
  • Lock-in can result from proprietary technology, incompatible systems, or restrictive contracts that limit flexibility
  • Risks include limited innovation, increased prices, and decreased control over infrastructure or services
  • Mitigation strategies include negotiating flexible contracts, adopting open standards, and diversifying vendors

Traditional On-Premises Disaster Recovery

  • Involves maintaining a secondary physical site where critical systems are backed up and can be restored in case of disaster
  • Offers high control and security, but can be expensive due to hardware, infrastructure, and staffing costs
  • Requires constant updates, maintenance, and periodic testing to ensure readiness
  • Best suited for large enterprises with significant resources and high data sensitivity

Cloud-Based Disaster Recovery

  • Utilizes cloud infrastructure to back up data and systems, enabling fast recovery without needing a physical secondary site
  • More cost-effective than traditional DR solutions, as resources are scalable and used only when needed
  • Reduces hardware costs and increases flexibility, but may involve potential security concerns related to cloud providers
  • Popular solutions include Disaster Recovery as a Service (DRaaS), offering automation and simplified recovery processes

Hybrid Disaster Recovery

  • Combines both on-premises and cloud-based disaster recovery solutions, providing a balance of control and flexibility
  • Critical data can be stored locally for immediate access, while less urgent systems are backed up in the cloud
  • Offers redundancy and multiple layers of protection, though complexity and management requirements increase
  • Suitable for organisations with varying data criticality and diverse operational requirements

Reflection:

This week, I continued working on the Python code for the executive summary. I found Python much easier than Yasai for Monte Carlo simulations, which was a relief after my earlier struggles. Please see my Python code below:

	
	import random
	from collections import Counter

	# Number of simulated scenarios; more iterations tighten the estimate
	iterations = 1000

	# Risk register: probability that each risk materialises in one scenario
	# and the impact score it contributes when it does
	risks = {
		"Supply_Delays": {"probability": 0.25, "impact": 4},
		"System_Downtime": {"probability": 0.15, "impact": 3},
		"Inaccurate_Forecasting": {"probability": 0.30, "impact": 4},
		"Transport_Disruptions": {"probability": 0.20, "impact": 3},
		"Supplier_Reliability": {"probability": 0.10, "impact": 2},
		"Data_Integrity_Issues": {"probability": 0.10, "impact": 3},
		"Product_Contamination": {"probability": 0.05, "impact": 5},
		"Defective_Packaging": {"probability": 0.05, "impact": 3},
		"Inconsistent_Ingredient_Quality": {"probability": 0.15, "impact": 4},
		"Cybersecurity_Threats": {"probability": 0.07, "impact": 5}
	}

	# The register is split into the two categories assessed in the summary
	availability_risks = ["Supply_Delays", "System_Downtime", "Inaccurate_Forecasting", "Transport_Disruptions", "Supplier_Reliability"]
	quality_risks = ["Data_Integrity_Issues", "Product_Contamination", "Defective_Packaging", "Inconsistent_Ingredient_Quality", "Cybersecurity_Threats"]

	availability_results = []
	quality_results = []

	# Each iteration draws an independent Bernoulli trial per risk and sums the
	# impact of the risks that occurred, giving one sample of total impact
	for i in range(iterations):
		availability_impact = 0
		quality_impact = 0

		for risk in availability_risks:
			if random.random() < risks[risk]["probability"]:
				availability_impact += risks[risk]["impact"]

		for risk in quality_risks:
			if random.random() < risks[risk]["probability"]:
				quality_impact += risks[risk]["impact"]

		availability_results.append(availability_impact)
		quality_results.append(quality_impact)


	def calculate_mean(results):
		"""Sample mean of the simulated total impacts."""
		return sum(results) / len(results)


	def frequency_distribution(results):
		"""How many iterations produced each total impact value."""
		return dict(Counter(results))


	availability_mean_impact = calculate_mean(availability_results)
	quality_mean_impact = calculate_mean(quality_results)

	print(f"Average Availability Risk Impact: {availability_mean_impact}")
	print(f"Average Quality Risk Impact: {quality_mean_impact}")

	print("\nAvailability Risk Impact Frequency Distribution:")
	availability_dist = frequency_distribution(availability_results)
	for impact, freq in availability_dist.items():
		print(f"Impact: {impact}, Frequency: {freq}")

	print("\nQuality Risk Impact Frequency Distribution:")
	quality_dist = frequency_distribution(quality_results)
	for impact, freq in quality_dist.items():
		print(f"Impact: {impact}, Frequency: {freq}")
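The simulation above reports a mean and a histogram but gives no way to tell how close they are to the true values, and its unseeded random draws change on every run. The block below is an added example, not the executive-summary code itself, that reuses the page's five availability-risk probabilities and impacts, computes the exact probability distribution of total impact by enumerating all 2^5 occurrence patterns, runs a seeded Monte Carlo estimate of the same distribution, and compares the two on the mean and on an exceedance probability. The function names, the seed and the threshold are my own choices.

```python
import random
from collections import Counter
from itertools import product

# Availability-risk register reused from the page's code: (probability, impact).
AVAILABILITY_RISKS = {
    "Supply_Delays": (0.25, 4),
    "System_Downtime": (0.15, 3),
    "Inaccurate_Forecasting": (0.30, 4),
    "Transport_Disruptions": (0.20, 3),
    "Supplier_Reliability": (0.10, 2),
}


def expected_impact(register):
    """Analytic mean of total impact: sum of p_i * impact_i (linearity of expectation)."""
    return sum(p * impact for p, impact in register.values())


def exact_distribution(register):
    """Exact probability mass function of total impact, by enumerating every
    pattern of which independent risks occur. Feasible for a small register;
    Monte Carlo is the fallback once 2^n scenarios become too many."""
    items = list(register.values())
    pmf = Counter()
    for occurs in product((False, True), repeat=len(items)):
        scenario_prob = 1.0
        total = 0
        for (p, impact), hit in zip(items, occurs):
            scenario_prob *= p if hit else 1 - p
            if hit:
                total += impact
        pmf[total] += scenario_prob
    return dict(pmf)


def simulate(register, iterations=20000, seed=2024):
    """Monte Carlo estimate of the same distribution, seeded so runs are reproducible."""
    rng = random.Random(seed)
    results = []
    for _ in range(iterations):
        total = 0
        for p, impact in register.values():
            if rng.random() < p:
                total += impact
        results.append(total)
    return results


def mean(values):
    return sum(values) / len(values)


def exceedance_probability(pmf, threshold):
    """P(total impact >= threshold) from an exact PMF."""
    return sum(prob for total, prob in pmf.items() if total >= threshold)


def empirical_exceedance(results, threshold):
    """The same quantity estimated from simulation output."""
    return sum(1 for r in results if r >= threshold) / len(results)


def monte_carlo_error(results, pmf):
    """Largest gap between simulated and exact probability over all outcomes."""
    counts = Counter(results)
    n = len(results)
    outcomes = set(counts) | set(pmf)
    return max(abs(counts.get(k, 0) / n - pmf.get(k, 0.0)) for k in outcomes)


if __name__ == "__main__":
    pmf = exact_distribution(AVAILABILITY_RISKS)
    sims = simulate(AVAILABILITY_RISKS)
    print(f"analytic mean {expected_impact(AVAILABILITY_RISKS):.3f}, simulated mean {mean(sims):.3f}")
    print(f"P(impact >= 8): exact {exceedance_probability(pmf, 8):.4f}, "
          f"simulated {empirical_exceedance(sims, 8):.4f}")
    print(f"largest per-outcome gap: {monte_carlo_error(sims, pmf):.4f}")
```

The exact mean for this register is 3.45, and the probability that no availability risk occurs at all is 0.75 × 0.85 × 0.70 × 0.80 × 0.90 = 0.3213; a simulation whose histogram drifts far from those values has too few iterations or a bug. Reporting an exceedance probability such as P(impact ≥ 8) alongside the mean is usually more useful for a risk appetite discussion than the mean alone.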
	
	
Alongside this, I began developing a DR strategy for "Pampered Pets," concentrating on minimizing downtime and ensuring effective data recovery. I also spent considerable time refining my e-portfolio, working to improve the layout and format across different devices. Balancing the technical content with design has been challenging, but I’m pleased with the progress. However, with the upcoming deadline, I’ve been feeling a bit pressured, especially as I aim to complete everything to a high standard. Despite these challenges, I remain determined to finish all the work on time, ensure that my portfolio reflects my best efforts, and be well prepared for seminar 10.

References

  • Casalicchio, E. and Silvestri, L. (2012) Mechanisms for SLA provisioning in cloud-based service providers. Computer Networks 57(3): 795–810. DOI: https://doi.org/10.1016/j.comnet.2012.10.020.
  • Opara-Martins, J., Sahandi, R. and Tian, F. (2016) Critical analysis of vendor lock-in and its impact on cloud computing migration: a business perspective. Journal of Cloud Computing: Advances, Systems and Applications 5(1). DOI: https://doi.org/10.1186/s13677-016-0054-z.
  • Snedaker, S. (2011) Business Continuity and Disaster Recovery Planning for IT Professionals. Butterworth-Heinemann.
  • Wallace, M. and Webber, L. (2017) The Disaster Recovery Handbook: A Step-by-Step Plan to Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets. AMACOM.

Unit 11: AI and Cloud Computing

This week, we explored various topics related to security and risk management:

Real Options Theory & Options Pricing Theory

  • Explored these theories for managing reputational risk in decision-making under uncertainty.
  • The article by Pineiro-Chousa et al. (2017) discussed how environmental management and reporting can mitigate risks, with a focus on sustainability.

Operations Management & Supply Chain Risk Management

  • Analysed the role of Behavioural Operations in influencing operational decision-making, especially in dynamic supply chains.
  • The review by Fahimnia et al. (2019) highlighted the significance of behavioural factors in optimizing supply chains to minimize risk.

Adversarial Machine Learning (ML) & Attack Vectors

  • Studied adversarial ML attacks, focusing on defence mechanisms to protect ML models.
  • Ridley et al. (2018) and Varshney (2016) emphasised the growing need for securing cyber-physical systems against adversarial threats in autonomous defence systems.

DevSecOps

  • Highlighted the importance of embedding security into every phase of the software development lifecycle through DevSecOps practices.
  • This approach is becoming increasingly crucial for improving both security and risk management.

Reflection:

This week, I focused on finalising Assignment 2, making key touch-ups, and adding more critical analysis. I revisited certain sections, particularly in risk assessment, to enhance the depth of my arguments. The revisions not only improved the content but also reinforced my understanding of the module, leaving me confident about the submission. Alongside the assignment, I reviewed the remaining tasks for my e-portfolio, summarising the final to-dos. These include refining specific sections like the skills matrix and incorporating new insights from this week. I have also structured the upcoming week to focus on completing the e-portfolio and making any necessary adjustments. With the assignment and most of the portfolio work nearing completion, I feel well-prepared for the final submission. Below is my recommended disaster recovery strategy for the business:

References

  • Fahimnia, B., Pournader, M., Siemsen, E., Bendoly, E. and Wang, C. (2019) Behavioral Operations and Supply Chain Management: A Review and Literature Mapping. Decision Sciences 50(6): 1127–1183. DOI: https://doi.org/10.1111/deci.12369.
  • Pineiro-Chousa, J., Vizcaíno-González, M., López-Cabarcos, M. and Romero-Castro, N. (2017) Managing Reputational Risk through Environmental Management and Reporting: An Options Theory Approach. Sustainability 9(3): 376. DOI: https://doi.org/10.3390/su9030376.
  • Ridley, A. (2018) Machine Learning for Autonomous Cyber Defense. The Next Wave 22(1). Available from: https://www.nsa.gov/portals/75/documents/resources/everyone/digital-media-center/publications/the-next-wave/TNW-22-1.pdf [Accessed 16 October 2024].
  • Varshney, K.R. and Alemzadeh, H. (2017) On the Safety of Machine Learning: Cyber-Physical Systems, Decision Sciences, and Data Products. Big Data 5(3): 246–255. DOI: https://doi.org/10.1089/big.2016.0051.

Unit 12: Future Trends in Cloud Computing

This week we prepared for the "Great Debate" and studied the document "Science of Security Hard Problems: A Lablet Perspective", which outlines five key "hard problems" in cybersecurity that are crucial for research and advancement.

  • Scalability and Composability: This focuses on developing methods to build secure systems from secure components without reanalyzing every part when assembling them into larger systems. The challenge is ensuring security at scale, particularly as systems grow in complexity and incorporate components from diverse sources.
  • Policy-Governed Secure Collaboration: This problem involves creating frameworks to enforce security policies when sharing data across different domains and authority levels. The goal is to ensure secure, policy-driven collaboration across various users and systems.
  • Security Metrics-Driven Design and Evaluation: Researchers are tasked with creating reliable security metrics that can predict and verify if a system meets its security goals. These metrics would guide the design, development, and deployment of secure systems.
  • Resilient Architectures: This problem aims to design systems that continue functioning even when parts are compromised. The focus is on ensuring that system architectures can maintain essential operations despite attacks or failures.
  • Understanding and Accounting for Human Behaviour: This problem explores how to model both user and adversary behaviour to design systems that can anticipate and mitigate human-related security risks, including social engineering and insider threats.

Reflection:

This week, I focused on preparing for the final lecture, which will be a debate on security and risk management trends over the next five years. I researched emerging trends to ensure I can contribute meaningfully to the discussion. In parallel, I enhanced the design and content of my e-portfolio based on my lecturer's informal feedback. These updates helped me better showcase my skills and learning progress. Reflecting on the entire module, I feel proud of how much I’ve learned, especially in overcoming challenges with MTC and Yasai. I struggled initially, but with persistence, I now have a solid grasp of these key concepts. Overall, I’m happy with my progress and looking forward to the final debate.

References

  • Nicol, D.M., Sanders, W.H., Scherlis, W.L. and Williams, L.M. (2012) Science of Security Hard Problems: A Lablet Perspective. Available from: https://sos-vo.org/sites/sos-vo.org/files/sos_files/Science_of_Security_Hard_Problems_A_Lablet_Perspective.pdf [Accessed 16 October 2024].

Assignments & Meeting Notes

Assignment 1

In Assignment 1, my team conducted a thorough risk assessment of Pampered Pets, evaluating both its current operations and the potential risks of digital transformation. We used multiple risk assessment methods to cover all aspects of the business. ISO 31000 was chosen for its broad and flexible approach to managing risks. For operational risks, we applied FMEA (Failure Modes and Effects Analysis) to provide a detailed evaluation. STRIDE was used to prioritize technological and cybersecurity risks, addressing potential threats to their IT infrastructure. To ensure data protection, we applied the CIA Triad (Confidentiality, Integrity, Availability) to evaluate information security, aligning with ISO/IEC 27001 standards. Lastly, we used the PESTLE framework to assess external risks such as political, economic, and social factors that could impact the business during its transformation. Based on these assessments, we recommended proceeding with digitalisation to enable business growth, enhance efficiency, and meet customer demands, while carefully mitigating the identified risks.

Grade: Merit

Assignment 2

In Assignment 2, I conducted a quantitative risk assessment of Pampered Pets' digitalisation using Monte Carlo simulation in Python. This approach was selected to model the risks associated with introducing an international supply chain and automating warehouses. Key variables like delivery times, supplier reliability, and quality control were simulated, with data sourced from industry reports and academic literature. The simulation revealed a moderate probability of supply chain disruptions, particularly delays in international shipments and potential stock shortages in automated warehouses. There was also a small risk of product quality degradation due to variations in ingredient sourcing from international suppliers. Mitigations included securing secondary suppliers, implementing strict quality checks, and enhancing cybersecurity for automated processes. Additionally, I developed a Disaster Recovery (DR) strategy for the online business, ensuring the platform could switch over in less than 1 minute with minimal data loss. A cloud-based platform was suggested to avoid vendor lock-in, maintain 24/7 availability, and comply with GDPR requirements. This approach aims to support business continuity while mitigating risks tied to the new digital operations.

Grade: Distinction

Assignment 3

Assignment 3 involves the creation of an e-portfolio and a reflective piece that explores my personal development and career goals. This e-portfolio showcases my work throughout my MSc degree, including assignments, projects, and key learnings. While we faced some challenges in the group Assignment 1, in Assignment 3, I took a deeper look at those issues, analysing the errors and problems we encountered in our group assignment. This reflective piece also highlights how the knowledge and skills I have gained have shaped my professional development, especially as I transition from a Project Manager to an aspiring IT Consultant. Additionally, I outline my long-term goals and the steps I plan to take, using the SMART framework to guide my progress.

Professional Skills Matrix & Action Plan

Professional Skills Matrix

Action Plan