MBARARA UNIVERSITY OF SCIENCE AND TECHNOLOGY
FACULTY OF COMPUTING AND INFORMATICS
BACHELOR OF SCIENCE COMPUTER SCIENCE
COURSE NAME: INFORMATION AND CYBER SECURITY
COURSE CODE: CSC2203
LECTURER: DR FRED KAGGWA
ADRIKO PATRICIA LAWURI 2022/BCS/023/PS
Assignment Three-RISK ASSESSMENT
Solutions
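(i) Assets Model Identification

| Asset | Form | Location | People accountable | Valuation |
|---|---|---|---|---|
| 2 Web servers | Hardware Physical | Server room | System Administrators (John, Mercy) | High |
| 3 GPU servers | Hardware Physical | Server room | System Administrators (John, Mercy) | High |
| 2 Firewalls | Hardware Physical | Server room | System Administrators (John, Mercy) | High |
| 1 Proxy server | Hardware Physical | Server room | System Administrators (John, Mercy) | High |
| VoIP system | Network infrastructure | Server room | System Administrators (John, Mercy) | High |
| Wireless network | Network infrastructure | Server room | System Administrators (John, Mercy) | High |
| Samsung TV | Tangible | Common Room | No specification | Medium |
| Seating | Tangible furniture | Common Room | No specification | Medium |
| Microwave | Tangible | Common Room | No specification | Low |
| Fridge | Tangible | Common Room | No specification | Medium |
| Utensils | Tangible | Common Room | No specification | Low |
| 3 HP computers | Tangible | Reception | 3 receptionists | High |
| 3 dot matrix printers | Tangible | Reception | 3 receptionists | High |
| 32-inch LG TV | Tangible | Reception | 3 receptionists | High |
| Posh Seating | Tangible furniture | Reception | 3 receptionists | Medium |
| Valuables | Tangible | Storage room | Store Manager | High |
| 1 high-capacity generator | Tangible | Power Room | Company electrician | High |
| 3 solar converters | Tangible | Power Room | Company electrician | High |
| 3 backup batteries | Tangible | Power Room | Company electrician | High |
| Premium amenities | Tangible | Restrooms | Sherinah, the chief cleaner | Low |
| Lenovo computer | Tangible | Managerial office | Joshua | High |
| Multifunction laser jet printer | Tangible | Managerial office | Joshua | High |
| Photocopier | Tangible | Managerial office | Joshua | Medium |
| MacBook laptop | Tangible | Managerial office | Joshua | High |
| Luxury furniture | Tangible | Managerial office | Joshua | Medium |
| Water dispenser | Tangible | Managerial office | Joshua | Low |
| IBM desktop computer | Tangible | HR Manager’s Office | HR manager | High |
| HP printer | Tangible | HR Manager’s Office | HR manager | High |
| File cabinets | Tangible | HR Manager’s Office | HR manager | Low |
| Employee records | Tangible | HR Manager’s Office | HR manager | High |
| Money safe | Tangible | Accountant’s Office | Accountant | High |
| IBM desktop computer | Tangible | Accountant’s Office | Accountant | High |
| Financial ledgers | Tangible | Accountant’s Office | Accountant | High |
| Cheque books | Tangible | Accountant’s Office | Accountant | Medium |
| 15 high-end chairs | Tangible | Boardroom | Office assistant (John) | Medium |
| Company vehicles | Tangible | Secure Parking Area | Security guard (Mpuuga) | High |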
(ii) Threat Model

Asset: Web Servers
- Sources of threat: Unauthorized Access; Insider Threats; Power outages; Equipment failure; Natural disasters
- Motive: Data Theft; Sabotage; DOS; Accidental; Financial gain
- Acts: Hacking; Social Engineering; Sabotaging power supply; Installing malware; Breaking into physical premises; Accidental (Natural Disaster)
- Results and losses: Data Breach; Financial Loss; DOS; System downtime; Data Loss
- Possible solutions to threats: Access Control; Authentication; Backup Systems; Install locking doors and limit distribution of keys; Install CCTV and remote-control locks; Install “Authorized admittance only” signs; Develop and test disaster recovery plans to address natural disasters

Asset: Company vehicles
- Sources of threat: Burglars; Insider Threats; Equipment failure
- Motive: Financial gain; Sabotage; DOS; Irrational behavior
- Acts: Stealing equipment
- Results and losses: Vehicle loss
- Possible solutions to threats: Require wearing of authorized access badges; Post guards at entrances

Asset: GPU Servers
- Sources of threat: Burglars; Insider Threats; Power outages; Equipment failure
- Motive: Financial gain; Sabotage; DOS
- Acts: Stealing equipment; Sabotaging power supply; Installing malware
- Results and losses: Asset Loss; DOS; Financial loss; Reputation
- Possible solutions to threats: Access Control, Surveillance; Install CCTV and remote-control locks; Install “Authorized admittance only” signs

Asset: Firewalls
- Sources of threat: Insider Threat; Data breaches; Human Error; Malware and viruses; Equipment failure; Unauthorized access by hackers
- Motive: Data Theft; Sabotage; DOS
- Acts: Hacking; Installing malware; Stealing equipment
- Results and losses: Security Breach; Loss of privacy; Modification
- Possible solutions to threats: Regular Updates; Proper Configuration and Management; Deploy robust antivirus and firewall solutions

Asset: Proxy Server
- Sources of threat: Unauthorized access by Hackers; Insider Threat; Malware and viruses; Equipment failure
- Motive: Revenge; Sabotage; Curiosity; Political activism
- Acts: Hacking; Stealing equipment; Manipulating data
- Results and losses: System downtime; Data Loss; Financial loss
- Possible solutions to threats: Traffic Filtering; Rate Limiting; Conduct regular security training for employees to mitigate insider threats

Asset: VoIP System
- Sources of threat: Hackers; Insider Threat; Power outages
- Motive: Data Theft; Sabotage
- Acts: Eavesdropping; Hacking; Stealing equipment; Sabotaging power supply
- Results and losses: Data Loss, System compromise; Financial loss
- Possible solutions to threats: Encryption; Access Control; Use UPS systems and surge protectors to safeguard against power issues

Asset: Wireless Network
- Sources of threat: Hackers; Insider Threat; Equipment failure; Data breaches; Power outages
- Motive: Data Theft; Sabotage
- Acts: Hacking; Social Engineering; Eavesdropping
- Results and losses: Data Loss; Financial, Reputation; Privacy compromise
- Possible solutions to threats: Access Control; Authentication; Deploy robust antivirus and firewall solutions; Use UPS systems and surge protectors to safeguard against power issues

Assets: Samsung TV; 32-inch LG TV
- Sources of threat: Burglars; Insider Threat; Equipment failure; Power outages
- Motive: Financial gain; Sabotage; Vandalism; DOS
- Acts: Stealing equipment; Sabotaging power supply
- Results and losses: Asset Loss; Denial of access
- Possible solutions to threats: Install mantrap double doors or turnstile with electronic locks; Install CCTV for Surveillance

Assets: Microwave; Fridge; Utensils
- Sources of threat: Insider Threat; Power outages; Equipment failure
- Motive: Financial Gain; Sabotage; Vandalism
- Acts: Negligence; Theft, Stealing equipment; Sabotaging power supply
- Results and losses: Asset Loss; Financial loss
- Possible solutions to threats: Install Intrusion alarms; Install CCTV for Surveillance; Burglar proofing

Assets: HP Computers; Lenovo Computer; MacBook Laptop; IBM Desktop Computer
- Sources of threat: Hackers; Insider Threat; Power outages; Unauthorized access by hackers; Malware and viruses
- Motive: Data Theft; Sabotage; Vandalism
- Acts: Hacking; Social Engineering; Stealing equipment; Installing malware; Manipulating data
- Results and losses: Data Loss; Data Manipulation; Financial loss
- Possible solutions to threats: Access Control; Deploy robust antivirus and firewall solutions; Install locking doors and limit distribution of keys; Use UPS systems and surge protectors to safeguard against power issues

Assets: Dot Matrix Printer; HP Printer; Laser jet printer; Photocopier
- Sources of threat: Burglars; Insider Threat
- Motive: Financial gain; Sabotage
- Acts: Theft, Stealing equipment; Sabotaging power supply
- Results and losses: Asset Loss; Denial of use; Financial loss
- Possible solutions to threats: Access Control; Install CCTV for Surveillance; Regular security awareness campaigns

Assets: Generator; Solar Converters; Backup Batteries
- Sources of threat: Natural Disaster; Human Error; Insider Threat; Burglars; Equipment failure
- Motive: Financial Gain; Sabotage; Vandalism
- Acts: Negligence; Theft, Stealing equipment
- Results and losses: System Downtime; Productivity reduction; Financial loss; Asset loss
- Possible solutions to threats: Regular Maintenance; Install CCTV for Surveillance

Assets: Financial Ledgers; Cheque Books; Money Safe
- Sources of threat: Burglars; Insider Threat
- Motive: Financial Gain; Sabotage
- Acts: Theft; Manipulating data
- Results and losses: Asset Loss; Financial loss; Privacy breach
- Possible solutions to threats: Access Control; Install CCTV for Surveillance; Install Intrusion alarms

Assets: Posh Seating; Luxury furniture; High-end chairs
- Sources of threat: Burglars; Insider Threat
- Motive: Financial Gain; Sabotage
- Acts: Theft; Vandalism
- Results and losses: Asset Loss
- Possible solutions to threats: Install CCTV Surveillance; Install Intrusion alarms

(ii) Tangible (Server room) Asset Model
Key considerations: Servers, Computers, Network infrastructure
Security measures:
- Access controls (e.g., passwords, authentication)
- Encryption
- Firewalls and intrusion detection/prevention systems
- Regular software updates and patching
- Backup and disaster recovery plans
- Network segmentation and isolation
- Physical barriers and fencing
- Regular maintenance and inspections

Personnel Model
Focuses on the role of personnel in safeguarding assets and mitigating threats.
Key considerations: Employee responsibilities, accountability, training, awareness programs, access controls and authorization
Security measures:
- Employee orientation and training programs
- Regular security awareness campaigns
- Access control policies and procedures