Week 1 Course

Uploaded by

chenyt0110

INFS 5929: Cybersecurity

Leadership & Risk Management

Chung-Li Tseng
Shesha Maheshwari
Instructors
LIC: A/Prof Chung-Li Tseng
Office: 2087 Quad
Phone: 9385-9704
E-mail: [email protected]
Consultation: Tuesday and Friday 2:00 – 3:00 (or by appointment)
I am mostly accessible. Chat and call me on Teams during the consultation hours or just stop by my office.
Co-Instructor: Ms. Shesha Maheshwari
E-mail: [email protected]
Consultation: TBA
Cybersecurity: What & Why
• “Cybersecurity is a part of information security that
relates to the protection of computers, networks,
programs and data against unauthorized access.”
• “The security objectives of confidentiality (C),
integrity (I) and availability (A) are of paramount
importance to both elements of information
security.”
• “Cyber resilient businesses are able to operate
while under persistent threats and sophisticated
attacks, enabling them to embrace disruption
safely, strengthen customer trust and boost
shareholder value”.
Q: In many parts of Asia, where public security seems fine, why are there so many windows with grilles or bars, even in high-rise buildings?
Challenges
Also see: 10 most common types of cyber attacks
Major Cybersecurity Incidents
• Optus – the compromise of private information for over 10 million customers – Sep 2022 (identity crime)
– Information stolen included names, addresses, email, phone numbers, and date of birth. For some, the information included identification numbers such as driver license, Medicare and passport numbers.
• Medibank – the compromise of private information for up to five hundred thousand customers – Oct 2022 (privacy invasion)
– In addition to personally identifiable information, the data stolen can reveal even more sensitive information than that stolen at Optus, such as service providers, patient diagnoses and procedures.
• Optus breach
– “Optus’ customer identity database was exposed through an application programming interface – or API – which let them in without requiring authentication”.
– “If unauthorised API access was indeed the source of the Optus data breach, it’s wrong to even call its data breach a hack, …”
– “It was an epic and unthinkable blunder of monumental proportions, one that a high-school student shouldn’t make, much less a multinational holding sensitive customer information.” – The Australian Financial Review
• Medibank breach
– “In the immediate aftermath of the hack The Australian
Financial Review revealed that the breach happened
after a criminal stole the login credentials of someone
with high-level systems access, and sold them to a
separate hacker on a Russian language online forum.”
– Medibank revealed that the criminals “found the login
credentials for a single support desk worker at the health
insurer that did not have two-factor authentication” … and
used that to gain “access to virtually the entire contents
of the company’s business.”
• Latitude Financial - March 2023
– “On March 16, first announcing the attack, it said more
than 330,000 personal records had been impacted. Less
than two weeks later it upgraded the damage to 14
million records, including 7.9 million Australian and New
Zealand driver licences, 53,000 passport numbers and a
small number of monthly financial statements.”
– “The consumer lender, which offers personal loans and
credit to customers shopping at stores including JB Hi-Fi,
The Good Guys and Harvey Norman, said in a statement
on Monday that some of the documents date back to at
least 2005.” A further 6.1m customer records were also
stolen, of which 5.7m were provided before 2013.
– This raises questions about how companies store data
and why many businesses hold on to old customer
records.
What can we Learn?
• By taking only a few simple steps, a business can
reduce the likelihood of falling victim to the same
sort of cyber attacks.
• Optus breach – it’s not about having better
infrastructure but having proper authentication and
access control built into applications.
• Medibank breach – A standard two-factor
authentication and other standard security policies
may have prevented the attack.
What can we Learn? (cont)
• Latitude Financial breach – If Latitude had its own
data retention policy following any existing
regulations, the damage would have been smaller.
• See some existing data retention requirements
– FISMA – at least 3 years
– ISO 27001 – at least 3 years
– NERC – 3 to 6 years
– Basel II – 3 to 7 years
Is there a need to keep data longer than the requirements? Shouldn’t they be archived after meeting the requirements?
• One of the 7 data processing principles of GDPR
states “Data Minimization” such that companies
should “only gather and keep the exact amount of
data that is needed”.
What can we Learn? (cont)
• Cybersecurity is a business risk, not just an IT
problem. “Businesses need an approach that
integrates cyber protection into all aspects of the
organization, from the IT department, to employee
training to security policies” (Forbes 2017)
• Developing a cyber secure environment requires input from governments, leaders, businesses and consumers. Can we learn from how the FAA guards airline safety to make flying the safest mode of transportation?
• It may not be possible to avoid attacks; but one can
reduce the risks associated with targeted attacks by
implementing risk management.
What is Risk Management
• “It is an integral part of good management practice. It’s an iterative process consisting of steps, which, when undertaken in sequence, enable continual improvement in decision-making.”
• The risk management approach (next slide) can be
applied at all stages in the life of an activity,
function, project, product or asset. The maximum
benefit is usually obtained by applying the risk
management process from the beginning.
• Risk management is as much about identifying
opportunities as avoiding or mitigating losses.
Risk Management Overview
Establish the context – the goal, objectives, strategies, scope and parameters of the activity, or part of the organization
Assess risks:
• Identify risks
• Analyze risks
• Evaluate risks
Treat (or Control) risks:
• Identify treatment options
• Evaluate treatment options
• Select treatment options
• Prepare treatment plans
• Implement plans or best practices
Throughout all steps: Communicate and consult; Monitor and review
Example 1: Financial RM
Establish the context – Following Basel II, a publicly traded bank needs to determine the minimum capital that it should hold to guard against its financial and operational risks.
Assess risks (identify, analyze, evaluate):
• Credit risk
• Operational risk (e.g., fraud, security, privacy protection, legal risks)
• Market risk (price volatility, interest rate risk, currency risk, etc.)
Treat (or Control) risks:
• Maintain minimum capital requirements
• Install supervisory review process
• Implement internal market discipline policies.
Throughout all steps: Communicate and consult; Monitor and review
Example 2: Project RM
Establish the context – A construction company is expected to complete building a bridge with the cost, time, and specification (e.g., quality) specified in the contract.
Assess risks (identify, analyze, evaluate):
• Cost overrun (e.g., due to delay and market uncertainties)
• Time overrun (e.g., due to delay, weather, force majeure)
Treat (or Control) risks:
• Buy insurance
• Sign contracts for some key materials to fix price
• Use qualified contractors
• Transparent performance indicators and monitoring
Throughout all steps: Communicate and consult; Monitor and review
Cybersecurity Context
Establish the context – Standards, frameworks, and compliance (Week 5)
Assess risks:
• Identify risks – Assets (Week 2)
• Analyze and evaluate risks – Risk assessment (Week 3)
Treat (or Control) risks:
• Risk responses (Week 4)
• Risk management plan (Assessment 1)
• Incident preparedness (Week 8)
• Continuity plan (Week 9)
Throughout all steps: Communicate and consult – Leadership (Week 7); Monitor and review
Cybersecurity RM Career
• Depending on your interest in cybersecurity, different types of jobs can be available to you, e.g., a cyber and security compliance officer.
• You can also consider obtaining the following certificates:
– CISSP (Certified Information Systems Security Professional)
– CISA (Certified Information Systems Auditor)
– CISM (Certified Information Security Manager)
• For details, ask Shesha and guest speakers.
Course material
Textbook
Darril Gibson and Andy Igonor (2022), Managing Risk in Information Systems, 3rd ed. Jones & Bartlett Learning.
Available at UNSW Bookshop
https://www.bookshop.unsw.edu.au/details.cgi?ITEMNO=9781284183719
Assessment
Participation (individual; including peer evaluation): 10%
Two individual assignments: 20%
Project report / presentation (group): 25%
Final exam: 45%
TOTAL: 100%
Group Project
Your group can choose a cybersecurity topic (approved by the LIC) for further research. The deliverable includes a report and a presentation in Week 10, which accounts for 25% of your grade.
Sample topics:
Third party risk / supply chain risk
Contemporary privacy practices
Cloud security or mobile security
IoT, ChatGPT, etc.
Syllabus
Week 1 (31 May)
• Course introduction
• Cyber Risk Management Fundamentals (Ch 1, Ch 2)
Instructor: Chung-Li Tseng
Week 2 (7 June)
• Assets and Activities to be Protected (Ch 7)
Instructor: Chung-Li Tseng
Week 3 (14 June)
• Performing Risk Assessments (Ch 5, Ch 6, Ch 8)
Guest Speaker: Dr. Stephen Smith (Macquarie Uni)
Instructor: Chung-Li Tseng
Week 4 (21 June)
• Determine Risk Responses (Ch 4, Ch 9, Ch 10, Ch 11)
Instructor: Shesha Maheshwari
Note: Assignment 1 (risk management plan) handed out
Week 5 (28 June)
• Compliance Requirements and Frameworks (Ch 7)
Guest Speaker: Ms. Kathy Xu (Commonwealth Bank)
Instructor: Shesha Maheshwari
Note: Project statement handed out
Week 6 (5 July)
Flexibility Week (or Recharge Week) – No Class
Week 7 (12 July)
• Cybersecurity Leadership
Guest Speaker: Sascha Hess (former Chief Security & Operations Officer at Tyro Payments)
Instructor: Shesha Maheshwari and Chung-Li Tseng
Note: Assignment 1 due
Week 8 (19 July)
• Security Incident Preparedness
• Cybersecurity Simulation
Guest Speaker: TBA
Instructor: Shesha Maheshwari and Chung-Li Tseng
Note: Assignment 2 (Simulation reflection) handed out
Week 9 (26 July)
• Cybersecurity Simulation Debriefing
• Business Continuity Planning (Ch 12, Ch 13, Ch 14)
Instructor: Shesha Maheshwari
Note: Assignment 2 due
Week 10 (2 Aug)
• Project 2 Presentation
• Course Review
Instructor: Chung-Li Tseng
Note: Project report due
Advice
Read the Course Outline
Read or prepare for cases before coming to class
Check Moodle often (or set up email notification or email forwarding)
Use the Q&A forum on Moodle to ask questions that may also be of interest to other students, or to comment on other students’ inquiries. More personal inquiries should be handled by email to the LIC.