2024 EXAMINATIONS
Part II
COMPUTING AND COMMUNICATIONS - On-line Assessment
Available Time [2.5 Hours]
Recommended Completion Time [2 Hours]
SCC.363 Security and Risk
Question 3
3.a The CIA triad is a respected model designed to guide policies for information security within an organisation.
i. Provide the three principles that the three letters CIA stand for and provide a definition for each of them. [3 marks]
ii. A message is transmitted from Alice to Bob. For each of the CIA properties, provide one possible technique that Alice and Bob can use to achieve that property. [3 marks]
3.b The Plan Do Check Act Cycle (also known as the Deming Cycle) provides a simple concept to unde rstand what information security management is. Provide the objective of each of the four phases. [4 marks]
3.c Explain the key sources of uncertainty in risk management. [4 marks]
3.d Ideas from economics can help us understand cyber security issues in a broader context.
i. Use an example to describe the concept of lock in cost (Not restricted to cyber security examples) . [2 marks]
ii. Use the concepts of hidden information and hidden action to explain potential reasons for the phenomenon that sometimes users who have purchased powerful antivirus products suffer more from virus attacks. [2 marks]
iii. Briefly explain why so much online information is free and zero is a fair price. [2 marks] Total 20 marks
4.a Assume that X, Y and Z are three independent discrete random variables. Their distributions are provided by the following three tables.
|
xi
|
1
|
4
|
8
|
15
|
20
|
|
P(X=xi)
|
0.20
|
0.25
|
0.15
|
0.36
|
0.04
|
|
yi
|
-5
|
-3
|
0
|
3
|
6
|
|
P(Y=yi)
|
0.30
|
0.11
|
0.16
|
0.25
|
0.18
|
|
zi
|
-1
|
0
|
2
|
6
|
8
|
|
P(Z=zi)
|
0.05
|
0.15
|
0.20
|
0.33
|
0.27
|
i. Find the standard deviation of the random variable T = 2X+4Y+6Z. [4 marks]
ii. Find the probability that Y is strictly larger than Z. [2 marks]
iii. Find the probability that X+Y lies in the range of [0, 10]. [2 marks]
4.b Suppose a cybersecurity analyst is tasked with assessing the risk of a potential data breach in a company’s network. The analyst knows that 5% of all emails received by the company contain malicious attachments. Additionally, the company’s email filtering system is 95% effective at correctly identifying and blocking emails with malicious attachments, but it also incorrectly flags 3% of legitimate emails as malicious. Now, if the analyst receives an alert from the email filtering system indicating that an email has been flagged as containing a malicious attachment, what is the probability that the email actually contains a malicious attachment? [5 marks]
4.c A cybersecurity firm needs to allocate limited resources effectively to mitigate cybersecurity risks across multiple client networks. The firm must optimize resource allocation to minimize the overall cybersecurity risk while staying within budget constraints.
Consider the following scenario:
The cybersecurity firm offers four primary services to its clients: network monitoring, vulnerability assessments, intrusion detection, and incident response. Each service requires a certain amount of resources, including financial cost, manpower and software licenses, and contributes differently to reducing cybersecurity risk.
Network monitoring: Requires £3000, 5 manpower resources and 10 software licenses. It reduces cybersecurity risk by 20 units.
Vulnerability assessments: Requires £5000, 8 manpower resources and 15 software licenses. It reduces cybersecurity risk by 30 units.
Intrusion detection: Requires £9000, 10 manpower resources and 20 software licenses. It reduces cybersecurity risk by 40 units.
Incident response: Requires £11000, 12 manpower resources and 25 software licenses. It reduces cybersecurity risk by 50 units.
The firm has a total budget of £100000, 300 available manpower resources in total, and 1000 available software licenses in total. Also notice that the allocation of resources cannot be negative.
Develop a linear optimization model to help the cybersecurity firm allocate resources effectively and minimize cybersecurity risk. Express the formulation in the following canonical form.
Identify the parameters C, A, and b, but do not solve the problem. [5 marks]
ii. Now the firm wants to investigate whether it should include a new service, firewalls and network segmentation. This service incurs £10000, 15 manpower resources and 22 software licenses, and it reduces cybersecurity risk by 35. Help the firm determine whether it should include this new service. Justify your answer. [2 marks] Total 20 marks