April 2000
SC223 : COMPUTER SECURITY

QUESTION 5

Total Marks: 15 Marks


SUGGESTED SOLUTIONS
Solutions and allocated marks are indicated in green.

(a) Your senior management hold the view that network security is a waste of time and money, and is merely a distraction from the main aim of your organization. How would you go about persuading them otherwise? [4 marks]
First, you should define the value to your organization of its information assets, and categorize these assets according to importance and sensitivity (1 mark). Then you should describe the threats that exist against these assets (1 mark), and quantify the potential losses and damage to your organization (1 mark). Finally, you could provide examples of similar organizations, and especially of those that have experienced security breaches (1 mark). [4 marks]


(b) What is the purpose of sensitivity assessment in network risk analysis, and what information is needed for this process? [3 marks]
Sensitivity assessment is used to define the value and criticality, within the overall mission of the network, of all information types and of all hardware and software assets (1 mark). It depends on the value of all information, hardware and software components (1 mark), and on the value of the services provided by the network (1 mark). [3 marks]


(c) One aspect of the economic assessment phase of network risk analysis is computing residual risk.

(i) What is residual risk? [1 mark]

(ii) What information is needed to compute the residual risk? [2 marks]

(iii) Complete the following table for computing residual risk. (Don’t forget to include row and column headings.)

?              | ?
               | High | Moderate | Low
---------------+------+----------+-----
High           |      |          |
Moderate       |      |          |
Low            |      |          |

[2 marks]
Residual risk:

(i) Residual risk is the remaining risk value after counter-measures have been applied. [1 mark]

(ii) Residual risk is determined by comparing the initial risk level (1 mark) against the utility of the selected counter-measures (1 mark). [2 marks]

(iii) Computing residual risk:

Counter-measure  | Degree of risk
effectiveness    | High | Moderate | Low
-----------------+------+----------+-----
High             |  2   |    1     |  1
Moderate         |  3   |    2     |  1
Low              |  3   |    2     |  1

(1 mark for filling in these numbers from the study guide, or for any other reasonable numbers – they should be decreasing along each row and up each column. 1 mark for filling in row and column headings.) [2 marks]

(d) Identify three benefits of including security design activities in the system design process. [3 marks]
Benefits of including security design activities in the system design process:

  • effective implementation of security features;

  • less performance overhead, manpower and time needed;

  • use of commercial networking products with inherent security features.

(1 mark each; other reasonable answers should receive credit.) [3 marks]