COMP0056 People and Security
Coursework 1
Date Announced: 10.08.2022
Submission Date: 30.08.2022 (16:00 UK time, via Moodle)
Version 1.2
Instructions
This assignment is part of the mandatory assessment of the COMP0056: People and Security module and will count 25% towards your final overall mark. Assignment submission is due via Moodle through the TurnItIn interface on August 30, 2022 at 16:00 UK time. Late submissions will be accepted with deductions according to UCL’s late submission policy. Only PDF submissions will be accepted.
This assignment is open note, open book, and open course resources. You must identify sources as accurately and fully as possible. UCL plagiarism policies will be strictly enforced. For more details, see http://www.ucl.ac.uk/current-students/guidelines/plagiarism. You are not allowed to consult other people (outside of course staff) on this work. Each student has to work on the assignment individually.

Your answers will be judged in terms of their quality, the depth of understanding, and also their brevity. Explain your answers clearly, but succinctly. Partial credit may be awarded. The assignment has an upper limit of 20 pages.

This assignment has a maximum of 100 marks allocated as follows:

        Q1   Q2   Q3   Q4   Total
Marks   50   10   20   20   100
CISO for Spiffington
General. The CIO had been pushing the board for some time to appoint a CISO because she realised the hospital was not meeting basic security and data protection standards. The “big goal” she has set you is that within 2 years, the hospital should meet the NCSC’s Cyber Essentials and the General Data Protection Regulation (GDPR) requirements. She has allocated you a fairly generous budget for the next 2 years to buy equipment and services.
Please answer the following questions in writing, by applying the concepts from Lectures 1-4, the CyBOK Human Factors chapter and the Spiffington General scenario. You may of course use information from peer-reviewed research papers. If you cite vendor information (on performance or cost) you should state how you could test its veracity.
Question 1 (50%)
Jason’s first goal is to ensure access to medical records is properly secured. Given that he has a budget to purchase some new equipment, he is considering a number of 2-factor/multi-factor solutions. These are listed below; your task for each solution is to:
A) Estimate the workload for each alternative and say which proposal would have a higher workload.
B) Identify any other usability issues that would affect the use of the solution.
C) Identify possible acceptability/user satisfaction issues associated with the solution.
D) Identify security vulnerabilities that an attacker looking to copy patient medical data might exploit.

For Administrative Staff (using desktop computers in admin offices, and laptops in meetings with medical staff on the wards):
- a 2FA solution consisting of a token (YubiKey) and a 12-digit, complexity-3 password (at least 3 of the following 4: numerical, lowercase, uppercase and special characters).
- fingerprint recognition, combined with a 7-digit OTP generated via an app on their mobile phone.
- an NFC chip contained in their staff pass, combined with face recognition.

For medical staff (doctors and senior nursing staff using the tablets):
- face recognition, combined with a 6-digit OTP generated on their phone.
- an NFC chip contained in their staff pass, combined with face recognition.
- a passphrase combined with voice recognition biometric.

Question 2 (10%)
Jason’s previous employer is a member of the Information Security Forum (ISF). During his time there, he came across their briefing paper on Human-Centred Security, with the following statement:

“Miller’s Magic Number Theory of Memory is an established psychological theory that explores the human mind’s capacity to store data in the short-term memory – the average human mind is capable of holding seven short pieces of information (+ or – two) at one time.[12] Studies also suggest that humans forget approximately 50% of new information within an hour of learning it, and 70% within 24 hours.[13] This reinforces the need to frequently deliver and repeat security messages, education and training.”

A) Are the statements about human memory correct/relevant in this context?
B) If Jason were to follow the recommendation “to frequently deliver and repeat security messages, education and training” at Spiffington General, how do you expect medical staff to respond, and why?

Question 3 (20%)
The procurement department in the Spiffington administration has been targeted with invoices that seem to come from genuine suppliers, but their bank details have been altered. Since the fake accounts were immediately emptied, the money was lost.
A) Apply the Human Error concept to explain why staff made this mistake.
B) The Chief Financial Officer demands that Jason immediately introduces security measures to stop this happening again. Jason considers requiring all suppliers to send digitally signed invoices, but Spiffington does not have the infrastructure to receive encrypted emails. What measures could Jason introduce at short notice to stop this happening again?

Question 4 (20%)
Many Spiffington staff use WhatsApp groups to communicate with each other about hospital business – for instance to swap shifts, ask each other questions about patient care or ask the pharmacy to send urgent medications. An attacker managed to steal a doctor’s phone in a cafe close to the hospital. After going through the WhatsApp messages, he requested some controlled drugs and snatched them from the porter who was dispatched to deliver them. Jason considers introducing a policy that staff are only allowed to use hospital systems for work-related communications – which would mean the internal email system.
A) What impact would the policy have on hospital business?
B) What impact would it have on staff?