Security and Risk Management
A comprehensive exploration of security and risk management concepts, methods and practical applications.
Reflection
3W Model
- What: What did I learn?
- So what: Why does it matter (impact, context)?
- What next: How will I apply or improve?
Reflective Analysis (3W Model)
What?
At the beginning of this module, my understanding of security and risk management was mainly focused on identifying threats and applying controls to reduce risk. In the early units (Units 1–3), my work reflected a traditional view of risk, focusing on analysing vulnerabilities and proposing suitable mitigations. Over time, this highlighted limitations in my initial approach, as risks were often treated in isolation rather than as part of a broader system.
Unit 4 introduced threat modelling for cyber-physical systems and highlighted the importance of understanding the dependencies among the cyber, physical, and human components. The work by Jbair et al. (2022) showed that risks cannot be assessed accurately without considering how failures or attacks can propagate across interconnected systems. This also expanded my understanding of impact beyond purely digital consequences to include safety-related considerations.
In Unit 6, I applied security standards such as GDPR and PCI-DSS to an EU-based e-commerce organisation with low security maturity. This demonstrated that compliance extends beyond meeting formal requirements and includes governance, documentation and the ability to demonstrate that controls are implemented (ICO, 2020; PCI Security Standards Council, 2020). I also considered ISO/IEC 27001 as a supporting framework and began to understand how standards can be combined to support a structured security programme.
Unit 8 focused on quantitative risk modelling, including attack trees, Markov models and Monte Carlo simulation. These techniques were useful for estimating likelihood and impact, but they also highlighted how strongly quantitative results depend on assumptions, particularly when human behaviour is involved (Aijaz and Nazir, 2024). I found Monte Carlo simulations especially useful for illustrating uncertainty and variability in risk estimates.
In Unit 10, the focus shifted to disaster recovery and cloud dependency. Kumar (2024) identified vendor lock-in as a strategic risk that affects resilience and recovery options. Rather than treating vendor lock-in as something to be avoided at all costs, I began to view it as a trade-off that needs to be managed. Corbari et al. (2024) introduced Mission Thread Analysis to identify mission-critical dependencies, which I found useful for prioritisation despite its focus on highly structured operational environments.
The group assessment feedback confirmed that my understanding of risk was strong, but also highlighted weaknesses in application, criticality and the use of recent sources. This feedback influenced how I approached later units and encouraged me to be more explicit about assumptions and limitations.
So what?
The most important learning from this module is that security and risk management is not about finding perfect controls, but about making informed decisions under uncertainty. Threat modelling demonstrated that risks are often systemic, meaning that addressing individual vulnerabilities in isolation can miss broader dependencies and impacts (Jbair et al., 2022). This shift influenced how I structured later risk assessments and justified mitigation choices.
Working with security standards in Unit 6 showed that compliance depends on organisational capability as much as on technical controls. Even when parts of the scope are outsourced, responsibility for governance and oversight remains with the organisation. This reflects a shared responsibility model, where responsibilities are distributed but not fully transferred (ICO, 2020; PCI Security Standards Council, 2020). As a result, I became more aware that compliance activities must align with organisational maturity rather than follow a checklist-based approach.
Quantitative modelling in Unit 8 reinforced the need for caution when interpreting risk scores. Techniques such as attack trees, Markov models and Monte Carlo simulation help structure analysis and compare scenarios, but they do not remove uncertainty, particularly in cases involving social engineering and human behaviour (Aijaz and Nazir, 2024). Earlier in the module, I tended to treat numerical outputs as objective indicators. Through this unit, I learned to interpret them as decision-support tools rather than definitive answers, directly addressing earlier feedback on criticality.
In the group work, my main contribution was to refine and structure the analysis. One group member produced the initial draft, and I reviewed and revised selected sections to ensure alignment with the assignment requirements. I also produced most of the diagrams, which helped clarify the risks and mitigation choices. We discussed decisions as we progressed, shared comments in the Word document and coordinated changes through our team channel. This collaborative approach helped maintain consistency and shared understanding.
Working in a development team highlighted the importance of continuous communication when addressing complex security topics. Early discussion of decisions helped align assumptions and reduced the need for later corrections. It also reinforced that dividing tasks does not remove the need for shared understanding in risk assessments, where interpretation strongly influences outcomes. This process increased my confidence in contributing to analytical discussions under uncertainty and supporting collaborative decision-making.
What next?
From a professional development perspective, this module has influenced how I approach both individual and collaborative work. In future projects, I will establish clear communication channels early rather than allowing them to develop informally. This experience also made me more aware that shared tools and working practices cannot always be assumed in cross-context collaborations.
I am also more conscious of the need to define scope clearly and communicate technical details in an accessible way. In security and risk work, unclear scope or poorly communicated assumptions can quickly affect both collaboration and outcome quality. As a result, I intend to adopt a more structured approach to documenting assumptions and constraints in future assessments.
Overall, this module has helped me develop a more mature and realistic approach to security and risk management. I now place greater emphasis on context, trade-offs and limitations, as well as on communicating risk in a way that supports informed decision-making rather than presenting overly confident solutions. This is an approach I will continue to apply in both academic and professional settings.
References
- Aijaz, M. and Nazir, M. (2024) ‘Modelling and analysis of social engineering threats using the attack tree and the Markov model’, International Journal of Information Technology, 16(2), pp. 1231–1238.
- Corbari, G.I., Khatod, N., Popiak, J.F. and Sinclair, P. (2024) ‘Mission Thread Analysis: Establishing a Common Framework’, The Cyber Defense Review, 9(1), pp. 37–54.
- ICO (2020) Guide to the General Data Protection Regulation (GDPR). Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/ (Accessed: 20 January 2026).
- Jbair, M., Ahmad, B., Maple, C. and Harrison, R. (2022) ‘Threat modelling for industrial cyber physical systems in the era of smart manufacturing’, Computers in Industry, 137, 103611.
- Kumar, A. (2024) Cloud Vendor Lock-In: Identify, Strategies and Mitigate.
- PCI Security Standards Council (2020) PCI Security Standards Overview. Available at: https://www.pcisecuritystandards.org/ (Accessed: 20 January 2026).
Evidence / Artefacts
Initial Post – Unit 3
Discussion Topic
1. How could the use of data and technology introduce or aggravate risks to fairness and accountability within human rights investigations, as suggested by Hancock et al. (2024)?
2. What specific risks arise when technological solutions are developed without direct input from the communities they aim to protect, and how can these risks be mitigated in the design phase?
This initial post discusses how digital technologies can strengthen transparency, but also introduce risks to fairness and accountability in human rights investigations if they fail to incorporate local context or community input.
View Initial Post - Unit 3
Peer Response – Unit 3
This peer response presents feedback I received on my Unit 3 initial post. The feedback highlights my extension of the original case study by introducing the role of private digital infrastructure, and discusses how control over connectivity can affect fairness, accountability, and governance in human rights investigations.
Reflection (3W Model)
What: This feedback made me realise that I had taken it for granted that improved digital connectivity would mainly have positive effects. It pushed me to think more critically about the possible downsides, especially the risk of creating new dependencies on private infrastructure providers and increasing existing inequalities.
So what: This was important because it showed that technical solutions do not automatically lead to fairer outcomes. Even when access to technology improves, questions about ownership, control, and governance still matter. It changed how I approach similar topics, as I now pay more attention to unintended side effects and long-term consequences instead of focusing only on immediate benefits.
What next: Going forward, I will be more careful when presenting technology-based solutions in both academic and professional work. I will aim to consider who controls the infrastructure, who benefits from it, and what new risks might be introduced.
View Peer Response - Unit 3
Summary Post – Unit 3
This summary post reflects on my learning across Units 1–3, focusing on fairness, accountability, and the role of digital technologies in human rights investigations. It highlights how peer feedback strengthened my understanding of private infrastructure risks and how Unit 3’s threat-modelling frameworks, particularly STRIDE, supported a deeper connection between technical security issues and organisational decision-making.
View Summary Post - Unit 3
Initial Post – Unit 7
This initial post critically examines the limitations of the Common Vulnerability Scoring System (CVSS), focusing on scoring inconsistency and interpretability issues identified in recent academic studies. It also evaluates Stakeholder-Specific Vulnerability Categorisation (SSVC) as a more decision-oriented alternative to CVSS for vulnerability prioritisation.
Peer Response 1 – Unit 7
This peer response shows feedback I gave on a discussion about CVSS limitations and the use of EPSS for vulnerability prioritisation, with a focus on probabilistic and uncertainty-based risk analysis.
Reflection (3W Model)
What: Writing this peer response helped me get better at explaining the differences between CVSS and EPSS and how they can be used together in vulnerability prioritisation.
So what: This was useful because risk work often involves discussing priorities with other people and justifying why certain vulnerabilities should be handled first. It also made me think more clearly about how probability-based data can support more realistic decisions.
What next: In future group work and professional settings, I will continue to focus on giving clear and practical feedback that helps improve technical and risk-related decisions.
Peer Response 2 – Unit 7
This peer response presents feedback I provided on a discussion about CVSS limitations and the use of SSVC as an alternative decision-based vulnerability prioritisation approach, with a focus on practical data and implementation challenges.
Reflection (3W Model)
What: Writing this peer response helped me think more clearly about the practical limits of decision-based frameworks such as SSVC, especially when reliable data about exploitation status and mission impact is missing.
So what: This was useful because it showed that even strong frameworks depend on good input data. It also reinforced the idea that vulnerability prioritisation always involves trade-offs and cannot be fully automated or solved by a single model.
What next: Going forward, I will pay more attention to data quality and organisational context when evaluating or recommending vulnerability management frameworks.
Summary Post – Unit 9
This summary post reflects on the discussion of CVSS limitations and alternative approaches to vulnerability prioritisation. It synthesises insights from the initial post, peer feedback, and module content, highlighting the role of CVSS as a preliminary tool and the value of decision-based frameworks such as SSVC in supporting consistent and context-aware prioritisation.
Seminars
This section contains seminar preparation and workshop activities completed throughout the module.
Unit 4 – Risk Identification and Modelling
Seminar preparation based on Jbair et al. (2022), focusing on CPS threat modelling, interdependencies and scenario-based risk assessment.
A. What are the key elements and interdependencies in a cyber-physical system that must be captured in a comprehensive threat model, and why are they critical for accurate risk analysis?
A comprehensive CPS threat model must capture both cyber and physical components, including sensors, actuators, PLCs, networks, software and human interaction, as well as the dependencies between them. Interdependencies are critical because failures or attacks in one layer can propagate across the system and cause wider operational or physical impact. Unlike traditional IT systems, CPS risk analysis must also include safety, not only confidentiality, integrity and availability. This is important because cyber incidents in CPS can directly affect physical processes, equipment and human safety, making incomplete modelling likely to underestimate risk.
B. How can threat modelling help identify attack entry points and system vulnerabilities in cyber-physical energy systems, and what are the challenges in doing so effectively?
Threat modelling supports the identification of attack entry points by mapping the architecture and data flows across IT, OT and the physical process. When components such as sensors, PLCs, HMIs, networks and external connections are modelled together, typical entry points become visible, for example, remote access paths, engineering workstations, insecure industrial protocols or interfaces between IT and OT networks.
By linking the system architecture to known attacker tactics, techniques and procedures (TTPs), such as those described in MITRE ICS ATT&CK, threat modelling highlights realistic attack paths and vulnerabilities that would not be captured through a traditional IT-focused assessment.
The main challenges are the complexity of CPS environments, limited or outdated system documentation, the presence of legacy systems that were not designed with security in mind, and the dynamic nature of physical processes. In addition, effective threat modelling often requires coordination between IT, OT, safety and operational teams, which can be difficult to achieve in practice.
C. In the context of CPS threat modelling, how can scenario-specific metrics and risk assessment methodologies be used to prioritise vulnerabilities and guide the development of targeted security countermeasures?
Scenario-specific metrics allow risk to be assessed based on the actual CPS context rather than generic assumptions. By combining attack likelihood, system exposure and impact, including safety impact in addition to traditional CIA considerations, vulnerabilities can be ranked according to their real operational significance.
This prioritisation enables security efforts to focus on vulnerabilities that are both realistically exploitable and capable of causing the most serious consequences. As a result, countermeasures can be targeted, for example, through network segmentation, tighter access control, or protection of specific control logic, instead of applying broad and inefficient security controls.
Overall, scenario-based risk assessment ensures that mitigation efforts are directed towards reducing real-world risk rather than theoretical risk.
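The propagation and ranking described in answers A to C can be made concrete with a small dependency model. The following is an added example, not code from Jbair et al. (2022) or from the seminar material: it treats the CPS as a directed dependency graph, computes which components a compromise at each entry point can reach, and ranks entry points by scenario-specific likelihood multiplied by the worst operational and safety impact in the reachable set. The component names, edges, likelihoods, impact scores and the safety weighting are all assumed for illustration.

```python
"""Added example: scenario-based ranking of CPS entry points by propagated impact.

Constructed toy model of a small production line. Component names, dependency
edges, likelihoods and impact scores are assumed for illustration only.
"""
from collections import deque

# Dependencies: an edge A -> B means a compromise or failure of A can propagate to B.
DEPENDENCIES = {
    "remote_access_vpn": ["engineering_workstation"],
    "engineering_workstation": ["plc_line1", "hmi"],
    "hmi": ["plc_line1"],
    "plc_line1": ["conveyor_actuator", "press_actuator"],
    "it_network": ["erp_server"],
    "erp_server": [],
    "conveyor_actuator": [],
    "press_actuator": [],
}

# Impact per component on a 0-5 scale: "operational" folds together the
# traditional CIA consequences, "safety" is the explicit physical-harm dimension.
IMPACT = {
    "remote_access_vpn": {"operational": 1, "safety": 0},
    "engineering_workstation": {"operational": 2, "safety": 0},
    "hmi": {"operational": 2, "safety": 1},
    "plc_line1": {"operational": 4, "safety": 3},
    "conveyor_actuator": {"operational": 3, "safety": 2},
    "press_actuator": {"operational": 3, "safety": 5},
    "it_network": {"operational": 2, "safety": 0},
    "erp_server": {"operational": 3, "safety": 0},
}

# Scenario-specific likelihood that each entry point is reached (assumed values).
ENTRY_LIKELIHOOD = {"remote_access_vpn": 0.3, "it_network": 0.5, "hmi": 0.1}


def reachable_from(start, deps=DEPENDENCIES):
    """Return the set of components (including `start`) a compromise at `start` can propagate to."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in deps.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def scenario_impact(start, impact=IMPACT, deps=DEPENDENCIES):
    """Worst-case propagated impact: the highest operational and safety scores in the reachable set."""
    nodes = reachable_from(start, deps)
    return {
        "operational": max(impact[n]["operational"] for n in nodes),
        "safety": max(impact[n]["safety"] for n in nodes),
        "exposure": len(nodes),  # how many components the scenario touches
    }


def rank_entry_points(likelihood=ENTRY_LIKELIHOOD, impact=IMPACT,
                      deps=DEPENDENCIES, safety_weight=2.0):
    """Rank entry points by likelihood * (operational + safety_weight * safety), highest first."""
    ranked = []
    for entry, p in likelihood.items():
        imp = scenario_impact(entry, impact, deps)
        score = p * (imp["operational"] + safety_weight * imp["safety"])
        ranked.append((entry, round(score, 2), imp))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for entry, score, imp in rank_entry_points():
        print(f"{entry:24s} score={score:5.2f} "
              f"operational={imp['operational']} safety={imp['safety']} exposure={imp['exposure']}")
```

In this toy model the IT network has the highest likelihood of being reached, but the VPN path ranks first because it propagates through the engineering workstation and PLC to the press actuator, which carries the highest safety impact. An IT-only assessment that ignored the safety dimension would order these the other way round.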
Reference
Jbair, M., Ahmad, B., Maple, C. and Harrison, R. (2022) ‘Threat modelling for industrial cyber physical systems in the era of smart manufacturing’, Computers in Industry, 137, 103611. https://doi.org/10.1016/j.compind.2022.103611
Unit 6 – Seminar: Security Standards
This seminar preparation focused on identifying and evaluating which security and compliance standards would apply to an EU-based online pet store operating an e-commerce platform.
Which of the standards discussed in the sources above would apply to the organisation discussed in the assessment?
The analysis identified GDPR and PCI-DSS as the primary applicable standards. GDPR applies because the organisation collects and processes personal data relating to EU customers, including account details, delivery information and order history (ICO, 2020). PCI-DSS applies because the organisation accepts online card payments and must ensure secure handling of cardholder data, even when using a third-party payment provider (PCI Security Standards Council, 2020). ISO/IEC 27001 was also considered as a relevant best-practice framework to support structured information security management, although it is not legally required.
Evaluate the company against the appropriate standards and decide how you would check if standards were being met.
At a low security maturity level, the organisation meets only basic expectations of these standards. Under GDPR, documentation of data processing activities is limited, access controls are weak and retention practices are unclear, which indicates gaps in meeting accountability requirements (ICO, 2020). While the use of a third-party payment provider reduces direct PCI-DSS scope, the organisation lacks documented procedures, regular security scanning and strong administrative access controls (PCI Security Standards Council, 2020). Against ISO/IEC 27001, there is no formal risk assessment, asset listing or defined security roles, with only ad hoc technical controls in place (Sutton, 2021).
Compliance would be assessed by reviewing the organisation’s privacy notice, any internal records of data processing and the implementation of basic technical controls such as access control and encryption (ICO, 2020). Payment security would be verified by confirming the compliance status of the payment provider and ensuring that no cardholder data is processed internally (PCI Security Standards Council, 2020). Foundational ISO/IEC 27001 practices would be assessed through the presence of asset lists, basic risk awareness and assigned security responsibilities (Sutton, 2021).
What would your recommendations be to meet those standards?
Recommended improvements include documenting data processing activities, strengthening access controls, applying consistent encryption, enabling multi-factor authentication for administrative access and introducing basic vulnerability scanning. To support longer-term maturity, the organisation should establish a simple asset inventory, assign security responsibility and conduct an initial risk assessment aligned with ISO/IEC 27001 principles (Sutton, 2021).
What assumptions have you made?
This analysis is based on the assumption that the organisation operates within the EU, processes customer personal data, uses a third-party payment provider for online card payments and currently has a low security maturity level with no formal ISO/IEC 27001 framework in place.
References
ICO (2020) Guide to the General Data Protection Regulation (GDPR). Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/ (Accessed: 7 December 2025).
PCI Security Standards Council (2020) PCI Security Standards Overview. Available at: https://www.pcisecuritystandards.org/ (Accessed: 7 December 2025).
Sutton, D. (2021) Information Risk Management. 2nd edn. London: Routledge.
Reflection (3W Model)
What: I developed a clearer understanding of how different regulatory and industry standards apply depending on organisational context, and how security maturity affects an organisation’s ability to meet those requirements in practice.
So what: This is important because compliance cannot be treated as a checklist exercise. Without adequate documentation, ownership and technical controls, organisations remain exposed to regulatory and operational risk even when external providers are used to reduce scope.
What next: In future risk assessments, I will evaluate not only which standards apply but also whether the organisation has the operational capability to meet them. I will place greater emphasis on defining responsibilities, validating controls through evidence and aligning security practices with recognised frameworks.
Unit 8 – Seminar: Quantitative Risk Modelling
Seminar preparation based on Aijaz and Nazir (2024), focusing on quantitative modelling of social engineering threats using attack trees and Markov models.
What are the main challenges in modelling and evaluating the outcomes of Social Engineering Threats, and how does this study attempt to address them?
Social engineering is hard to model because human behaviour is unpredictable, and data on persuasion is limited.
The study addresses this by using attack trees to model the frequency of attacks and Markov chains to model the likelihood of their success (Aijaz and Nazir, 2024).
How do persuasion principles and modalities contribute to the success of SETs, and why is it important to analyse them systematically?
Persuasion principles (authority, reciprocity, etc.) and modalities (email, phone, face-to-face) strongly influence whether victims comply (Aijaz and Nazir, 2024).
Systematic analysis matters because SETs succeed mainly through psychological manipulation rather than technology.
What role do the Attack Tree Model and Markov Chain Model play in estimating the Attack Occurrence Probability (AOP) and Attack Success Probability (ASP) of SETs?
The attack tree calculates the probability that an attack occurs (AOP) (Aijaz and Nazir, 2024).
The Markov chain calculates the probability it succeeds (ASP) (Aijaz and Nazir, 2024).
Together they give a full risk picture.
In what ways can the findings of this study support the development of effective policy frameworks for mitigating social engineering threats in information systems?
The results help organisations focus training and policies on the most common and most effective SET techniques, making defences more targeted and evidence-based (Aijaz and Nazir, 2024).
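The way the two models divide the estimate, with the attack tree giving the attack occurrence probability (AOP) and the Markov chain the attack success probability (ASP), can be shown in a few lines of code. The following is an added example and is not taken from Aijaz and Nazir (2024): the tree structure, the leaf probabilities, the chain states and the transition probabilities are all assumed for illustration. The tree is evaluated bottom-up (AND gates multiply, OR gates combine independent events), and the ASP is the probability of absorption into the "success" state of a small Markov chain, found by fixed-point iteration.

```python
"""Added example: AOP from an attack tree and ASP from a Markov chain.

Constructed toy models for a social engineering threat. Structure, state names
and all probabilities are assumed for illustration only.
"""

# Attack tree: a leaf is ("leaf", probability); an internal node is
# ("AND", [children]) or ("OR", [children]). Leaf events are treated as independent.
ATTACK_TREE = (
    "OR", [                                   # attack occurs via either channel
        ("AND", [                             # phishing email needs both steps
            ("leaf", 0.8),                    # a target is selected
            ("leaf", 0.5),                    # the email reaches the inbox
        ]),
        ("leaf", 0.2),                        # phone pretexting attempt
    ],
)


def attack_occurrence_probability(node):
    """Evaluate the attack tree bottom-up to obtain the AOP at the root."""
    kind, payload = node
    if kind == "leaf":
        return payload
    child_probs = [attack_occurrence_probability(c) for c in payload]
    if kind == "AND":       # all children must occur
        p = 1.0
        for c in child_probs:
            p *= c
        return p
    if kind == "OR":        # at least one child occurs
        p_none = 1.0
        for c in child_probs:
            p_none *= 1.0 - c
        return 1.0 - p_none
    raise ValueError(f"unknown node type: {kind}")


# Markov chain over the victim's interaction with the attacker. "success" and
# "fail" are absorbing states; each row lists transition probabilities.
MARKOV_CHAIN = {
    "initial_contact": {"rapport": 0.5, "success": 0.1, "fail": 0.4},
    "rapport":         {"success": 0.6, "fail": 0.3, "initial_contact": 0.1},
    "success":         {"success": 1.0},
    "fail":            {"fail": 1.0},
}


def attack_success_probability(chain, start, absorb="success", tol=1e-12, max_iter=10000):
    """ASP: probability of eventually reaching `absorb` from `start`.

    Solves h(s) = sum_t P(s, t) * h(t) with h(absorb) = 1 and h = 0 for the other
    absorbing states by fixed-point iteration, which converges for an absorbing chain.
    """
    for state, row in chain.items():
        if abs(sum(row.values()) - 1.0) > 1e-9:
            raise ValueError(f"transition row for {state!r} does not sum to 1")
    absorbing = {s for s, row in chain.items() if row.get(s) == 1.0}
    h = {s: (1.0 if s == absorb else 0.0) for s in chain}
    for _ in range(max_iter):
        new_h = dict(h)
        for s, row in chain.items():
            if s not in absorbing:
                new_h[s] = sum(p * h[t] for t, p in row.items())
        delta = max(abs(new_h[s] - h[s]) for s in chain)
        h = new_h
        if delta < tol:
            break
    return h[start]


def social_engineering_risk(tree=ATTACK_TREE, chain=MARKOV_CHAIN, start="initial_contact"):
    """Combine AOP and ASP into the overall probability of a successful attack."""
    aop = attack_occurrence_probability(tree)
    asp = attack_success_probability(chain, start)
    return {"AOP": aop, "ASP": asp, "risk": aop * asp}


if __name__ == "__main__":
    for name, value in social_engineering_risk().items():
        print(f"{name}: {value:.4f}")
```

The point the seminar answers make about assumptions is visible here: the ASP of roughly 0.42 depends entirely on the assumed transition probabilities, and the "rapport" to "initial_contact" retry loop alone moves the result by several percentage points, so the outputs are decision-support figures rather than measurements.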
References
Aijaz, M. and Nazir, M. (2024) ‘Modelling and analysis of social engineering threats using the attack tree and the Markov model’, International Journal of Information Technology, 16(2), pp. 1231–1238.
Unit 10 – Seminar: DR Solutions Design and Review
Seminar preparation based on Kumar (2024) and Corbari et al. (2024), focusing on cloud vendor lock-in, disaster recovery design and mission-critical dependencies.
What are some of the main vendor lock-in issues the authors identify? How would you mitigate them?
Kumar (2024) describes vendor lock-in as dependency on cloud-provider-specific services such as proprietary APIs, platforms and management tools, which can reduce flexibility and make migration or recovery outside a single provider more difficult.
From my perspective, vendor lock-in becomes problematic when it effectively acts as a single point of failure. Even if systems are technically resilient within one cloud platform, recovery options are still constrained by reliance on a single provider and control plane.
In this context, vendor lock-in should be understood as a trade-off rather than a design failure. A controlled level of dependency may be acceptable where it supports availability and recovery objectives, as long as the risk is recognised and actively managed. Corbari et al. (2024) do not argue against cloud dependencies, but provide a way to identify which dependencies actually matter for critical operations. This makes it possible to focus mitigation efforts where vendor lock-in would have real mission or business impact.
What are some security concerns with the modern cloud? How can these be mitigated?
When considering security concerns in the modern cloud, the main issue is not a lack of security mechanisms, but how easily misconfigurations and unclear responsibility can scale their impact. Because cloud platforms rely heavily on centralised control planes and shared services, relatively small configuration errors or access issues can affect multiple systems at once.
From my perspective, the challenge is therefore less about adding more security controls and more about understanding which failures would actually have meaningful operational consequences. While Mission Thread Analysis (MTA) offers a structured way of reasoning about critical dependencies and mission impact (Corbari et al., 2024), it is primarily developed for military and highly structured operational environments.
In a more typical organisational context, the underlying idea remains relevant, even if the framework itself is not directly adopted. Security and disaster recovery decisions should be guided by an understanding of which systems and services matter most, rather than applying the same controls across all cloud resources.
References
Kumar, A. (2024) Cloud Vendor Lock-In: Identify, Strategies and Mitigate.
Corbari, G.I., Khatod, N., Popiak, J.F. and Sinclair, P. (2024) ‘Mission Thread Analysis: Establishing a Common Framework’, The Cyber Defense Review, 9(1), pp. 37–54.
Unit 12 – Seminar: The Great Debate – Epistemic Risk and the Future of SRM
Seminar presentation focusing on epistemic risk and the role of Artificial Intelligence in future Security and Risk Management decision-making.
How does epistemic risk affect organisational security understanding and decision-making?
The presentation explored how increasing system complexity and automation make it more difficult for organisations to maintain an accurate and reliable understanding of their own security posture. This creates a gap between perceived security and actual operational risk.
From my perspective, this challenge is not only technical, but also organisational. Decision-makers increasingly rely on abstract risk models and automated outputs, which can reduce visibility into real system behaviour and underlying assumptions.
Can Artificial Intelligence help reduce the epistemic gap in Security and Risk Management?
AI-based risk modelling and automated analysis were presented as important tools for improving security insight and supporting faster, data-driven decision-making. However, the analysis also highlighted that AI should be used as a decision-support mechanism rather than a replacement for human judgement.
Effective risk governance, therefore, requires a balanced approach, where AI enhances organisational security understanding while human oversight remains responsible for interpretation, accountability, and final decision-making.
Key reference
Coeckelbergh (2026) served as the primary theoretical framework for discussing epistemic risk and its relevance to AI-supported security decision-making.
Full academic references are included within the presentation slides.
GDPR Case Study – Unit 5
This case study examines a pre-GDPR decision by the Data Protection Commission concerning the handling of a data subject access request. The analysis highlights organisational accountability, documentation practices, and the role of information security controls in supporting compliant data protection processes.
Reflection (3W Model)
What: I developed a clearer understanding of how effective handling of subject access requests depends on an organisation’s ability to identify, document, and justify the processing of personal data across both manual and electronic systems.
So what: This learning is important because weaknesses in documentation and traceability can create regulatory risk and undermine trust, even where access is eventually provided. The case demonstrates that compliance relies on operational capability rather than policy statements alone.
What next: In future organisational contexts, I would support access request handling through defined ownership, request tracking, and technical controls such as logging and access control, aligned with GDPR accountability and security principles.
Unit 6 – Wiki Submission
This wiki summarises the applicable frameworks and recommended tests for different organisational contexts.
Group Project – Pampered Pets Risk Assessment (Unit 6)
This report assesses the security implications of Pampered Pets’ transition from the current status quo system to a digitalised version that introduces online booking and customer management. Using ISO 27005 and ISO 31000, the analysis identifies key assets, threats and vulnerabilities affecting both environments. While the digitalised version supports several economic objectives such as reduced administrative effort, improved efficiency and the potential for increased revenue, it also introduces new risks related to customer data, access control, system availability and online interactions. The report proposes security controls to mitigate these risks and ensure that the financial benefits of digitalisation can be achieved safely.
This group project contributed to my understanding of applying formal risk management frameworks collaboratively and aligning technical analysis with organisational context.
View Group Report
Unit 11 – Executive Summary: Supply Chain and Quality Risk
This executive summary evaluates the impact of digitalisation, international supply chains, and automation on product quality and availability at Pampered Pets. A Monte Carlo simulation is used to model uncertainty in demand, lead times, and quality variation, providing probabilistic estimates of stockout events and quality degradation under operational uncertainty.
The analysis supports risk-informed decision-making by linking quantitative modelling results to business impact, reputational risk, and continuity requirements. It also considers disaster recovery and business continuity requirements, including strict RTO and RPO targets, and evaluates the trade-offs associated with cloud-based resilience and vendor lock-in.
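A simulation of the kind described above, as an added example that is not the executive summary's own model: each scenario steps a single-product inventory through a planning horizon with uncertain daily demand, uncertain supplier lead time and an occasional bad batch from the supplier, then reports the probability of at least one stockout day and the probability of a quality breach across all scenarios. All parameter values, the inventory policy (reorder point with one order in transit) and the bad-batch model are assumptions made for illustration; the seed is fixed so that results are reproducible.

```python
"""Added example: Monte Carlo estimate of stockout and quality-degradation risk.

Constructed toy model of a single-product inventory with uncertain daily demand,
supplier lead time and per-batch defect rate. All parameter values are assumed.
"""
import random
import statistics


def simulate_supply_chain(runs=2000, horizon_days=90, initial_stock=300,
                          reorder_point=150, order_qty=300,
                          demand_mean=10.0, demand_sd=3.0,
                          lead_mean=14.0, lead_sd=4.0,
                          batch_defect_mean=0.02, batch_defect_sd=0.01,
                          bad_batch_prob=0.05, bad_batch_rate=0.15,
                          quality_threshold=0.10, seed=42):
    """Run `runs` independent scenarios and summarise availability and quality risk.

    Each scenario steps through `horizon_days` days: orders due today arrive,
    the day's demand is served from stock (unmet demand counts as a stockout day),
    and a replenishment order is placed when stock is at or below the reorder
    point with nothing in transit. Each order carries a defect rate drawn when it
    is placed: usually near the nominal rate, occasionally a bad batch.
    """
    rng = random.Random(seed)  # fixed seed for reproducible results
    stockout_runs = 0
    stockout_days_per_run = []
    all_batch_rates = []
    quality_breach_runs = 0

    for _ in range(runs):
        stock = initial_stock
        pending = []          # (arrival_day, quantity, defect_rate) for orders in transit
        stockout_days = 0
        batch_rates = []

        for day in range(horizon_days):
            # Receive any orders due today or earlier.
            for arrival_day, qty, rate in pending:
                if arrival_day <= day:
                    stock += qty
                    batch_rates.append(rate)
            pending = [o for o in pending if o[0] > day]

            # Serve demand; demand is truncated at zero and rounded to whole units.
            demand = max(0, int(round(rng.gauss(demand_mean, demand_sd))))
            shipped = min(stock, demand)
            stock -= shipped
            if shipped < demand:
                stockout_days += 1

            # Replenish when at or below the reorder point and nothing is in transit.
            if stock <= reorder_point and not pending:
                lead = max(1, int(round(rng.gauss(lead_mean, lead_sd))))
                if rng.random() < bad_batch_prob:
                    rate = bad_batch_rate
                else:
                    rate = min(1.0, max(0.0, rng.gauss(batch_defect_mean, batch_defect_sd)))
                pending.append((day + lead, order_qty, rate))

        if stockout_days > 0:
            stockout_runs += 1
        stockout_days_per_run.append(stockout_days)
        all_batch_rates.extend(batch_rates)
        if batch_rates and max(batch_rates) > quality_threshold:
            quality_breach_runs += 1

    return {
        "stockout_probability": stockout_runs / runs,
        "mean_stockout_days": statistics.mean(stockout_days_per_run),
        "max_stockout_days": max(stockout_days_per_run),
        "mean_batch_defect_rate": statistics.mean(all_batch_rates) if all_batch_rates else 0.0,
        "quality_breach_probability": quality_breach_runs / runs,
    }


if __name__ == "__main__":
    for key, value in simulate_supply_chain().items():
        print(f"{key}: {value:.3f}")
```

Setting the standard deviations and the bad-batch probability to zero turns the model into a deterministic inventory calculation, which is a useful check that the policy logic behaves as intended before the stochastic parameters are switched on; re-running with different reorder points or lead-time assumptions is the sensitivity testing mentioned in the reflection.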
Reflection (3W Model)
- What: I learned how to use a Monte Carlo simulation to model uncertainty in a realistic supply chain and availability context, and how probabilistic outputs can be linked to business risk.
- So what: This is important because it shows that availability issues can occur frequently, even if they are short-lived, while quality issues are rarer, but have higher reputational impact. It reinforced the need to state assumptions and limitations clearly.
- What next: I will continue using quantitative methods where they add value, but will also test alternative assumptions and scenarios to understand sensitivity better and support stronger business decision-making.
Tutor and Peer Feedback
This section presents formal tutor and peer feedback received for assessed group work during the module. The feedback is presented as supporting evidence and is not analysed or reflected upon in this section.
Unit 6 – Group Risk Project
- Peer review score: 93%
- Tutor grade: 83
- Knowledge and understanding: Excellent understanding of risk across both assessment stages and mitigation advice.
- Application: Additional case examples and more recent technical sources were recommended.
- Criticality: Clearer acknowledgement of limitations and gaps in proposed mitigation plans was advised.
- Structure and presentation: Strong structure and effective visualisation.