Assessment Brief: BIS3004 IS Security and Risk Management
Trimester-1 2024
Assessment Overview
Assessment Task: Assessment 1: Case Study. Write a report to discuss recent types of information security attacks, protection mechanisms and risk management.
Type: Individual
Weighting: 30%
Due: Week 6
Length: 2500 words
ULO: ULO-2, ULO-3, ULO-4
equiv. – equivalent word count based on the Assessment Load Equivalence Guide. It means this assessment is equivalent to the normally expected time requirement for a written submission containing the specified number of words.
Note for all assessment tasks:
• Students can generate/modify/create text generated by AI. They are then asked to modify the text according to the brief of the assignment.
• During the preparation and writing of an assignment, students may use AI tools, but may not include any AI-generated material in their final report.
• AI tools are used by students in researching topics and preparing assignments, but all AI-generated content must be acknowledged in the final report as follows:
Tools
Format
I acknowledge the use of [insert the name of the AI system and link] to [describe how it was used]. The prompts used were entered on [enter the date in ddmmyyyy:] [list the prompts that were used]
Example
I acknowledge the use of ChatGPT to create content to plan and brainstorm ideas for my assessment. The prompts used were entered on 18 March 2023:
• What are some key challenges in running an online business?
Assessment 1: Case Studies (Use case analysis, Risk Identification and Assessment)
Due date: Week 6
Group/individual: Individual
Word count / Time provided: 2500
Weighting: 30%
Unit Learning Outcomes: ULO-2, ULO-3, ULO-4
Justification
There is a noticeable increase in the occurrence of data intrusions within the financial and healthcare sectors in Australia. The Australian government is currently revising its cybersecurity frameworks and policies to strengthen resilience against nation-state threat actors and thereby disrupt this adverse trend.
In the past 4 years, numerous data breaches have occurred in Australia, several of which affected many users. Table 1 is a compilation of noteworthy data breaches that have transpired in recent years.
Table 1: Major Data Breach Incidents in Australia
Company Name                       Date of Impact
Latitude                           March 2023
Medibank                           December 2022
Optus                              September 2022
Eastern Health                     March 2021
Northern Territory Government      February 2021
Canva                              May 2019
Australian Parliament House        February 2019
Approach Analysis
You are required to choose one of the data breaches from the list above in Table 1 and create a report
on it. Your report must include the following information.
1. Detail of the Attack:
This section of your report should include the elements below.
• What was the attack? What vulnerability was exploited?
• Was the vulnerability already known? When did the attack happen?
• Were there any controls implemented against the vulnerability, and was it exploited despite them?
2. Analysis and Action:
This section of your report should include the elements below.
• When and how did the target find out about the attack?
• For how long was the risk left unactioned?
• Did the organisation have a risk assessment policy and procedure?
• Did the organisation maintain a risk register?
• Was the vulnerability included in the risk register?
• How was the risk rated (critical/non-critical/high/medium/low)?
• What did the attacker(s) do, steal, and want?
• Did the organisation pay anything because of the attack?
• What action did they adopt to avoid further damage?
3. Risk assessment
a. Risk Identification
b. Risk Analysis
c. Risk Evaluation
Risk Identification and Assessment
In this section, you need to identify risks and conduct an analysis of the selected use case. Regarding the selected scenario, reasonable assumptions can be made if they are adequately documented and supported. To perform risk identification and analysis, you can choose any one of the following tools or a combination of them.
• Factor Analysis of Information Risk (FAIR)
• NIST Privacy Risk Assessment Methodology (PRAM)
• NIST Cybersecurity Framework (CSF)
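As an added worked example (it is not part of this brief, nor tooling from the FAIR Institute or NIST), the following Python shows the quantitative core of a FAIR-style risk analysis: loss event frequency (threat event frequency times vulnerability) multiplied by loss magnitude gives an expected annual loss, a Monte Carlo run gives a "bad year" figure, and each scenario is then mapped onto the critical/high/medium/low scale the brief asks about and ranked into a risk register. The scenario names, frequencies, loss ranges and rating thresholds are all constructed for illustration and are not figures from any incident in Table 1.

```python
# FAIR-style risk analysis on constructed data (added example; not the
# brief's own material and not FAIR Institute code). All numbers are made up.
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk scenario in the register: a threat acting against an asset."""
    name: str
    asset: str
    threat: str
    tef_per_year: float   # Threat Event Frequency: threat events per year
    vulnerability: float  # probability a threat event becomes a loss event (0..1)
    loss_min: float       # per-event loss magnitude range in AUD: min / most likely / max
    loss_likely: float
    loss_max: float


def loss_event_frequency(s: Scenario) -> float:
    """FAIR: LEF = TEF x Vulnerability, i.e. expected loss events per year."""
    return s.tef_per_year * s.vulnerability


def expected_loss_magnitude(s: Scenario) -> float:
    """Mean of a triangular distribution over the min / likely / max loss range."""
    return (s.loss_min + s.loss_likely + s.loss_max) / 3.0


def annualised_loss_exposure(s: Scenario) -> float:
    """Point estimate of risk as expected annual loss: LEF x LM."""
    return loss_event_frequency(s) * expected_loss_magnitude(s)


def rate(ale: float) -> str:
    """Map expected annual loss onto the brief's qualitative scale.
    Thresholds are constructed for this example; a real board sets its own."""
    if ale >= 1_000_000:
        return "critical"
    if ale >= 250_000:
        return "high"
    if ale >= 50_000:
        return "medium"
    return "low"


def _poisson(lam: float, rng: random.Random) -> int:
    """Poisson draw by Knuth's multiplication method; fine for small rates."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(s: Scenario, years: int = 10_000, seed: int = 7) -> list[float]:
    """Monte Carlo: each simulated year draws a Poisson(LEF) number of loss
    events and a triangular loss magnitude per event; returns yearly totals."""
    rng = random.Random(seed)
    lef = loss_event_frequency(s)
    totals = []
    for _ in range(years):
        events = _poisson(lef, rng)
        totals.append(sum(rng.triangular(s.loss_min, s.loss_max, s.loss_likely)
                          for _ in range(events)))
    return totals


def percentile(samples: list[float], pct: float) -> float:
    """Nearest-rank percentile; pct=95 gives the loss of a one-in-twenty bad year."""
    ordered = sorted(samples)
    idx = max(0, min(len(ordered) - 1, math.ceil(pct / 100 * len(ordered)) - 1))
    return ordered[idx]


def risk_register(scenarios: list[Scenario]) -> list[dict]:
    """Rank scenarios by expected annual loss, as a board-facing register."""
    rows = []
    for s in scenarios:
        ale = annualised_loss_exposure(s)
        sims = simulate_annual_loss(s)
        rows.append({"scenario": s.name, "asset": s.asset, "threat": s.threat,
                     "lef": round(loss_event_frequency(s), 3), "ale": round(ale),
                     "p95_year": round(percentile(sims, 95)), "rating": rate(ale)})
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


# Constructed scenarios for illustration only; not figures from any real incident.
SAMPLE_SCENARIOS = [
    Scenario("Customer PII exfiltration via unauthenticated API", "customer database",
             "external criminal group", tef_per_year=2.0, vulnerability=0.25,
             loss_min=100_000, loss_likely=400_000, loss_max=1_300_000),
    Scenario("Ransomware on file servers", "internal file shares", "ransomware operator",
             tef_per_year=1.0, vulnerability=0.3, loss_min=50_000, loss_likely=150_000,
             loss_max=700_000),
    Scenario("Lost unencrypted laptop", "staff laptops", "accidental loss",
             tef_per_year=4.0, vulnerability=0.05, loss_min=5_000, loss_likely=20_000,
             loss_max=80_000),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_SCENARIOS):
        print(f"{row['rating']:>8}  ALE ${row['ale']:>9,}  "
              f"p95 ${row['p95_year']:>9,}  {row['scenario']}")
```

The register deliberately reports both the expected annual loss and a 95th-percentile year: a board reading only the average would underestimate a low-frequency, high-magnitude scenario, which is exactly the shape of the breaches listed in Table 1. Whatever tool you pick, document the inputs you assumed (frequencies, loss ranges, thresholds) in the report, since the brief marks assumptions on how well they are supported.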
Assessment Description
Assume you have been recruited as a cybersecurity specialist by the client organisation (the use case you chose). You are responsible for conducting a security risk assessment and preparing this report for the board members. In most organisations, board members have minimal levels of computer literacy and risk-related knowledge, so write accordingly. Include the following sections in your report:
1. Introduction
2. Details of the attack
3. Analysis and action
4. Risk Assessment
a. Risk Identification
b. Risk Analysis
c. Risk Evaluation
5. Conclusion
6. References
Note: Your responses to the above questions must be supported by APA-style citations and
references.
Additional Information
When conducting research, you may find the following URLs or research tools useful:
Marking Criteria and Rubric: The assessment will be marked out of 100 and will be weighted 30%
of the total unit mark.
Marking Criteria. Each criterion is graded in five bands of the criterion mark: Not satisfactory (0-49%), Satisfactory (50-64%), Good (65-74%), Very Good (75-84%) and Excellent (85-100%).

Introduction (10 marks)
• Not satisfactory (0-49%): The introduction lacks clarity and an engaging hook, is disorganised, and lacks originality.
• Satisfactory (50-64%): The introduction is generally clear, includes a moderately engaging opener, presents a well-articulated statement about the topic, provides some pertinent context, is adequately organised, and lacks significant originality.
• Good (65-74%): The introduction is clear, contains an engaging hook, presents a well-articulated statement about the topic, provides relevant context, and is well organised.
• Very Good (75-84%): The introduction is well written, with a clear discussion about the case analysis, risk identification and assessment.
• Excellent (85-100%): The introduction is exceptionally clear, contains a highly engaging hook, presents a well-articulated topic, provides pertinent context, is flawlessly organised, and demonstrates originality.

Details of the Attack (15 marks)
• Not satisfactory (0-49%): The report lacks clarity and detail, providing little to no information about the details of the attack and its various aspects.
• Satisfactory (50-64%): The report provides a basic overview of the details of the attack, covering some of the necessary details but lacking depth in one or more areas, such as what vulnerability was exploited.
• Good (65-74%): Generally good discussion about the details of the attack, including clear identification and a thorough explanation of the attack.
• Very Good (75-84%): Very clear discussion about the details of the attack. The answer is supported with references and in-text citations.
• Excellent (85-100%): In-depth and very clear discussion about the details of the attack. Accurate answers are supported with references and in-text citations.

Analysis and Action (10 marks)
• Not satisfactory (0-49%): Poor discussion with irrelevant information.
• Satisfactory (50-64%): A brief discussion about the analysis and action. The analysis provides a basic impact assessment but lacks comprehensive details.
• Good (65-74%): Generally good discussion regarding the analysis and action. The impact assessment is reasonable but may lack some depth.
• Very Good (75-84%): Very clear discussion about the analysis and action. The answer is supported with references and in-text citations.
• Excellent (85-100%): In-depth and very clear discussion about the analysis and action. The report provides a complete account of how the target found out about the attack and the way they dealt with it, with accurate answers supported with references and in-text citations.

Risk Identification (15 marks)
• Not satisfactory (0-49%): Poor discussion with irrelevant information.
• Satisfactory (50-64%): A brief discussion about risk identification. Displays a basic understanding of the threat landscape but lacks depth. One of the provided tools was not utilised correctly.
• Good (65-74%): Generally good discussion about risk identification. Shows a good grasp of the threat landscape but may overlook using one of the given tools.
• Very Good (75-84%): Very clear discussion regarding risk identification. Properly uses one of the given tools. The answer is supported by references and in-text citations.
• Excellent (85-100%): Using one of the provided tools, demonstrates an exceptional understanding of the threat landscape, with accurate responses supported by references and in-text citations.

Risk Analysis (15 marks)
• Not satisfactory (0-49%): Poor risk assessment. No assets were mentioned, nor were any threats evaluated.
• Satisfactory (50-64%): A brief discussion about risk analysis. Few threats are evaluated. Some relevant assets were identified, but important ones are missing. Some threats were assessed but lacked detail or accuracy.
• Good (65-74%): Most relevant assets are identified, with minor omissions or inaccuracies. Well-documented threats, with minor omissions or inconsistencies.
• Very Good (75-84%): A very clear and in-depth discussion about risk analysis. The answer is supported with references and in-text citations.
• Excellent (85-100%): Comprehensive identification of all relevant assets, including data, systems, and applications. A thorough assessment of potential threats, their likelihood, and potential impact. The answer is supported with references and in-text citations.

Risk Evaluation (20 marks)
• Not satisfactory (0-49%): Poor evaluation of risk. There are no identified threats or vulnerabilities.
• Satisfactory (50-64%): A brief discussion about risk evaluation. Few threats and vulnerabilities are identified.
• Good (65-74%): Most threats are identified, but some important ones are missing. Some vulnerabilities were identified, but important ones are missing.
• Very Good (75-84%): Comprehensive threat identification with minor omissions. Most vulnerabilities were identified and assessed, with minor omissions. The answer is supported with references and in-text citations.
• Excellent (85-100%): Thorough identification of potential threats, including emerging and known threats. Comprehensive identification and evaluation of vulnerabilities. The answer is supported with references and in-text citations.

Conclusion (10 marks)
• Not satisfactory (0-49%): The conclusion is unclear, fails to summarise key points, has little to no impact, lacks coherence, and lacks originality.
• Satisfactory (50-64%): The conclusion is somewhat unclear, lacks a thorough summary of key points, has a limited impact, struggles with coherence, and lacks originality.
• Good (65-74%): The conclusion is generally clear, summarises key points adequately, has a moderate impact, maintains satisfactory coherence, and lacks significant originality.
• Very Good (75-84%): The conclusion is clear, effectively summarises key points, has a positive impact, maintains good coherence, and shows some originality.
• Excellent (85-100%): The conclusion is exceptionally clear, effectively summarises key points, has a significant impact, maintains excellent coherence, and demonstrates originality.

Formatting and Referencing (5 marks)
• Not satisfactory (0-49%): Includes misspelt words, incorrect language, incorrect punctuation, improper formatting, and reference citation based on applicable standards; satisfies minimum page length requirements.
• Satisfactory (50-64%): Few spelling, grammatical, and punctuation problems are present. A few formatting or citation problems according to proper standards; fulfils minimal page requirements.
• Good (65-74%): Few spelling, grammatical, and punctuation problems are present, with a few citation problems.
• Very Good (75-84%): Few spelling, grammatical, and punctuation problems are present.
• Excellent (85-100%): There are no spelling or grammar mistakes. The paper's format and citation of sources conform to applicable criteria; the minimum number of pages is met.