CORAS Risk Analysis Case Study

Questions and Answers

What is the primary focus of the risk assessment in this case study?

  • The LMS's security aspects. (correct)
  • The LMS's aesthetic design.
  • The LMS's user interface.
  • The LMS's marketing strategy.

The CORAS approach is not suitable for risk analysis in software systems.

False (B)

What is the first step in applying the CORAS approach to risk analysis, as outlined in the case study?

Set the scope and focus

One of the security requirements for the LMS focuses on the ________ of educational data.

confidentiality

Match each component with its function within the LMS:

  • Authentication Server = Manages user access and ensures secure logins
  • Local Database = Stores courses, user information, and system data
  • Cloud Storage Services = Provides additional storage for system data
  • User Management = Handles user accounts, permissions, and roles

Which diagram is used to display the risk assessment results and the selected risk treatment strategies?

Risk Treatment Diagram (A)

The 'Target' in CORAS risk assessment refers to the specific threat being analyzed.

False (B)

Aside from confidentiality, what other key aspect of educational data is a security requirement for the LMS?

Integrity

The LMS integrates with ________ _________ for interactive sessions.

video conferencing

Which of these is an example of a third-party tool integrated with the LMS?

Cloud Storage Services (A)

The Asset Diagram is used to estimate and model the likelihood and impact of identified threats.

False (B)

What type of server manages user access for both students and instructors?

Authentication Server

The LMS's administrative backend uses ________ ________ to analyze system and user data for decision-making.

data analytics

Which of the following is NOT a primary goal of the LMS security requirements?

System Performance Optimization (A)

Risk estimation involves listing potential security incidents affecting the LMS.

False (B)

What is the purpose of prioritizing assets in the CORAS methodology?

Based on their importance to the LMS's operation and the impact of potential threats

The local database supports the LMS by storing courses, user information, and ________ ________ for retrieval and analysis.

system data

What aspect of online exams is considered particularly important in the LMS security requirements?

Non-repudiation (B)

The threat diagram is used to identify and illustrate all LMS assets, including hardware, software, data, and user interactions.

False (B)

What is the role of the course approval process within the administrative backend?

Verifying and approving new courses

Flashcards

CORAS Approach

A structured approach used to identify, analyze, and manage risks in a system or organization.

Asset Diagram

A visual representation of the system's valuable components, including hardware, software, data, and interactions.

Unwanted Incident

An event that could harm the confidentiality, integrity, or availability of a system or its data.

Estimate and Model Risk

The process of determining how likely a threat is and how bad the impact would be if it occurred.

Evaluate and Treat Risk

Deciding whether a risk is acceptable and planning actions to reduce or eliminate unacceptable risks.

Risk Treatment Diagram

A diagram showing the results of the risk assessment and the chosen strategies to handle those risks.

Availability

Ensuring data is accessible and usable when needed.

Integrity

Guaranteeing data is accurate and complete and that systems function as intended, without unauthorized modification.

Authentication

The process of verifying a user's identity before granting access to the system.

Non-repudiation

Security principle ensuring actions can be traced back to a specific user, preventing denial of responsibility.

Threat

A potential cause of an unwanted incident, such as a hacker or a system vulnerability.

Vulnerability

A weakness in the system that a threat can exploit.

Risk

The potential negative consequence or impact resulting from a threat exploiting a vulnerability.

Treatment

An action taken to reduce or eliminate a risk.

Confidentiality

The protection of sensitive information from unauthorized access or disclosure.

Accountability

The ability of a system to assign responsibility for actions to specific users.

Study Notes

  • This assessment involves using the CORAS approach to risk analysis on a provided case study.
  • The task requires reading the case study and applying the CORAS risk assessment methodology.
  • The goal is to identify and model applicable risks using asset, threat, risk, treatment, and treatment overview diagrams.

System Architecture of the Case Study

  • Assignment Grading facilitates the evaluation of student work.
  • Student Performance Analysis tools are available for monitoring student progress.
  • User Management handles user accounts, permissions, and roles.
  • Data Analytics analyzes system and user data for decision-making.
  • Course Approval processes verify and approve new courses.
  • Cloud Storage Services provide additional storage for system data.
  • External Educational Resources integrate external learning materials.
  • Video Conferencing supports live sessions and virtual classrooms.

Interconnections within the System

  • An Authentication Server manages user access.
  • It interfaces with both student and instructor portals to ensure secure logins.
  • A Local Database supports the LMS by storing courses, user information, and system data.
  • The system integrates with Third Party Tools.
  • These include cloud services for storage expansion, external resources for enriched learning content, and video conferencing for interactive sessions.

Security Concerns and Requirements

  • The security requirements for the LMS focus on Confidentiality, Integrity, and Availability.
  • Privacy, Authentication, and Non-repudiation are also important, especially for online Exams.

Applying CORAS for Risk Assessment

  • Set the Scope and Focus on the LMS’s security aspects.
  • Consider all components and subsystems involved in the assessment.
  • Define the Target as the secure operation of the LMS.
  • Ensure that educational activities are carried out effectively and securely.
  • Develop an Asset Diagram to illustrate all LMS assets, including hardware, software, data, and user interactions.
  • Analyze Unwanted Incidents by listing potential security incidents affecting the confidentiality, integrity, and availability of the LMS.
  • Identify and Rank Assets based on their importance to the LMS’s operation and the impact of potential threats.
  • Estimate and Model Risk using the threat diagram.
  • Determine the likelihood and impact of identified threats, and model them accordingly.
  • Evaluate and Treat Risk by assessing the risks and deciding on acceptable levels.
  • Propose treatments to mitigate or eliminate the risks.
  • Construct a Risk Treatment Diagram to display the risk assessment results.
  • This diagram should include the selected risk treatment strategies.
