Assignment 1 – Development Team Project: Risk Identification Report & Peer Review

This week, students were preparing for the submission of the first graded assignment, the Team Project and individual Peer Review, which was a team project report on Risk Identification for a small enterprise, Pampered Pets.

Pampered Pets Enterprise

Pampered Pets is a bricks-and-mortar business based in a leafy suburb of Hashington-on-the-Water. It employs 4 staff: Alice, the owner/manager; Cathy, the shop manager; Andrea, the store assistant; and Harry, the warehouse manager. 90% of its business is carried out face to face, with people coming into the store to buy items. The business is best known for the quality of its pet foods, made from the highest-quality ingredients from local suppliers, with many items prepared and packed in-house.

The report should investigate all reasonable threats AND address the following three questions: (1) Could an online presence grow the business by up to 50%? (2) Could changing to an international supply chain reduce costs by up to 24%? (3) Could the business lose up to 33% of its existing customers if it does not provide some online features?

Introduction

This report explains the methodology and results of the risk assessment of the bricks-and-mortar business Pampered Pets. Because Pampered Pets is also planning to expand its business through digitalization, the same assessment is applied to those plans. The first section of this document covers the risk assessment of Pampered Pets in its current state. The second section concentrates on the risks associated with digitalization, and the third section gives the summary along with recommendations.

Risk Assessment

The chosen risk assessment methodology is OCTAVE-S, shown in Figure 1. OCTAVE-S is designed for smaller organizations of up to about 100 people (Caralli et al., 2007; Shevchenko et al., 2018). Since Pampered Pets has 4 employees, OCTAVE-S is a well-structured approach suited to identifying and prioritizing information security risks and to recommending how to manage them. The following results for the business in its current state were produced using the OCTAVE-S steps:

Define Assets:

Inventory such as pet food and other accessories, customer data, financial records, and physical structure (shop, warehouse, etc).

Identify Threats:

Theft, damage to property, vandalism, and natural disasters (fire, flood) can disrupt store operations and, where the warehouse is affected, the supply chain.

Identify Vulnerabilities:

A lack of physical security measures (such as surveillance) leaves the business vulnerable to theft and vandalism, and poor information security practices (for example, customer records and financial data kept without access control or backups) leave its information assets exposed.

Assess Impacts:

In this context, theft and loss of customer or financial data have the higher short-term impact on the business. Supply chain disruption has a lower and more gradual impact, and diversifying suppliers would reduce it further.

Risk Analysis and Prioritization:

In this case, theft and data security are therefore given higher priority than supply chain disruption.

Develop Risk Mitigation Strategies:

Implement physical security measures such as surveillance, alarms, and secure locks to protect assets. Implement information security procedures to secure client data, such as access controls, encryption, and frequent (tested) data backups. In addition, train employees on the safety and security procedures that apply to them.

Implementation and Monitoring:

Adapt to changes in the business environment by reviewing and updating the risk assessment regularly. The PDCA (Plan-Do-Check-Act) cycle is advised for this process, as it is part of becoming ISO 27001/27002 compliant (Calder, 2011). The same OCTAVE-S steps were then applied to the planned digitalization of the business, with the following results:

Define Assets:

Identify critical assets that will be affected by the digitalization process, such as customer data (personal information and purchase history), inventory records, and financial information.

Identify Threats:

o Adversaries gaining access to sensitive systems such as the POS system or the customer database.
o Theft or exposure of customer data due to vulnerabilities in computer systems. For instance, Harry's old computer could be affected by such vulnerabilities because of its outdated software.
o Viruses, ransomware, or other malicious software compromising Pampered Pets' systems.
o Downtime or outages affecting digital services due to technical issues or denial-of-service (DoS) attacks.
o Phishing scams or other attacks targeting employees to gain access to sensitive information.

Identify Vulnerabilities:

o Weak password policies: employees using weak passwords or re-using passwords across multiple accounts.
o Outdated software: failure to install security patches or updates, leaving systems vulnerable to known exploits. In addition, the computer used by Harry and any other computers and software that are at End-of-Support should be replaced by supported alternatives.
o Insufficient awareness of cybersecurity best practices among employees.

Assess Impacts:

In this case, DoS attacks affect availability: they degrade the customer experience and damage the company's reputation. The other threats listed (unauthorized access, malware, phishing) directly affect the confidentiality and integrity of customer information.

Risk Analysis and Prioritization:

Analyze the probability and potential impact of each identified threat to determine its overall risk level from its severity and likelihood of occurrence. On this basis, staff training and the replacement of outdated hardware and software should be prioritized, since they address the phishing and unpatched-software threats that are both likely and high-impact.

Develop Risk Mitigation Strategies:

o Limiting access to sensitive information and systems to authorized personnel only.
o Installing firewalls (including a web application firewall for the online store), antivirus software, and intrusion detection systems to detect and prevent threats.
o Conducting regular audits of Pampered Pets' infrastructure on an ongoing basis. This needs to be executed by domain experts to ensure effective security of the network (Li et al., 2023).
o Educating staff about cybersecurity risks and best practices to minimize the likelihood of human error.
o Applying the latest patches and upgrades to all computers and POS devices at Pampered Pets so that known fixes are in place; a fully patched system removes the known vulnerabilities that most malware relies on to gain a foothold (Grimes, 2017).
o Preparing for security incidents by having a well-documented plan with an escalation path that is clear to all employees.

Implementation and Monitoring:

Implement the identified risk mitigation strategies and controls within Pampered Pets' digital environment. Regularly monitor the effectiveness of these controls and adjust them as necessary based on changes in the threat landscape or business requirements. Moreover, conduct periodic reviews and updates of the risk assessment to ensure it remains relevant and aligned with Pampered Pets' digitalization efforts. On the basis of these findings, Pampered Pets can move ahead with digitalization with caution and with the information security plan described above.

Conclusion and Recommendations

This risk assessment of Pampered Pets shows that there are both opportunities and challenges associated with the digitalization process. Although there is no predefined way of integrating risk assessment methodologies, in future work FAIR (Factor Analysis of Information Risk) could be used alongside OCTAVE-S: while each can be used independently, elements of each can complement the other, with OCTAVE-S providing the asset-based, qualitative prioritization and FAIR a quantitative estimate of expected loss. The current online purchasing method, coupled with physical in-store payment and pickup, poses security risks to customers. The warehouse manager's outdated computer system, which lacks security patches and updates, can lead to security breaches and prolonged downtime. The wireless gateway in use also poses a security risk (Giansanti, 2021; Cybersecurity for Electronic Devices | CISA, 2021).
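As an added worked example (not part of the original report), the following Python script scores the scenarios from the Risk Analysis and Prioritization step above in the qualitative likelihood × impact style of OCTAVE-S, then re-estimates the same scenarios with a FAIR-style Monte Carlo simulation of annualized loss, to show how the two methodologies can complement each other as suggested here. The scenario names follow the report; every likelihood and impact rating, event frequency range and loss range is a constructed assumption for illustration, not a figure from the report or from Pampered Pets.

```python
"""Qualitative (OCTAVE-S style) vs quantitative (FAIR style) prioritization.

Added example, not part of the original report. All ratings, frequencies
and loss ranges below are constructed assumptions for illustration only.
"""
import math
import random
import statistics
from dataclasses import dataclass

# --- Part 1: OCTAVE-S style qualitative scoring -----------------------------
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: str   # low / medium / high (assumed rating)
    impact: str       # low / medium / high (assumed rating)
    # FAIR-style inputs (assumed): loss event frequency in events per year,
    # and loss magnitude per event in GBP, each given as a min..max range.
    lef_min: float
    lef_max: float
    loss_min: float
    loss_max: float


# Constructed scenarios; names mirror the threats identified in the report.
SCENARIOS = [
    Scenario("Phishing of staff leading to account compromise", "high", "high", 0.2, 1.0, 2_000, 25_000),
    Scenario("Ransomware via Harry's unpatched computer", "medium", "high", 0.1, 0.5, 5_000, 60_000),
    Scenario("DoS outage of the online store", "medium", "medium", 0.2, 2.0, 200, 3_000),
    Scenario("Shop theft or vandalism", "medium", "low", 0.5, 3.0, 100, 1_500),
    Scenario("Supply chain disruption", "low", "medium", 0.1, 0.5, 400, 7_000),
]


def qualitative_score(s: Scenario) -> int:
    """Likelihood x impact on a 1..3 scale, giving a 1..9 risk score."""
    return LEVELS[s.likelihood] * LEVELS[s.impact]


def rank_qualitative(scenarios):
    """Highest risk score first; ties broken by name for determinism."""
    return sorted(scenarios, key=lambda s: (-qualitative_score(s), s.name))


# --- Part 2: FAIR-style Monte Carlo of annualized loss ---------------------
def _poisson(rng: random.Random, lam: float) -> int:
    """Poisson sample via Knuth's multiplication method (fine for small rates)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_loss(s: Scenario, trials: int = 20_000, seed: int = 1) -> dict:
    """Simulate one year `trials` times: draw a frequency from the LEF range,
    draw how many loss events occur (Poisson), then draw each event's loss
    from a triangular distribution over the loss range. Returns the
    annualized loss expectancy (mean), the 90th percentile, and the
    probability of suffering any loss in a year."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = []
    for _ in range(trials):
        lef = rng.uniform(s.lef_min, s.lef_max)
        events = _poisson(rng, lef)
        losses.append(sum(rng.triangular(s.loss_min, s.loss_max) for _ in range(events)))
    losses.sort()
    return {
        "ale": statistics.fmean(losses),
        "p90": losses[int(0.9 * trials)],
        "p_any_loss": sum(1 for x in losses if x > 0) / trials,
    }


def rank_quantitative(scenarios, **kwargs):
    """Highest annualized loss expectancy first."""
    return sorted(scenarios, key=lambda s: -simulate_annual_loss(s, **kwargs)["ale"])


if __name__ == "__main__":
    print("OCTAVE-S style ranking (likelihood x impact):")
    for s in rank_qualitative(SCENARIOS):
        print(f"  {qualitative_score(s):>2}  {s.name}")
    print("\nFAIR style ranking (annualized loss expectancy, GBP):")
    for s in rank_quantitative(SCENARIOS):
        r = simulate_annual_loss(s)
        print(f"  ALE {r['ale']:>8,.0f}  P90 {r['p90']:>8,.0f}  P(loss) {r['p_any_loss']:.2f}  {s.name}")
```

With the assumed inputs the two rankings disagree at the top: the qualitative matrix puts phishing first, while the simulation ranks the ransomware scenario higher because its rarer events carry a much larger loss per event. That disagreement is exactly what a quantitative pass adds to OCTAVE-S, and the inputs should be replaced with estimates agreed with the business before any conclusion is drawn from it.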

The organization should replace its traditional computer system with a modern, supported POS system for sales transactions, inventory monitoring, and integration with its online store. This may require additional computers and personnel. Access to the POS should be restricted to authenticated, authorized staff accounts (Nguyen, 2021; POS Integration: How to Connect Offline and Online Sales, 2024). Tighe (2023) reports that 43% of surveyed consumers shop mostly online, which presents opportunities for online retail companies to boost sales, increase brand recognition, and expand their customer base, potentially leading to cost savings.

Based on all findings of the risk assessment, it is recommended that Pampered Pets go ahead with the digitalization process, albeit with caution and careful consideration of the information security plan presented. It is advised to follow the plan presented in Chapter 3 according to the Gantt chart in Figure 4.

REFERENCES:

Calder, A. (2011) Implementing information security based on ISO 27001/ISO 27002. Van Haren. Available at: https://books.google.nl/books?hl=en&lr=&id=Vt1EBAAAQBAJ&oi=fnd&pg=PT9&dq=pdca+iso+27001&ots=7u_C6OKg9N&sig=zD_qof85MniS55uJuSw1fg_Y5FM (Accessed: 7 March 2024).

Caralli, R.A., Stevens, J.F., Young, L.R. and Wilson, W.R. (2007) 'Introducing OCTAVE Allegro: Improving the information security risk assessment process', Hansom AFB, MA [Preprint]. Available at: https://www.academia.edu/download/30095727/Introducing_octave_allegro_Improving_the_information_security_risk_assessment_process.pdf (Accessed: 7 March 2024).

Cybersecurity for Electronic Devices | CISA (2021). Available at: https://www.cisa.gov/news-events/news/cybersecurity-electronic-devices (Accessed: 7 March 2024).

Giansanti, D. (2021) 'Cybersecurity and the Digital-Health: The Challenge of This Millennium', Healthcare, 9, 62.

Grimes, R.A. (2017) Hacking the hacker: Learn from the experts who take down hackers. John Wiley & Sons. Available at: https://books.google.nl/books?hl=en&lr=&id=uaOaDgAAQBAJ&oi=fnd&pg=PA31&dq=Grimes,+R.+(2017)+Hacking+the+hacker.+&ots=VHkvfC-2W4&sig=rzQpyqf4eE0-7m1GZ44ubeeh8kg (Accessed: 7 March 2024).

Ionita, D. (2013) Current Established Risk Assessment Methodologies and Tools. Available at: https://doi.org/10.13140/RG.2.2.32981.01769.

Li, Q., Zhang, M., Shen, Y., Wang, R., Hu, M., Li, Y. and Hao, H. (2023) 'A Hierarchical Deep Reinforcement Learning Model with Expert Prior Knowledge for Intelligent Penetration Testing', Computers & Security, p. 103358.

Mind Mapping Software | MindView | MatchWare.com (2019) Matchware. Available at: https://www.matchware.com/mind-mapping-software (Accessed: 7 March 2024).

Miro | The Visual Workspace for Innovation (2019). Available at: https://miro.com/homepage-092-2/ (Accessed: 7 March 2024).

Nguyen, J. (2021) '5 best POS inventory systems for 2024 from $0 per month', World's #1 POS for Magento, 15 April. Available at: https://www.magestore.com/blog/pos-inventory-system/ (Accessed: 7 March 2024).

POS Integration: How to Connect Offline and Online Sales (2024) BigCommerce. Available at: https://www.bigcommerce.co.uk/articles/ecommerce/pos-integration/ (Accessed: 7 March 2024).

Shevchenko, N., Chick, T.A., O'Riordan, P., Scanlon, T.P. and Woody, C. (2018) Threat modeling: a summary of available methods. Carnegie Mellon University Software Engineering Institute, Pittsburgh, United …. Available at: https://apps.dtic.mil/sti/citations/AD1084024 (Accessed: 7 March 2024).

Tighe, D. (2023) Consumers shopping online vs. offline worldwide 2023, Statista. Available at: https://www.statista.com/statistics/1384193/mostly-online-vs-offline-shopping-worldwide/ (Accessed: 7 March 2024).