
Posted: 2022-08-27 11:30


COMP0056 People and Security

Coursework 1

Date Announced: 10.08.2022

Submission Date: 30.08.2022 (16:00 UK time, via Moodle)

Version 1.2

Instructions

This assignment is part of the mandatory assessment of the COMP0056: People and Security module and will count 25% towards your final overall mark.

Assignment submission is due via Moodle through the TurnItIn interface on August 30, 2022 at 16:00 UK time. Late submissions will be accepted with deductions according to UCL's late submission policy.

Only PDF submissions will be accepted.

This assignment is open note, open book, and open course resources. You must identify sources as accurately and fully as possible. UCL plagiarism policies will be strictly enforced. For more details, see http://www.ucl.ac.uk/current-students/guidelines/plagiarism.

You are not allowed to consult other people (outside of course staff) on this work. Each student has to work on the assignment individually.

Your answers will be judged in terms of their quality, the depth of understanding, and also their brevity. Explain your answers clearly, but succinctly. Partial credit may be awarded.

The assignment has an upper limit of 20 pages.

This assignment has a maximum of 100 marks allocated as follows:

Question   Q1   Q2   Q3   Q4   Total
Marks      50   10   20   20   100

For this coursework, put yourself in the role of Jason Manning, the CISO for Spiffington General. The CIO had been pushing the board for some time to appoint a CISO because she realised the hospital was not meeting basic security and data protection standards. The "big goal" she has set for you is that within 2 years, the hospital should meet the NCSC's Cyber Essentials and the General Data Protection Regulation (GDPR) requirements. She has allocated you a fairly generous budget for the next 2 years to buy equipment and services.

Please answer the following questions in writing, by applying the concepts from Lectures 1-4, the CyBOK Human Factors Chapter and the Spiffington General Scenario. You may of course use information from peer-reviewed research papers. If you cite vendor information (on performance or cost) you should state how you could test its veracity.

Question 1 (50%)

Jason's first goal is to ensure access to medical records is properly secured. Given that he has a budget to purchase some new equipment, he is considering a number of two-factor/multi-factor (2FA/MFA) solutions. These are listed below; your task for each solution is to:

A) Estimate the workload for each alternative and say which proposal would have a higher workload.

B) Identify any other usability issues that would affect the use of the solution.

C) Identify possible acceptability/user satisfaction issues associated with the solution.

D) Identify security vulnerabilities that an attacker looking to copy patient medical data might exploit.

For Administrative Staff (using desktop computers in admin offices, and laptops in meetings with medical staff on the wards):

- a 2FA solution consisting of a token (YubiKey) and a 12-digit, complexity 3 password (at least 3 of the following 4: numerical, lowercase, uppercase and special characters).

- fingerprint recognition, combined with a 7-digit OTP generated via an app on their mobile phone.

- an NFC chip contained in their staff pass, combined with face recognition.

For medical staff (doctors and senior nursing staff using the tablets):

- face recognition, combined with a 6-digit OTP generated on their phone.

- an NFC chip contained in their staff pass, combined with face recognition.

- a passphrase combined with voice recognition biometric.
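Two of the mechanisms in the options above can be pinned down precisely: the complexity-3 password rule for administrative staff and the 6- or 7-digit OTP generated on a phone. The Python below is an added example and not part of the coursework handout. It implements the password rule (read here as a 12-character minimum) and, assuming the phone app implements RFC 6238 TOTP over HMAC-SHA1 with a 30-second step as common authenticator apps do, generates and verifies codes at both lengths. The names `password_meets_policy`, `hotp`, `totp` and `totp_accepts`, and the `window` drift tolerance, are this example's own choices; the secret `12345678901234567890` is the RFC 6238 test key, used here as constructed sample input.

```python
"""Mechanics behind two of the Q1 authentication options.

Added example, not part of the COMP0056 handout. Assumes the phone-app
OTP is RFC 6238 TOTP (HMAC-SHA1, 30-second time step), which is what
mainstream authenticator apps implement.
"""
import hashlib
import hmac
import string
import struct

# "12-digit, complexity 3" read as: at least 12 characters drawn from at
# least 3 of the 4 classes (digits, lowercase, uppercase, special).
MIN_PASSWORD_LENGTH = 12
MIN_CHARACTER_CLASSES = 3


def password_meets_policy(password: str) -> bool:
    """Return True if `password` satisfies the complexity-3 rule."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes_present = (
        any(c.isdigit() for c in password),
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes_present) >= MIN_CHARACTER_CLASSES


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to 31 bits, reduced modulo 10**digits and
    zero-padded so leading zeros are not lost."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, unix_time // step, digits)


def totp_accepts(secret: bytes, candidate: str, unix_time: int,
                 digits: int = 6, step: int = 30, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` time steps of clock
    drift. Every extra step accepted multiplies the number of codes an
    attacker can guess against at any moment, so keep `window` small and
    pair this with rate limiting on failed attempts. Comparison is
    constant-time to avoid leaking matching prefixes."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), candidate)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 test key, used as constructed sample input.
    secret = b"12345678901234567890"
    for t in (59, 1111111109, 1111111111):
        print(f"t={t}: 6-digit {totp(secret, t)}  7-digit {totp(secret, t, digits=7)}")
    for pw in ("Correct-Horse9", "correcthorsebattery", "Ab1!"):
        print(f"{pw!r}: {'ok' if password_meets_policy(pw) else 'rejected'}")
```

Two things the code makes concrete for part D: a 7-digit code has ten times the guessing space of a 6-digit one (10^7 versus 10^6 codes per time step), and the drift tolerance the server allows (`window`) multiplies the number of codes accepted at any moment, so either length needs rate limiting on failed attempts. The password check, by contrast, only measures character-class coverage; it says nothing about how guessable the resulting password is.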

Question 2 (10%)

Jason's previous employer is a member of the Information Security Forum (ISF). During his time there, he came across their briefing paper on Human-Centred Security, with the following statement:

"Miller's Magic Number Theory of Memory is an established psychological theory that explores the human mind's capacity to store data in the short-term memory – the average human mind is capable of holding seven short pieces of information (+ or – two) at one time.[12] Studies also suggest that humans forget approximately 50% of new information within an hour of learning it, and 70% within 24 hours.[13] This reinforces the need to frequently deliver and repeat security messages, education and training."

A) Are the statements about human memory correct/relevant in this context?

B) If Jason were to follow the recommendation "to frequently deliver and repeat security messages, education and training" at Spiffington General, how do you expect medical staff to respond, and why?

Question 3 (20%)

The procurement department in the Spiffington administration has been targeted with invoices that seem to come from genuine suppliers, but their bank details have been altered. Since the fake accounts were immediately emptied, the money was lost.

A) Apply the Human Error concept to explain why staff made this mistake.

B) The Chief Financial Officer demands that Jason immediately introduces security measures to stop this happening again. Jason considers requiring all suppliers to send digitally signed invoices, but Spiffington does not have the infrastructure to receive encrypted emails. What measures could Jason introduce at short notice to stop this happening again?

Question 4 (20%)

Many Spiffington staff use WhatsApp groups to communicate with each other about hospital business – for instance to swap shifts, ask each other questions about patient care or ask the pharmacy to send urgent medications. An attacker managed to steal a doctor's phone in a cafe close to the hospital. After going through the WhatsApp messages, he requested some controlled drugs and snatched them from the porter who was dispatched to deliver them. Jason considers introducing a policy that staff are only allowed to use hospital systems for work-related communications – which would mean the internal email system.

A) What impact would the policy have on hospital business?

B) What impact would it have on staff?

