You work for a large hospital. You have been tasked by your employer to participate in risk management efforts with the risk assessment team. The team lead notifies you that the following 5 risks have been identified as applicable to your business’s IT department:
Risks:
1. Ransomware attack
2. Spear phishing
3. Distributed Denial of Service (DDoS)
4. Social engineering
5. Theft (employees plus outsiders)
Impact of risk may be captured as:
• Critical (5.0)
• High (4.0)
• Medium (3.0)
• Low (2.0)
• Minimal (1.0)
Probability of risk may be captured as:
• Very likely (5.0)
• Likely (4.0)
• Possibly (3.0)
• Unlikely (2.0)
• Very unlikely (1.0)
Objectives:
Start by reading the article at https://cybersecurityguide.org/industries/healthcare/. Carry out further research on the types of attacks listed above. Based upon your research, identify the probability/likelihood of each occurring in the IT department of the healthcare company, and apply an impact/severity level, again based upon what you find in research. You are expected to:
• Define each type of attack briefly, in your own words (no quotes). Cite your sources using APA.
• Evaluate the risks identified above and assign an impact and probability level to each, based on your opinion of its potential impact, backed by outside research. Construct a risk matrix and place each risk appropriately within the matrix, based upon your evaluation.
• Calculate the overall risk for each of the 5 identified risks (impact x probability).
• Develop an attack tree with malware as the primary (root) node. Ensure the attack tree has at least 3 paths.
• Construct a numerical scale identifying the organization's risk threshold and tolerance, and indicate where you feel each calculated risk instance falls (above or below the threshold). Your scale will start at zero and end at your highest calculated risk value. (Hint: research risk tolerance and the various forms in which it may be expressed, such as a graphic or a matrix.)
• Use a minimum of 5 outside sources, listed at the bottom of the matrix. Your submission will range from 3 to 6 pages, plus a title page and references page.
Note: You may utilize any tool available to accomplish the above objectives. Some examples may include Microsoft Word, Excel, PowerPoint, Visio, Paint or Paintbrush on Mac.
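Added example, not part of the assignment and not a model answer: a small Python helper that applies the impact and probability scales above, computes overall risk as impact x probability, places each risk in the 5x5 matrix, and compares it with a threshold on a scale from zero to the highest calculated value. The ratings and the threshold it uses are constructed placeholders (assumptions) that the student is expected to replace with researched values.

```python
"""Risk scoring helper for the five risks named in the assignment."""
from __future__ import annotations
from dataclasses import dataclass

# Scales exactly as given in the assignment.
IMPACT = {"Critical": 5.0, "High": 4.0, "Medium": 3.0, "Low": 2.0, "Minimal": 1.0}
PROBABILITY = {"Very likely": 5.0, "Likely": 4.0, "Possibly": 3.0,
               "Unlikely": 2.0, "Very unlikely": 1.0}


@dataclass(frozen=True)
class Risk:
    name: str
    impact: str        # key of IMPACT
    probability: str   # key of PROBABILITY

    @property
    def score(self) -> float:
        # Overall risk = impact x probability, as the assignment specifies.
        return IMPACT[self.impact] * PROBABILITY[self.probability]


# Constructed placeholder ratings (assumptions), not researched values.
RISKS = [
    Risk("Ransomware attack", "Critical", "Likely"),
    Risk("Spear phishing", "High", "Very likely"),
    Risk("Distributed Denial of Service (DDoS)", "High", "Possibly"),
    Risk("Social engineering", "Medium", "Likely"),
    Risk("Theft (employees plus outsiders)", "Medium", "Unlikely"),
]


def risk_scores(risks=RISKS) -> dict[str, float]:
    """Overall risk value per risk name."""
    return {r.name: r.score for r in risks}


def risk_matrix(risks=RISKS) -> list[list[list[str]]]:
    """5x5 grid indexed [impact - 1][probability - 1] holding risk names."""
    grid: list[list[list[str]]] = [[[] for _ in range(5)] for _ in range(5)]
    for r in risks:
        grid[int(IMPACT[r.impact]) - 1][int(PROBABILITY[r.probability]) - 1].append(r.name)
    return grid


def scale(risks=RISKS) -> tuple[float, float]:
    """Numerical scale running from zero to the highest calculated risk."""
    return 0.0, max(r.score for r in risks)


def against_threshold(threshold: float, risks=RISKS) -> dict[str, str]:
    """'above' or 'below' the organisation's threshold; a score equal to it counts as above."""
    return {r.name: ("above" if r.score >= threshold else "below") for r in risks}
```

Changing the placeholder ratings in RISKS or the threshold passed to against_threshold() is all that is needed to reuse the helper with researched values.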
Rubric
Assignment value: 50 points possible
Scoring levels for each criterion: Excellent (9-10), Good (7-8), Acceptable (5-6), Unsatisfactory (0-4)

Definition of Risk Terms (10 pts)
• Excellent: A concise yet thorough definition of each of the five risks is present. Each is original writing with its source properly cited.
• Good: One term lacks a thorough, concise definition. Each is original writing with its source properly cited.
• Acceptable: More than one term lacks a thorough, concise definition. Writing is not completely original OR sources are not properly cited.
• Unsatisfactory: Definitions are lacking overall, or are missing, or are not original writing appropriately cited.

Probability and Impact Matrix (10 pts)
• Excellent: Matrix is appropriately constructed, with all risks, probability and impact identified. Overall risk is correctly noted.
• Good: Matrix lacks appropriate identification of probability and impact for the risks; overall risk is noted.
• Acceptable: Probability and impact are not appropriately identified OR the matrix is not constructed properly OR overall risk is missing.
• Unsatisfactory: Probability and impact are not appropriately identified AND the matrix is not constructed properly (or is missing) AND overall risk is missing.

Development of Attack Tree (10 pts)
• Excellent: Attack tree is appropriately constructed, with proper placement of nodes. Three or more paths are indicated.
• Good: Attack tree is appropriately constructed but paths are not logical or thorough enough.
• Acceptable: Attack tree is appropriately constructed but paths are not logical or thorough enough OR it contains fewer than 3 paths.
• Unsatisfactory: Attack tree is not appropriately constructed AND paths are not logical or thorough enough AND it contains fewer than 3 paths.

Risk Threshold Identified (10 pts)
• Excellent: Risk threshold is identified for the organization and a graphic, matrix, or chart is constructed to indicate overall risk. Each risk is clearly identified as to where it falls.
• Good: Risk threshold is identified for the organization and a graphic, matrix, or chart is constructed to indicate overall risk. Somewhat unclear as to where one or more risks fall.
• Acceptable: Risk threshold is identified for the organization but the graphic, matrix, or chart is not appropriately constructed to indicate overall risk. Somewhat unclear as to where one or more risks fall.
• Unsatisfactory: Risk threshold is not identified OR the graphic/matrix is missing.

Business-like Presentation (10 pts)
• Excellent: Assignment is devoid of spelling or grammatical errors; is created in a business-like manner, with at least 5 outside references properly cited in APA. All original writing.
• Good: 1 or 2 spelling or grammatical errors; at least 4 references, all written in own words; proper APA citation.
• Acceptable: 2+ spelling or grammatical errors OR fewer than 4 references OR not written in own words OR not properly cited using APA.
• Unsatisfactory: Multiple spelling or grammatical errors AND fewer than 4 references OR not written in own words OR not properly cited using APA.