IT Risk Management
Table of Contents
Executive Summary
Introduction
Overview of the Organization
Project Background
Risk Assessment for the Project
Set of Risks, Threats & Vulnerabilities
Device-related Risks
Network Attacks & Vulnerabilities
Software Risks & Database Attacks
Encryption Attacks
Legal Issues
Ethical Risks
Risk Assessment Matrix
Primary Threat Agents
Impact on the Organization
Countermeasures
Literature Review: Protection Mechanisms against Risks
Conclusion
References
Gigantic Corporation: Internet of Things (IoT) – Risk Assessment
2
Executive Summary
Gigantic Corporation is a company that designs web solutions and services for its customers. The company primarily serves SMEs. Its primary aim is to expand its business activities and customer base. It is currently designing an application based on the concept of the Internet of Things (IoT). The application is being designed for a health centre and will allow remote health management of patients. The IoT application being designed by Gigantic Corporation will include IoT components such as a heart rate monitoring machine, glucometer, blood pressure monitor, thermometer, data analytics tools, smartphones, a web server, a database server, and computer systems.
The application may be exposed to numerous risks, threats and vulnerabilities. These may be grouped into the categories device-related risks, network attacks and vulnerabilities, software risks, database risks, encryption attacks, legal issues, and ethical issues. The threat agents associated with these attacks may be IoT devices, networks, employees, and end-users. The report describes all of these risks and threat agents, the impact of these risks on the organization, and a literature review of the protection mechanisms.
Introduction
Overview of the Organization
Gigantic Corporation is a company that designs web solutions and services for its customers. The company primarily serves SMEs. It has its headquarters in Sydney, Australia, and two other offices in Melbourne and Brisbane. It was founded in 2014 with 18 employees and has grown to 115 employees in just 3 years. The primary aim of the organization is to expand its business activities and customer base.
Project Background
The organization has decided to move up the ladder by including the latest technologies in its offerings. It is currently designing an application based on the concept of the Internet of Things (IoT). The application is being designed for a health centre and will allow remote health management of patients. The target audience for the project will be the medical association and the patients. No changes can be made to the allocated cost and schedule of the project.
The Internet of Things (IoT) is defined as an integrated network of devices, sensors, servers, databases, information sets, software, computer networks, home appliances, and electronic equipment. The IoT application being designed by Gigantic Corporation will include IoT components such as a heart rate monitoring machine, glucometer, blood pressure monitor, thermometer, data analytics tools, smartphones, a web server, a database server, and computer systems.
The project may involve numerous risks, and this document is an assessment report on them.
Risk Assessment for the Project
IoT platforms and applications are composed of a varied number and variety of devices, tools, and technologies. The same will be true of the healthcare application being designed by Gigantic Corporation. As a result, certain risks, threats, and vulnerabilities may be observed. Risk management is one of the knowledge areas of Project Management; it enables the Project Manager and the team to manage the risks involved efficiently. The process is composed of the sub-activities risk identification and assessment, risk treatment, risk monitoring and control, and risk reporting.
[Figure: Risk Management Process]
Set of Risks, Threats & Vulnerabilities
Device-related Risks
The IoT application being developed by Gigantic Corporation will be composed of several physical tools and devices. These will comprise a smartphone or other mobile device, computer systems, a glucometer, thermometer, heart rate recording machine, blood pressure machine, networking peripherals, etc. Each of these devices will have its own properties, and specific information will be stored in these physical tools and equipment (Abdur, Habib, Ali & Ullah, 2017).
Attackers may target these devices to gain access to the information sets they hold. Devices may be lost accidentally or deliberately snatched and stolen. If these devices fall into the hands of attackers, they may be misused to gain access to the application and the information stored in it. The application will contain various nodes, and access to the application may also be acquired through these nodes.
Network Attacks & Vulnerabilities
The IoT application will be able to perform its functions only if it is connected to a network. Connectivity will be necessary for most of the application's functionality, which may lead the user to connect to an unsecured network. For example, a patient may wish to access his/her medical report in the application while shopping in the market. The patient may connect the smartphone to the market's public Wi-Fi to access the records. Public networks have a huge number of security vulnerabilities, which will then be linked with the application as well.
Another form of security attack that may occur in this case is the eavesdropping attack. The attacker may monitor the network activity without permission. Such unauthorized capturing and monitoring can also be done through a man-in-the-middle attack.
[Figure: Man in the Middle Attack]
Malicious entities may also create a sinkhole to degrade the application's availability (Mosenia & Jha, 2017).
Attackers may also introduce a large volume of unwanted traffic from one or multiple sources. This will result in the breakdown of the application; such attacks are termed denial of service or distributed denial of service attacks (Ling et al., 2017).
Software Risks & Database Attacks
Technology is not used in the right direction by all entities, and the incorrect use of technology may compromise the security and privacy of the targeted applications and information sets.
The attack surface of this application will be large, as every device will have its own security norms, properties, and limitations. Attackers may exploit such a situation by launching malware attacks or SQL injection attacks.
[Figure: SQL Injection Attack]
The database server involved in the application may be a physical server, or cloud databases may be used instead. The second choice will prove beneficial in making the application cost-effective. However, it will bring along cloud-related security attacks and risks that may compromise the confidentiality, integrity, and availability of the information and data sets (Abomhara & Koien, 2015).
Breaches of the information sets, identity theft, and manipulation of the information may also be witnessed.
Encryption Attacks
One of the newer forms of security attack in the IoT world is encryption threats and attacks. Attackers may use side-channel attack mechanisms to defeat the encryption algorithm implemented in the application. The transactions and processing of the application and the devices involved may be observed to infer the security keys used for encryption (Bekara, 2014). Cryptanalysis attacks may be carried out by malevolent entities, and most of these attacks are adaptive. Preventing and controlling such attacks may not be easy.
Legal Issues
The application will not be exposed to security and privacy issues only. Legal and regulatory issues and risks may also be observed. The application is being designed for the health centre, and it may be used in or outside of Australia. The application developers will be required to incorporate and adhere to global laws and regulatory policies along with Australian laws and norms.
Violation of these regulations or exposure of private and confidential health information may result in legal obligations for the organization. The issues of ownership and authority for the attack may also be a major concern. Risk transfer is a primary strategy that organizations look to adopt in such cases, which may lead to severe losses for the users.
Ethical Risks
Ethics play an extremely important role in the field of ICT, as in other sectors. Ethical principles and guidelines are defined by several bodies, and at least one such code shall be followed in the organization. However, ethical violations are often carried out by the employees of an organization.
In this case, the project team members will have access to the health details of the patients. The credentials to the database will also be available to them. This information may be given to unauthorized entities, such as the organization's competitors, to damage the organizational reputation and for selfish gain. These ethical violations are also termed insider threats, which have become a common occurrence in organizations.
Risk Assessment Matrix
Likelihood and Impact are scored from 5 (highest) to 1 (lowest); Rank = Likelihood x Impact.

Risk Name                         | Likelihood | Impact | Rank | Treatment Strategy
Device Loss/Stealing              | 2          | 5      | 10   | Risk Avoidance/Transfer
Legal Risk                        | 1          | 5      | 5    | Risk Avoidance
Ethical Risks – Insider Threats   | 3          | 4      | 12   | Risk Avoidance
Network-related Attacks           | 4          | 4      | 16   | Risk Avoidance/Mitigation
Software Attacks – Malware Issues | 4          | 3      | 12   | Risk Avoidance/Mitigation
Database Risks                    | 3          | 3      | 9    | Risk Avoidance/Mitigation
Encryption Risks                  | 2          | 4      | 8    | Risk Avoidance/Mitigation
Primary Threat Agents
A medium is always required to give shape to security and other forms of attack. The majority of issues in the case of the IoT application for this project are security and privacy concerns. These attacks will require a threat agent, which can be one or more of those listed below.
IoT Devices: The primary threat agent will be the physical tools and equipment used in the IoT application. These may be any computing resource or health monitoring tool. The devices may be captured by attackers through unauthorized means, and the information present in these devices may be exposed to the attackers (Maple, 2017).
Network: The IoT application will be able to perform its functions only if it is connected to a network. Connectivity will be necessary for most of the application's functionality, which may lead the user to connect to an unsecured network, resulting in additional security loopholes.
Employees: Ethical issues and insider threats will mainly be given shape by employees as the threat agents. Such issues will usually be deliberate; however, accidental steps may also increase the probability of an attack.
End-Users: Scenarios created by the end-users can at times lead to a security loophole that gives an attacker the ability to carry out a security attack. For example, users may choose common or weak passwords to log in to the application, or may connect the application to an unsecured network. In such cases, the attack surface and attack window expand, giving attackers the ability to carry out security threats.
Impact on the Organization
The impacts of the risks and issues listed above may vary on the basis of factors such as the information sets targeted, the application functionality affected by the attack, the motive of the attack, the nature of the attack, and the like.
The application will comprise a varied set of information, such as private data sets, public data sets, confidential information, sensitive data, non-sensitive data, etc. The impact of a security risk or privacy issue will be more severe if the data sets targeted in the attack are private, confidential, or sensitive in nature. On the other hand, the impact will be less severe if public or non-sensitive data sets are affected. There are further regulations and policies that guard health information. One such regulation is the Health Information Portability and Accountability Act 1996 (HIPAA). Under this act, a violation of the properties of health information may result in legal obligations (Kumar & Patel, 2014).
The impact of such issues and risks can be negative for the health centre, because its reputation in the market may suffer due to the compromise of the privacy and security of patient details. Patients may also opt out of the services offered by the health centre and move to other service providers in the market. The revenues, profits, market value, and customer base of the health centre may fall as a result.
Countermeasures
Countermeasures to the risks and issues discussed in the sections above will need to be implemented. These countermeasures shall include a combination of logical controls and administrative upgrades for the management of risks and the maintenance of security.
Administrative changes, such as audits and reviews by the security team, shall be a regular exercise. Additionally, the latest security tools for attack detection, prevention, and control shall be used. Managerial practices shall also be integrated with security practices (Riazul Islam, Kwak, Humaun Kabir, Hossain & Kwak, 2015).
The use of network security tools, and awareness among users regarding security practices, ethical standards, and guidelines, must be promoted as well.
Literature Review: Protection Mechanisms against Risks
The organization must also make use of protection measures so that the occurrence of these issues may be avoided. Also, in case of an occurrence, the organization shall be ready to control the damage and recover from the disaster in minimal response time.
Frequency hopping is one protection measure that shall be used to protect the application from network-related attacks. The attacker will not be able to jam the network if the frequency is altered at regular intervals. Spoofing attacks shall be prevented with the use of techniques such as a message authentication code and a timestamp (Goeke, 2017). Encryption of all data sets shall be made mandatory so that an attacker fails to misuse the information sets.
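As an added illustration of the message authentication code and timestamp technique described above (example code written for this report's scenario, not taken from Goeke or any other cited source, nor from Gigantic Corporation): a glucometer tags each reading with an HMAC over the device id, timestamp and payload, and the server rejects readings with a bad tag, a stale timestamp, or one it has already accepted. The device identifier, the shared secret and the 30-second freshness window are assumed values.

```python
import hashlib
import hmac
import json

# Constructed example: per-device secret shared between the glucometer and
# the health centre's server. The value is a placeholder, not a real key.
DEVICE_KEYS = {"glucometer-01": b"constructed-shared-secret-glucometer-01"}

FRESHNESS_WINDOW_S = 30   # assumed: readings older than this are rejected


def canonical_bytes(device_id: str, timestamp: int, payload: dict) -> bytes:
    """Serialise the fields the MAC covers in a fixed, unambiguous form so
    that device and server always authenticate exactly the same bytes."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return f"{device_id}|{timestamp}|{body}".encode()


def sign_reading(device_id: str, payload: dict, now: int) -> dict:
    """Device side: attach a timestamp and an HMAC-SHA256 tag to a reading.
    `now` is the device clock in Unix seconds, passed in so runs are deterministic."""
    key = DEVICE_KEYS[device_id]
    tag = hmac.new(key, canonical_bytes(device_id, now, payload), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "timestamp": now, "payload": payload, "mac": tag}


class ReadingVerifier:
    """Server side: accept a reading only if its tag verifies, its timestamp is
    fresh, and the same (device, timestamp, tag) triple has not been seen before."""

    def __init__(self, window_s: int = FRESHNESS_WINDOW_S):
        self.window_s = window_s
        self.seen = set()   # in production this would be a persistent store

    def verify(self, msg: dict, now: int) -> tuple:
        key = DEVICE_KEYS.get(msg.get("device_id"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(
            key, canonical_bytes(msg["device_id"], msg["timestamp"], msg["payload"]),
            hashlib.sha256).hexdigest()
        # compare_digest runs in constant time, so the comparison itself leaks
        # nothing about how many characters of the tag matched.
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"
        # A valid tag on an old message is a replay, not a fresh reading.
        if abs(now - msg["timestamp"]) > self.window_s:
            return False, "stale timestamp"
        replay_key = (msg["device_id"], msg["timestamp"], msg["mac"])
        if replay_key in self.seen:
            return False, "replay"
        self.seen.add(replay_key)
        return True, "ok"
```

The tag is checked before the timestamp so that an unauthenticated message cannot learn anything from the server's freshness logic, and the seen-set bounds how long entries must be kept to the freshness window.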
The authentication schemes used in the application shall also be enhanced to avoid data breaches and data loss. SSH authentication and multi-factor authentication schemes must be used to avoid brute-force attacks and violations of access control (Kleppmann & Irwin, 2018).
[Figure: SSH Authentication]
The IoT application must not be restricted to age-old access control measures. Newer forms of access control tools shall be used and integrated in the application (Bhabad & Bagade, 2015). Technology is rapidly advancing, and the application of technology in the field of security controls has been impressive. The rise of cyberattacks and other web-based attacks has led to the emergence and development of technical tools and controls for security. Malware attacks on the IoT application shall be controlled and detected by integrating the application with the latest anti-malware tools. Denial of service and distributed denial of service attacks shall be detected and prevented with anti-denial tools.
The focus of the organization shall not be restricted to the prevention and detection of attacks; the occurrence of such issues shall be avoided, and efforts must be made in that direction as well. One such measure shall be service auditing. This is the process that lists all the services running on the application server. All the details associated with network ports and nodes and the application protocols will be brought forward by this process. A real-time presentation and analysis of the application services will be made available. Another process that shall be used in the same direction shall be file auditing (Ellingwood, 2015).
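To make the service auditing step concrete, here is an added example (written for this report, not taken from Ellingwood or any other source) that parses constructed `ss -tulpn` output and compares it with an allow-list of the services expected on the application server. The sample output, the allow-list and the rule that the database must listen on loopback only are assumptions made for the example.

```python
import re

# Constructed sample of `ss -tulpn` output from the application server
# (not captured from any real system).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0      128          0.0.0.0:5432      0.0.0.0:*     users:(("postgres",pid=990,fd=6))
tcp   LISTEN 0      128          0.0.0.0:6379      0.0.0.0:*     users:(("redis-server",pid=1410,fd=4))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=640,fd=6))
"""

# Assumed allow-list for this server: which protocol/port pairs are expected,
# which process should own each, and whether it may bind to all interfaces.
EXPECTED = {
    ("tcp", 22):   {"process": "sshd",     "public": True},
    ("tcp", 443):  {"process": "nginx",    "public": True},
    ("tcp", 5432): {"process": "postgres", "public": False},   # DB: loopback only
    ("udp", 68):   {"process": "dhclient", "public": True},
}

LOCAL_ADDRS = {"127.0.0.1", "::1", "[::1]"}

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_ss(output: str) -> list:
    """Turn `ss -tulpn` text into a list of listener records."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:   # the header line and anything unparseable are skipped
            listeners.append({"proto": m["proto"], "addr": m["addr"],
                              "port": int(m["port"]), "process": m["proc"]})
    return listeners


def audit(listeners: list, expected: dict) -> list:
    """Compare observed listeners with the allow-list and return findings."""
    findings, seen = [], set()
    for l in listeners:
        key = (l["proto"], l["port"])
        seen.add(key)
        rule = expected.get(key)
        if rule is None:
            findings.append(f"unexpected listener {l['proto']}/{l['port']} owned by {l['process']}")
        elif l["process"] != rule["process"]:
            findings.append(f"{l['proto']}/{l['port']} owned by {l['process']}, expected {rule['process']}")
        elif not rule["public"] and l["addr"] not in LOCAL_ADDRS:
            findings.append(f"{l['proto']}/{l['port']} ({l['process']}) bound to {l['addr']} but should be local-only")
    # A service that should be running but is not is also worth a finding.
    for key, rule in expected.items():
        if key not in seen:
            findings.append(f"expected service missing: {key[0]}/{key[1]} ({rule['process']})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ss(SS_OUTPUT), EXPECTED):
        print(finding)
```

On the constructed sample this reports two findings: a Redis listener nobody approved, and the database accepting connections on all interfaces rather than loopback only.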
Disaster recovery and damage control are also mechanisms that will lead to the protection of the information and data sets. A disaster recovery plan must be developed for the project so that all forms of disaster may be handled and tackled. There are automated backup and recovery tools and schemes that must be integrated in the IoT application. These tools will keep a copy of the data sets at an alternate location, and the application will be brought back to the recovery state in the case of a disaster.
Attention must also be paid to basic protection measures, such as firewalls and proxy servers.
Conclusion
Gigantic Corporation has undertaken a project to develop an IoT-based application for a health centre. The aim of the project is to design and develop a secure application that allows users to monitor their health conditions. The patients and the medical association will be the primary users of this application. Several risks may be associated with this project, the majority of them in the form of security and privacy issues. There may be attacks associated with the IoT devices, networks, software, encryption, and database. Legal and ethical issues may also be observed.
It is recommended that the latest countermeasures and protection mechanisms be utilized and integrated in the application to prevent, detect, and control the risks and threats. The application shall be integrated with backup and recovery tools, anti-malware and anti-denial tools. Security techniques such as encryption, frequency hopping, multi-factor authentication, message authentication codes, and timestamps shall also be used. Basic measures in the form of firewall installation and the use of proxy servers shall also be included.
References
Abdur, M., Habib, S., Ali, M., & Ullah, S. (2017). Security Issues in the Internet of Things (IoT): A Comprehensive Study. International Journal of Advanced Computer Science and Applications, 8(6). http://dx.doi.org/10.14569/ijacsa.2017.080650
Abomhara, M., & Koien, G. (2015). Cyber Security and the Internet of Things: Vulnerabilities, Threats, Intruders and Attacks. Journal of Cyber Security and Mobility, 4(1), 65-88. http://dx.doi.org/10.13052/jcsm2245-1439.414
Bekara, C. (2014). Security Issues and Challenges for the IoT-based Smart Grid. Procedia Computer Science, 34, 532-537. http://dx.doi.org/10.1016/j.procs.2014.07.064
Bhabad, M., & Bagade, S. (2015). Internet of Things: Architecture, Security Issues and Countermeasures. Pdfs.semanticscholar.org. Retrieved 24 January 2018, from https://pdfs.semanticscholar.org/94bb/0b62588808fd2614c572162fa170cce06856.pdf
Ellingwood, J. (2015). 7 Security Measures to Protect Your Servers. Digitalocean.com. Retrieved 24 January 2018, from https://www.digitalocean.com/community/tutorials/7-security-measures-to-protect-your-servers
Goeke, L. (2017). Security Challenges of the Internet of Things. Theseus.fi. Retrieved 20 January 2018, from https://www.theseus.fi/bitstream/handle/10024/128420/Goeke_Lisa.pdf?sequence=1
Kleppmann, M., & Irwin, C. (2018). Strengthening Public Key Authentication against Key Theft. Martin.kleppmann.com. Retrieved 24 January 2018, from https://martin.kleppmann.com/papers/mrsa-pass15.pdf
Kumar, J., & Patel, D. (2014). A Survey on Internet of Things: Security and Privacy Issues. International Journal of Computer Applications, 90(11), 20-26. http://dx.doi.org/10.5120/15764-4454
Ling, Z., Luo, J., Xu, Y., Gao, C., Wu, K., & Fu, X. (2017). Security Vulnerabilities of Internet of Things: A Case Study of the Smart Plug System. IEEE Internet of Things Journal, 4(6), 1899-1909. http://dx.doi.org/10.1109/jiot.2017.2707465
Maple, C. (2017). Security and privacy in the internet of things. Journal of Cyber Policy, 2(2), 155-184. http://dx.doi.org/10.1080/23738871.2017.1366536
Mosenia, A., & Jha, N. (2017). A Comprehensive Study of Security of Internet-of-Things. IEEE Transactions on Emerging Topics in Computing, 5(4), 586-602. http://dx.doi.org/10.1109/tetc.2016.2606384
Riazul Islam, S., Kwak, D., Humaun Kabir, M., Hossain, M., & Kwak, K. (2015). The Internet of Things for Health Care: A Comprehensive Survey. IEEE Access, 3, 678-708. http://dx.doi.org/10.1109/access.2015.2437951