Project 2 – Risk Analysis

Description

For this project, you will continue your research from Project #1 by reviewing and then analyzing your chosen company’s risk statements as published each year in the company’s Annual Report to Investors (also published in the company’s annual filing of SEC Form 10-K). After analyzing the company’s IT operations and its risk statements about those activities, you will construct and document your own IT focused risk analysis including both its primary operations and all supporting business processes. Your risk analysis will also address information risks and technology risks which you identify in your research about the company.

Note: before beginning this assignment, you should review NIST SP 800-30 R1: Guide for Conducting Risk Assessments. Pay special attention to Appendix D: “Threat Sources: Taxonomy of Threat Sources Capable of Initiating Threat Events” and Appendix H: “Impact: Effects of Threat Events on Organizations, Individuals, and the Nation.”

Conduct Additional Research for Your Chosen Company

1. Extend the research that you did for Project #1 by reviewing the company’s website to learn more about the company’s business areas and operations.

2. Retrieve the Hoovers profile for the company. You should use the same company and profile that you used for Project #1. The base URL for Hoover’s is http://ezproxy.umgc.edu/login?url=http://www.mergentonline.com/Hoovers

***COMPANY'S 10Q AND 10K FINANCIAL STATEMENTS WHICH IS PUBLIC INFORMATION AND CAN GOOGLE PLEASE, DO NOT HAVE TO USE HOOVER

3. Review the SWOT and Technologies in Use sections of the Hoover’s profile.

4. Retrieve the Form 10K for the company using the URL provided in Project #1.

5. Identify 3 or more additional sources of information about the company and how it uses Information Technologies to conduct its business operations. These sources can be news articles, data breach reports, etc.

6. Using the information obtained from your sources, identify the types of information and business operations which drive this company’s need for cybersecurity products and services. (What information or information infrastructures need to be protected?)

Analyze the Information and Information Technology Risks for Your Company

1. Retrieve the Form 10K for the company you reviewed for Project #1.

2. Read and analyze the Risk Factors section in the company’s most recent Form 10-K (pay close attention to Item 1.A). This Form 10-K contains a professionally written risk analysis that has been written for a specific audience (investors and shareholders). Pay close attention to what the company includes as risk factors and how the writers chose to present this information.

3. Analyze the risk factors, as stated by the company, to determine which ones are related to information and information technology used in its business operations or which are otherwise affected by the use of information in digital form and Information Technology systems and infrastructures (e.g. financial risks associated with digital currency transactions).

4. Review the SWOT Analysis from the Hoovers report. Identify information or IT related risk factors presented in this analysis. SENT THIS AS A FILE AS WELL ***

5. Review the Technologies in Use section of the Hoovers report. Choose 5 or more specific technologies in use by the company which contribute to the company’s risk factors. You may need to research specific vulnerabilities or recent attacks against these technologies. Use the product name followed by “vulnerabilities” in an Internet search engine to retrieve vulnerabilities reports.

6. Complete your research by reviewing news stories and cybersecurity analyst reports of how this company or the technologies it uses can be attacked or compromised in ways that adversely impact its IT security posture. (Use recent news stories and blogs from IT security analysts at companies such as Sophos, SC Magazine, Norton, Mandiant, etc.).

Develop and Document Your Risk Profile

1. Begin by copying Table 1 from this assignment file into a new file (for your assignment submission). This table will become your Risk Profile Table. (Delete the example text.)

2. Transfer your identified risk factors and technology vulnerabilities into the Risk Profile table (one item or risk factor per row).

a. Enter a unique Risk ID for each row.

b. Enter a brief but unique title for each risk factor or technology vulnerability.

c. Enter a description that briefly explains what the risk or vulnerability is. Identify the information, digital assets, and/or business operations (processes) affected by this risk, e.g. people, processes, or technologies that need to be protected from threats and attacks (including insiders and external threats).

d. In the category column, categorize the type of risk or threat that could affect the item. You can use the basic “People, Processes, Technologies” framework or create a set of categories of your own choosing.

e. In the impact column, rate the potential for loss or harm should this risk materialize (an attack occurs). You can use “low, medium or high” but remember that rating everything at the same level is not helpful when executives with limited budgets need to allocate funding for risk remediation (which you will address in Project #3).

3. When you are finished, you should have identified and documented 15 or more risks related to the company’s business operations, use of the Internet, the company’s IT systems and infrastructures (including “technologies in use”), and the types and collections of information used by the company.

Write

1. An introduction section which identifies the company being discussed and provides a brief introduction to the company (you may reuse some of your narrative from Project #1). Your introduction should include a brief overview of the company’s business operations.

2. A separate analysis section in which you describe this company’s needs or requirements for IT security. What are the likely sources of threats or attacks for each type of information or business operation? What information and/or business operations need to be protected? Make sure to identify and discuss the sources of information used in your analysis.

3. A separate analysis section in which you present your risk profile in table format. Provide an introductory paragraph that explains the risk profile, e.g. what information is contained in the table and what sources were used to obtain this information. In your introductory paragraph, identify the sources used to provide the information presented in the table. This attribution will take the place of in-text citations in the description column and makes the table easier to read.

4. A separate closing section which provides a summary of the risk analysis, the identified risks, and potential impacts of risks upon the company’s operations as a whole.

Additional Information

1. Your 8 to 10 page Risk Analysis should be professional in appearance with consistent use of fonts, font sizes, colors, margins, etc. You should use headings and sub-headings to organize your paper. Use headings which correspond to the content rows in the rubric – this will make it easier for your instructor to find required content elements and will help you ensure that you have covered all required sections and content in your paper.

2. The stated page length is a recommendation based upon the content requirements of the assignment. All pages submitted will be graded but, for the highest grades, your work must be clear, concise, and accurate. Exceeding the recommended length will not necessarily result in a higher grade. Shorter submissions may not fully meet the content requirements resulting in a lower grade.

3. The INFA program requires that graduate students follow standard APA style guidance for both formatting and citing/reference sources. Your file submission must be in MS Word format (.docx). PDF, ODF, and other types of files are not acceptable.

4. You must include a cover page with the course, the assignment title, your name, your instructor’s name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s minimum page count.

5. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.

6. You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow APA Style guidance. Use of required readings from the course as sources is expected and encouraged. Where used, you must cite and provide references for these readings.

7. When using Security and Privacy controls from NIST SP 800-53, you must use the exact numbering and names (titles) when referring to those controls. This information does not need to be treated as quotations. You may paraphrase or quote from the descriptions of the controls provided that you appropriately mark copied text (if any) and attach a citation for both quoted and paraphrased information.

8. Consult the grading rubric for specific content and formatting requirements for this assignment.

9. All work submitted to the Assignment Folder will be scanned by the Turn It In service. We use this service to help identify areas for improvement in student writing.

Table 1. Risk Profile for [company]

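Risk ID | Risk Title | Description | Risk Category | Impact Level
001 | | | |
002 | | | |
003 | | | |
004 | | | |
005 | | | |
006 | | | |
007 | | | |
008 | | | |
009 | | | |
010 | | | |
011 | | | |
012 | | | |
013 | | | |
014 | | | |
015 | | | |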
