CMM542 Human Factors in Cybersecurity
- Subject Code: CMM542
- University: Robert Gordon University Aberdeen. Exam Question Bank is not sponsored or endorsed by this college or university.
- Country: United Kingdom
Assessment Brief
- Academic Year: 2022 / 2023
- Semester: One
- Module Number: CMM542
- Module Title: Human Factors in Cybersecurity
- Assessment Method: 100% Coursework
- Deadline (time and date): Thursday 8th December 2022 (TBC). The submission deadline is 4pm; whilst a 30-minute grace period has been added for technical issues, you should aim to submit by 4pm.
- Submission: Assessment Dropbox in the Module Study Area in CampusMoodle.
- Word Limit: 3000 words
- Module Co-ordinator: Christopher McDermott
- Feedback: Even though the Turnitin score isn't very high, most of the report has been copied from external sources. Please see some feedback below: Room for Improvement: The purpose of activity 1 was to show that you have understood how to create personas to represent potential stakeholders of the NEOAPP. You need to discover relevant sources, and through factoid extraction you need to build a persona. You must clearly list all these sources, and ALL the factoids to prove that you have carried out the data analysis yourself. Trust expectations should link the specific characteristics of each persona into the NEOAPP and giving a brief description of whether this would lead to a positive or negative outcome. It would help if you made your own DFD which is relevant to NEOAPP, instead of copying a diagram from online. A list of risks with a focus on the threats and vulnerabilities involved would have helped, along with which DFD assets could be affected. A human error section, including a description of the types of errors covered in the course, and specific examples of those types of errors would aid the report. I like the attempt to focus on issues regarding GDPR within the Privacy and Security Recommendations, however you need to write them in your own words. General Recommendations: You cannot copy large amounts of text from a reference and then change a few words. That is not your own work. You must also reference every external source that you use to make your report.
How will I be graded?
A grade will be provided for each criterion on the feedback grid which is specific to the assessment. The overall grade for the assessment will be calculated using the algorithm below. At the end of the module, you will have received separate subgrades which will be combined as follows.
- A: At least 50% of the subgrades to be at Grade A, at least 75% of the subgrades to be at Grade B or better, and normally 100% of the subgrades to be at Grade C or better.
- B: At least 50% of the subgrades to be at Grade B or better, at least 75% of the subgrades to be at Grade C or better, and normally 100% of the subgrades to be at Grade D or better.
- C: At least 50% of the subgrades to be at Grade C or better, at least 75% of the subgrades to be at Grade D or better.
- D: At least 50% of the subgrades to be at Grade D or better, at least 75% of the subgrades to be at Grade E or better.
- E: At least 50% of the subgrades to be at Grade E or better.
- F: Failing to achieve at least 50% of subgrades at Grade E or better.
- NS: Non-submission.
Grading grid
GRADE: DEFINITION
- A: EXCELLENT (Outstanding Performance)
- B: COMMENDABLE/VERY GOOD (Meritorious Performance)
- C: GOOD (Highly Competent Performance)
- D: SATISFACTORY (Competent Performance)
- E: BORDERLINE FAIL
- F: UNSATISFACTORY (Fail)
CRITERIA (WEIGHTING)
Data Sources & Analysis (2 grade)
- A: A wide range of appropriate online data sources has been selected and justified. Many factoids have been effectively elicited from the data sources and analysed to identify many affinity groups corresponding with a range of relevant persona behaviour. Assurance of the contribution made by the data analysis to each affinity group is evident.
- B: A range of appropriate online data sources has been selected and justified. Many factoids have been effectively elicited from the data sources and analysed to identify many affinity groups corresponding with a range of relevant persona behaviour.
- C: Several online data sources have been selected. Many factoids have been elicited and analysed, but there are minor flaws evident in the data elicited and its analysis.
- D: Several online data sources have been selected, but their relevance is not always clear. An adequate number of factoids have been elicited and analysed, but there are minor flaws evident in the data elicited and its analysis.
- E: A small number of online data sources have been selected, but not justified. A small number of factoids have been elicited and analysed, but there are significant flaws evident in the data elicited and its analysis.
- F: No online data sources have been selected. No data analysis underpinning the persona/s is evident.
Persona Trust Expectations & Value Scenario (2 grade)
- A: The specification of one or more personas is thorough, with a narrative that clearly follows from the data analysis. The security and/or trust expectations provide a good summary of the key needs of the stakeholder represented by the persona/s. The value scenario is well written and provides a provocative and insightful sketch that accounts for stakeholders, pervasiveness, time, systematic effects, and value implications.
- B: The specification of one or more personas is thorough and well-presented, with a narrative that is generally aligned with the data analysis. The security and/or trust expectations summarise the key needs of the stakeholder represented by the persona/s. The value scenario is well written and provides useful insights that account for stakeholders, pervasiveness, time, systematic effects, and value implications.
- C: The specification of one or more personas is good and well-presented, but the narrative does not always follow from the data analysis. The security and/or trust expectations provide a helpful summary of the stakeholder needs, but these are not always grounded in the analysis carried out. The value scenario is well written and, barring some minor flaws, provides useful insights that account for one or more of stakeholders, pervasiveness, time, systematic effects, and value implications.
- D: The specification of one or more personas is adequate with some weaknesses in presentation. The value scenario is adequate. Some insights into one or more of stakeholders, pervasiveness, time, systematic effects, and value implications. However, the reasoning behind these insights is flawed in several cases.
- E: The specification of one or more personas is limited and doesn't follow from the data analysis carried out. No security and/or trust expectations are provided. The value scenario is briefly described, with only limited consideration of one or more of stakeholders, pervasiveness, time, systematic effects, and value implications. There is evidence of significant flaws in both the scenario and its insights.
- F: No persona specification is included. Value scenario is absent or briefly outlined without any insight into its implications.
Threat Modelling (2 grade)
- A: Professionally specified hardware, software, and information assets: entities, processes, dataflows, and trust boundaries. Excellent presentation and rating of risks. Constituent threats and vulnerabilities identified, and impact and validity of risk well argued.
- B: Near professional specification of hardware, software, and information assets: entities, processes, dataflows, and trust boundaries. Very good presentation and rating of risks. Constituent threats and vulnerabilities identified, and impact and validity of risk generally well argued.
- C: Good specification of hardware, software, and information assets: entities, processes, dataflows, and trust boundaries with minor flaws. Good presentation and rating of risks. Constituent threats and vulnerabilities identified, and impact and validity of risk generally well argued but with minor flaws.
- D: Adequate specification of hardware, software, and information assets: entities, processes, dataflows, and trust boundaries, but marred with ambiguity or major flaws. Adequate presentation and rating of risks. Constituent threats and vulnerabilities identified, and impact and validity of risk generally well argued but with major flaws.
- E: Limited specification of hardware, software, and information assets: entities, processes, dataflows, and trust boundaries specified. Evidence of significant ambiguity. Limited presentation and rating of risks or constituent threats and vulnerabilities.
- F: Specification of hardware, software and information assets is either absent or deeply flawed. Presentation and rating of risks are either absent or deeply flawed.
Usable Security (2 grade)
- A: All identified human errors or violations are well argued and presented. Appropriate methodology chosen for assessing usable security. Professional presentation of methods and metrics with well-argued antidotes to errors and violations.
- B: Most identified human errors or violations are well argued and presented. Appropriate methodology chosen for assessing usable security. Near professional presentation of methods and metrics with generally well-argued antidotes to errors and violations.
- C: Good presentation of human errors or violations, but with a little ambiguity or minor flaws in reasoning. Methodology for assessing usable security is appropriate and well presented. Antidotes to errors and violations are appropriate with minor flaws.
- D: Presentation of human errors or violations is adequate, but with ambiguity or major flaws in reasoning. Adequate presentation of methods of assessing usable security. Suggested antidotes are adequate, but marred by ambiguity and/or faulty reasoning.
- E: Limited presentation and discussion of human errors or violations. Evidence of significant ambiguity and/or faulty reasoning for methodology chosen. Limited presentation of antidotes to human error or violations.
- F: Presentation of human errors or violations is either absent or deeply flawed. Usable security not adequately assessed.
Security & Privacy Recommendations (1 grade)
- A: The security and/or privacy recommendations are insightful, well-argued and well presented.
- B: The security and/or privacy recommendations are generally well written and argued.
- C: The security and/or privacy recommendations read well, but with some minor flaws in their reasoning.
- D: The security and/or privacy recommendations proposed are adequate, but marred by ambiguity and/or faulty reasoning.
- E: Limited security and/or privacy recommendations are proposed. There is evidence of significant ambiguity and/or faulty reasoning.
- F: Security and/or privacy recommendations are either absent or deeply flawed.
Professional presentation and structure (1 grade)
- A: Professional presentation and structure.
- B: Near professional presentation and structure with very minor flaws.
- C: Clear presentation and structure with a few major flaws.
- D: Adequate presentation and structure, but has major flaws.
- E: Limited or significantly flawed presentation and structure.
- F: Little or no structure and supporting arguments.
Coursework received late, without valid reason, will be regarded as a non-submission (NS) and one of your assessment opportunities will be lost.