Table A.
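| Category | ASSET | C,H,M,L | Asset Value (1-10) |
|---|---|---|---|
| people | Kim Schatzel | H | 8 |
| people | Students | C | 10 |
| information | Data and Student Records (Loans, Grades, etc) | C | 10 |
| software | Blackboard | M | 5 |
| software | Peoplesoft | H | 7 |
| hardware | University Computers | C | 10 |
| hardware | Lab equipment | H | 7 |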
Part 2 – Threat Identification, fill out table B
1. List and identify 5 threats, examples:
● Act of human error or failure
● Compromise of intellectual property
● Deliberate acts of espionage
● Deliberate acts of information extortion
● Sabotage, vandalism, theft
● Software attacks
● Forces of nature
● Technical hardware failures
● Software failures
● Technological obsolescence
2. Rating - for each threat, list whether it is critical, high, medium, or low. The threat rating is a
subjective judgment based on existence, capability, history, intention, and targeting.
3. Threat valuation – Determine the numeric rating of each threat. Use personal judgment. Keep
the mission of the entity in mind.
| Threat | Rating |
|---|---|
| Critical - Known aggressors or hazards, highly capable of causing loss or damage, exist. One or more vulnerabilities are present. The threat source is known to have intent and means. | 10 |
| High - Known aggressors or hazards, capable of causing loss or damage to the school, exist. One or more vulnerabilities are present and the aggressors are known or reasonably suspected of having intent and means. | 7-9 |
| Medium - Known aggressors or hazards that may be capable of causing loss or damage exist. One or more vulnerabilities may be present; however, the aggressors are not believed to have intent. | 5-6 |
| Low - Few or no aggressors or hazards exist. Their capability of causing damage is doubtful. | 1-3 |
Table B.
| # | THREAT | C,H,M,L | Threat Rating (1-10) |
|---|---|---|---|
| 1 | Someone steals a faculty onecard and gains access to all buildings and rooms | H | 9 |
| 2 | Someone hacks into PeopleSoft and gains the ability to change or delete students’ grades | H | 8 |
| 3 | A rival school commits a DoS attack on Blackboard, making teachers unable to host online lectures | M | 6 |
| 4 | A hacker gains access to the financial aid office computer and erases student loan data | C | 10 |
| 5 | A powerful storm destroys one or more of the academic buildings on campus | C | 10 |
Part 3 – Vulnerability Identification, fill out table C
1. List and identify vulnerabilities, examples:
● Human
● Operational – insufficient security procedures
● Informational vulnerabilities
● Facility – weak physical location and geographical
● Equipment
2. Rating - for each vulnerability, list whether it is critical, high, medium, or low. The
vulnerability rating is a subjective judgment based on existence, capability, history,
intention, and targeting.
3. Vulnerability valuation – Determine the numeric rating of each vulnerability. Use
personal judgment. Keep the mission of the entity in mind.
| Vulnerability | Rating |
|---|---|
| Critical - no known countermeasures and adversary capability exists | 10 |
| High - no known countermeasures and adversary capability exists | 7-9 |
| Medium - there are effective countermeasures in place, but adversaries can exploit a weakness | 5-6 |
| Low - multiple levels of countermeasures exist and few or no adversaries could exploit the asset | 1-3 |
Table C.
| # | Vulnerability | C,H,M,L | Vulnerability Rating (1-10) |
|---|---|---|---|
| 1 | Human error - susceptible to social engineering to gain access to student accounts | M | 5 |
| 2 | Backdoors to University systems | M | 5 |
| 3 | Open campus / unlimited access to academic buildings | H | 7 |
| 4 | Human error - onecard theft can allow access to meal plans, dorms, etc. | M | 5 |
| 5 | Weak passwords to systems | L | 3 |
Part 4 – Risk Assessment
Risk Assessment: Fill out the table below based on the asset, threat, and vulnerability
assessment values calculated above. All italic values should be replaced with your own data.
After completing, color code using the table above.
Table D.
| Asset | Measure | Threat 1: Data breach | Threat 2: Natural disaster | Threat 3: Identity theft | Threat 4: Espionage |
|---|---|---|---|---|---|
| Asset 1: Students (Asset Value 10) | Asset * threat * vuln | 630 | 250 | 90 | 90 |
| | Threat Rating | 9 | 5 | 3 | 3 |
| | Vulnerability Rating | 7 | 5 | 3 | 3 |
| Asset 2: Student Records (Asset Value 10) | Asset * threat * vuln | 360 | 250 | 120 | 90 |
| | Threat Rating | 9 | 5 | 6 | 3 |
| | Vulnerability Rating | 4 | 5 | 2 | 3 |
| Asset 3: Blackboard/Peoplesoft (Asset Value 6) | Asset * threat * vuln | 168 | 24 | 60 | 24 |
| | Threat Rating | 7 | 4 | 5 | 2 |
| | Vulnerability Rating | 4 | 1 | 2 | 2 |
| Asset 4: University Computers (Asset Value 8) | Asset * threat * vuln | 200 | 16 | 432 | 72 |
| | Threat Rating | 5 | 2 | 9 | 3 |
| | Vulnerability Rating | 5 | 1 | 6 | 3 |
| Asset 5: Financial Aid records (Asset Value 10) | Asset * threat * vuln | 630 | 20 | 360 | 250 |
| | Threat Rating | 9 | 2 | 9 | 5 |
| | Vulnerability Rating | 7 | 1 | 4 | 5 |
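The Table D calculation can be scripted so the cells are recomputed, ranked, and checked against the rating bands from Parts 2 and 3. This is an added example, not part of the original worksheet; the ratings are copied from Table D, and the function and variable names are this example's own.

```python
# Added example: the numbers below are copied from the worksheet's Table D.
# Rating bands from the worksheet's rating tables (4 has no band there).
BANDS = {"C": (10, 10), "H": (7, 9), "M": (5, 6), "L": (1, 3)}

THREATS = ["Data breach", "Natural disaster", "Identity theft", "Espionage"]

# asset name -> (asset value, threat ratings, vulnerability ratings)
TABLE_D = {
    "Students": (10, [9, 5, 3, 3], [7, 5, 3, 3]),
    "Student Records": (10, [9, 5, 6, 3], [4, 5, 2, 3]),
    "Blackboard/Peoplesoft": (6, [7, 4, 5, 2], [4, 1, 2, 2]),
    "University Computers": (8, [5, 2, 9, 3], [5, 1, 6, 3]),
    "Financial Aid records": (10, [9, 2, 9, 5], [7, 1, 4, 5]),
}


def band_for(rating):
    """Return C/H/M/L for a 1-10 rating, or None when no band covers it."""
    for letter, (low, high) in BANDS.items():
        if low <= rating <= high:
            return letter
    return None


def label_matches(letter, rating):
    """True when a worksheet row's letter agrees with its numeric rating."""
    return band_for(rating) == letter


def risk_register(table=TABLE_D, threats=THREATS):
    """Score every asset/threat cell; return rows sorted by risk, highest first."""
    rows = []
    for asset, (value, t_ratings, v_ratings) in table.items():
        for threat, t, v in zip(threats, t_ratings, v_ratings):
            rows.append({
                "asset": asset,
                "threat": threat,
                "risk": value * t * v,
                # Ratings that fall outside every band on the worksheet scale.
                "unbanded": [r for r in (t, v) if band_for(r) is None],
            })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for row in risk_register():
        note = f"  (no band for {row['unbanded']})" if row["unbanded"] else ""
        print(f"{row['risk']:>4}  {row['asset']} / {row['threat']}{note}")
```

The `unbanded` field marks cells that use a rating of 4, which sits between the Low (1-3) and Medium (5-6) bands and so has no letter on the worksheet's scale.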