Risk Assessment (Assessment 2)


Assessment 2

Case Study Risk Assessment

Student Name:

Student ID:

University Name:

Contents

Introduction

Discussion

    Security of Employee Data

    Privacy of Employee Data

    Digital Identity Issues

Conclusion

References

Introduction

No business is immune to risk, but understanding why risks must be prevented, minimised or, where possible, eliminated before they cause losses is key to the success of any business. In theory, lower risk should drive a business towards greater success. For an organisation of any size, sector or type, risk can be described as the internal or external factors that ultimately affect business objectives, either by reducing projected profits or by leading to a loss (Aloini, Dulmin & Mininno, 2012). Risks arising from economic or financial issues, industry regulation, business costs, information breaches or political influence can cause a business to lose money or even become bankrupt. Risk assessment is a principal management tool for ensuring the health and safety of employees and others, and what many people may not realise is that, for employers, it is also a legal obligation. The purpose of this report is the risk assessment of the given case study: the Department of Administrative Services (DAS), which provides services for an Australian State Government and is moving to a "Shared Services" approach because of a change in Government policy.

Discussion

Security of Employee Data

a. Establish the existing threats and risks to the security of the data and information contained in the in-house HR database

A threat to data security is any potential danger to data and information systems: an intruder entering the network through an open port on the firewall, a process that violates the security policy to reach data, or an unintended mistake by a staff member that exposes confidential information or destroys the integrity of a file. Understanding these risks is crucial for any business (Walker-Roberts et al., 2020).

An in-house HR database is a likely target for phishing because the data attackers want most is gathered and stored there. The threat is growing as phishing attacks, which use authentic-looking emails to collect sensitive information, become more refined. Because the database stores employees' personal information, a breach puts banking details and government identifiers such as social security numbers at risk. Attackers disguise their attempts by analysing the writing style of executives on social media platforms such as LinkedIn and Facebook so that a phishing email appears to come from the CEO. The most refined attacks go beyond mimicking the CEO: the targeted employee's own name and social security number are included in the message to persuade the recipient to click the link (Kim, Lee & Kim, 2019).

Malicious attacks by insiders are another existing threat. Research indicates that system administrators and other IT employees with access to the HR database are among the most likely perpetrators. Technically skilled employees can use their system access to open a back door into the in-house database, or leave programs running on the network to steal information or cause disruption.

Social engineering is perhaps the most common way attackers gain access to a network; it works by exploiting employees' trust. Even the best technical controls are ineffective if employees are not educated about the risks. A recent survey found that employees at nearly three quarters of companies had received no training on information leakage and social engineering. It is critical that people can recognise a phishing email and know that they should never give their password to anyone who is not authorised to have it (Taylor & Sharif, 2017).

Downloading malicious content from the internet is a further threat. Some reports suggest that the average employee spends up to an hour a day surfing the internet for personal purposes, perhaps watching videos, using file-sharing sites, visiting social media such as Facebook or playing games. The number of malware and virus threats has been reported to rise by more than 50 percent each year, driven in part by such destructive payloads being introduced to the network unintentionally by employees. A game or video clip may carry a hidden rootkit that the user never notices.

The remaining existing threat to the in-house HR database is information leakage. There are now a staggering number of ways to take information off the internal network and release it outside the company. With portable devices and high-capacity drives, an employee can carry a significant portion of the in-house database out of the door in a back pocket on an MP3 player, a CD-ROM, a digital camera or a USB stick.
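The CEO-impersonation phishing described above leaves traces in the mail headers that a simple triage rule can catch before the message reaches an HR inbox. The following is an added example, not part of the original report or of any DAS system: it runs three checks (display name of a known executive on a non-corporate address, a sender domain that is a near-miss of the corporate domain, and a Reply-To pointing somewhere other than the From domain) plus a subject-line lure check. The corporate domain, the executive directory and the sample messages are constructed for the example.

```python
"""Mail-header triage for executive impersonation (added example, assumptions throughout)."""
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "das.example.gov.au"                        # assumed internal domain
EXECUTIVES = {"jane smith": "jane.smith@das.example.gov.au"}   # assumed executive directory

# Subject-line lure: an urgency cue combined with a payroll/banking/credential request.
URGENCY = re.compile(r"\b(urgent|immediately|asap|action required)\b")
LURE = re.compile(r"\b(bank|payroll|password|tfn)\b")


def edit_distance(a, b):
    """Levenshtein distance; used to spot lookalike domains such as das-example vs das.example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(msg):
    """Return a list of findings for one message given as a dict of header -> value."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Known executive's display name on an address that is not theirs.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append("display-name impersonation of executive")

    # 2. Sender domain within two edits of the corporate domain but not equal to it.
    if from_domain and from_domain != CORPORATE_DOMAIN \
            and edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append("lookalike sender domain")

    # 3. Replies silently redirected to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain differs from From domain")

    # 4. Urgency plus a payroll/banking/credential request in the subject.
    subject = msg.get("Subject", "").lower()
    if URGENCY.search(subject) and LURE.search(subject):
        findings.append("urgency plus credential/payroll lure in subject")
    return findings


def severity(findings):
    """Map the number of findings to a handling decision."""
    if not findings:
        return "clean"
    return "review" if len(findings) == 1 else "quarantine"


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"From": '"Jane Smith" <jane.smith@das.example.gov.au>',
     "Subject": "Agenda for Monday"},
    {"From": '"Jane Smith" <jane.smith@gmail.example>',
     "Subject": "URGENT: update my payroll bank details before 5pm"},
    {"From": '"HR Team" <hr@das-example.gov.au>',
     "Reply-To": "<payroll-update@mail.example>",
     "Subject": "Action required: confirm your bank account today"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        f = triage(m)
        print(severity(f).upper(), m["From"], f)
```

The edit-distance check is deliberately loose (two edits); in production it should be paired with DMARC/SPF results and a list of registered lookalike domains, since a single-character swap in a long domain is exactly the case the text describes.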

b. Are there any other risks and threats to the employee data after migration to a SaaS application?

Cloud computing has become a significant part of distributed computing, and storing and processing data in cloud environments has quickly become a global trend. SaaS is widely regarded as one of the major cloud models, delivered over public, private or hybrid networks. Given its effect on business applications and on everyday life, this disruptive technology is clearly here to stay. Cloud computing is internet-based computing in which software, shared resources and information are made available to devices on demand (Patel & Alabisi, 2019). Adopting the cloud computing paradigm can, however, affect the security of employee data both positively and negatively: the very features that make cloud computing attractive not only challenge existing security arrangements but also expose newer security risks. Some of the additional risks and threats to employee data after migration to a SaaS application are:

Door opened through account takeovers

In an account takeover attack, a threat actor compromises an employee's corporate credentials, either by launching a credential phishing campaign against the company or by purchasing credentials leaked in a third-party data breach on the dark web. The stolen credentials are then used to gain additional access or elevated privileges. A compromised account may remain undetected for a long time, or never be found at all (Akinrolabu, New & Martin, 2019).
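Purchased or phished credentials are usually tried in bulk against a SaaS login before one of them works, which is the signal a detection rule can key on. The following is an added example, not code from the report or from any SaaS provider: it parses constructed authentication log lines, flags any source IP that fails against five or more distinct accounts inside a ten-minute window, and then reports every successful login from such an IP as a takeover candidate. The log format, thresholds and IP addresses are assumptions for the example.

```python
"""Credential-stuffing and account-takeover detection over auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: "<ISO8601 UTC> ip=<addr> user=<name> result=OK|FAIL"
LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(lines):
    """Parse log lines into (timestamp, ip, user, result) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped rather than aborting the scan
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)


def detect_takeover(lines, min_users=5, window=timedelta(minutes=10)):
    """Return (suspicious_ips, takeover_candidates).

    An IP becomes suspicious once it has failed against min_users distinct
    accounts within `window`; any later OK from that IP is a takeover candidate.
    """
    failures = defaultdict(list)       # ip -> [(ts, user), ...]
    suspicious = set()
    candidates = []
    for ts, ip, user, result in parse(lines):
        if result == "FAIL":
            failures[ip].append((ts, user))
            recent_users = {u for t, u in failures[ip] if ts - t <= window}
            if len(recent_users) >= min_users:
                suspicious.add(ip)
        elif ip in suspicious:
            candidates.append((user, ip, ts.isoformat()))
    return suspicious, candidates


# Constructed sample log: one user mistyping a password, then a spray from
# 198.51.100.7 that succeeds against "frank" after failing against five others.
SAMPLE_LOG = """
2024-03-04T08:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-03-04T08:00:20Z ip=203.0.113.5 user=alice result=OK
2024-03-04T08:05:00Z ip=198.51.100.7 user=alice result=FAIL
2024-03-04T08:05:02Z ip=198.51.100.7 user=bob result=FAIL
2024-03-04T08:05:04Z ip=198.51.100.7 user=carol result=FAIL
2024-03-04T08:05:06Z ip=198.51.100.7 user=dave result=FAIL
2024-03-04T08:05:08Z ip=198.51.100.7 user=erin result=FAIL
2024-03-04T08:05:10Z ip=198.51.100.7 user=frank result=OK
this line is not an auth event
""".strip().splitlines()

if __name__ == "__main__":
    ips, hits = detect_takeover(SAMPLE_LOG)
    print("suspicious sources:", sorted(ips))
    for user, ip, when in hits:
        print(f"possible takeover: {user} from {ip} at {when}")
```

A rule like this only shortens the "never found" window the text warns about; the control that actually stops the login is phishing-resistant MFA on the SaaS application, with this detection used to force a password reset and session revocation on the flagged account.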

Stability

Security and stability are the true pillars of dependable SaaS software. The growing popularity of SaaS means more choice for users and higher-quality services as providers compete, but not every provider can keep up with the expanding market, and some will fail and shut down. The client is then faced with the difficult task of data portability: the time and money invested in migrating to the SaaS application may be wasted, and the crucial employee data may be lost with it (Akinrolabu, New & Martin, 2019).

Lack of transparency

SaaS providers are often secretive. Clients are assured that the provider keeps data safer than its competitors, or at the very least more securely than the client could itself. It is better not to take such claims at face value: the provider's lack of transparency about how its security is actually handled gives customers legitimate reason for scepticism. When clients cannot get satisfactory answers to the many questions surrounding security, they are left with gaps and speculation about the service they are using (Akinrolabu, New & Martin, 2019).

c. Assess the resulting severity of risks and threats to employee data

A data breach can occur when it is least expected. The impact of risks and threats to employee data could cost DAS millions, or even billions, and leave its reputation in disarray with the market and with its customers alike, so understanding the potential consequences is very important. For phishing, the resulting severity is an immediate reputational hit and growing mistrust among employees about how the company handles their confidential details. A single click on a link in a phishing email can also release a virus into the database that deletes data or sends spam (Cheng, Liu & Yao, 2017). Ransomware is another consequence: computers running, for example, the Microsoft Windows operating system can be targeted by a ransomware cryptoworm that encrypts data and restores access only once a ransom is paid. Regulatory fines are a further consequence. The General Data Protection Regulation (GDPR), the EU law on data protection and privacy in force since May 2018, provides financial penalties for misusing or mishandling personal data, including employee data, of up to 4% of a company's annual worldwide turnover or €20 million, whichever is higher. Business disruption is also widely recognised as a consequence: a breach automatically disrupts the business, however small the breach may be. When devices are infected with malware, most often after a phishing email, employees must disconnect them immediately until notified otherwise, and returning to normal service often takes several days (Confente et al., 2019).

Privacy of Employee Data

a. Establish the existing threats and risks to the privacy of the data and information contained in the in-house HR database.

With an ever-increasing number of organisations being duped, they have become more vulnerable to attack, and threats and risks to data privacy clearly continue to rise. One existing threat to the privacy of the data in the in-house HR database is vulnerabilities in web-based applications, which are more than sufficient to cause a large-scale data breach. Attackers can enter the DAS system by exploiting a vulnerability that could have been patched months earlier, eventually exposing the personal data of every employee. Another threat is insiders and poorly trained employees. Employee data may be exposed by a malicious insider acting deliberately or by a simple mistake made unknowingly; the result is much the same, ranging from a small leak of employee data to a much larger breach. A hostile insider, however, is more likely to select specific employee data to release in order to cause the most damage (Homoliak et al., 2019).

A lack of breach response is a further threat to data privacy. Even with the best security controls in place, incidents that lead to leaks remain possible, so the focus should not be solely on preventing every incident but on being ready to respond quickly and minimise the effect of unforeseen events. Inadequate disposal of employees' personal data in the in-house HR database is also a principal threat. An employee's personal data should be retained only while the relationship with that employee is in effect (plus any retention period the law requires), and afterwards disposed of securely. Most organisations fail to remove or delete personal data promptly once its specific purpose has ended or on request, which directly violates the GDPR and is likely to result in heavy penalties. In addition, a lack of transparency in privacy policies and terms and conditions is a further threat to the privacy of employee data. Under the GDPR, consent is one of the lawful bases for collecting, storing or processing personal data, and where it is relied on it is only valid if employees understand what they are consenting to. Yet many organisations still fail to publish a legitimate privacy policy, and many policies are written in language that employees, who are generally neither technical nor lawyers, do not understand. This is also a direct violation of the GDPR and leads straight to penalties (Deshpande, Nair & Shah, 2017).
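The disposal failure described above is usually not a decision but the absence of a scheduled job. The following is an added example, not part of the report or of any DAS process, of the selection logic such a job needs: it computes which former employees' records are past an assumed post-separation retention period or subject to an erasure request, while keeping records of current staff and holding back anything under legal hold. The seven-year retention value, the record fields and the sample records are assumptions for the example.

```python
"""Retention sweep for HR records (added example; policy values are assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy: keep a former employee's record for seven years after separation.
RETENTION_AFTER_SEPARATION = timedelta(days=7 * 365)


@dataclass
class EmployeeRecord:
    employee_id: str
    separated_on: Optional[date]      # None means still employed
    legal_hold: bool = False          # litigation or audit hold blocks deletion
    erasure_requested: bool = False   # subject has asked for deletion


def disposal_plan(records, today, retention=RETENTION_AFTER_SEPARATION):
    """Classify records into those due for secure deletion, held, or retained.

    Returns a dict with keys "due", "held" and "retained" (the last with reasons).
    """
    due, held, retained = [], [], []
    for r in records:
        if r.separated_on is None:
            retained.append((r.employee_id, "still employed"))
            continue
        purpose_ended = r.separated_on + retention <= today
        if not purpose_ended and not r.erasure_requested:
            retained.append((r.employee_id, "within retention period"))
            continue
        if r.legal_hold:
            held.append(r.employee_id)   # review the hold, never delete silently
            continue
        due.append(r.employee_id)
    return {"due": due, "held": held, "retained": retained}


# Constructed sample records (not real employees).
SAMPLE_RECORDS = [
    EmployeeRecord("E001", date(2015, 1, 10)),
    EmployeeRecord("E002", date(2020, 6, 1)),
    EmployeeRecord("E003", None),
    EmployeeRecord("E004", date(2014, 5, 5), legal_hold=True),
    EmployeeRecord("E005", date(2023, 1, 1), erasure_requested=True),
]

if __name__ == "__main__":
    plan = disposal_plan(SAMPLE_RECORDS, date(2024, 3, 4))
    print("delete securely:", plan["due"])
    print("blocked by legal hold:", plan["held"])
    print("retained:", plan["retained"])
```

The deletion itself should write an audit entry per record and cover backups and exports, not just the live table; the sweep above only decides what is eligible.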

b. Are there any other risks and threats to the privacy of the employee data after migration to a SaaS application?

Risks and threats to the privacy of employee data after migration to a SaaS application include reduced visibility and control. DAS is likely to lose some visibility and control over its assets and operations when they move to the cloud, because with external cloud services the service provider becomes responsible for certain policies and infrastructure. Another risk is that on-demand self-service makes unauthorised use easy. Service providers make provisioning new services so simple that any staff member can provision additional services without the consent of the IT department. The low cost and ease of implementation of SaaS products increase the likelihood of unauthorised use of cloud services, which exposes the organisation to increased malware infection or data exfiltration because it cannot protect resources it does not know about. Compromise of internet-accessible management Application Programming Interfaces (APIs) is a further risk. Service providers expose a set of APIs that clients use to provision, manage, orchestrate and monitor their assets and users, and these APIs can contain the same kinds of software vulnerabilities as an operating system or library. Because the providers' APIs are reached over the internet, they are far more widely exposed to potential misuse, and threat actors can turn vulnerabilities in management APIs into successful attacks (Hong et al., 2019).

c. Assess the resulting severity of risks and threats to the privacy of employee data

The resulting severity of risks and threats to the privacy of employee data is most likely to be felt on the company's bottom line. In the wake of a data breach, a string of direct financial consequences hits the business straight away: regulators can impose heavy fines, and large sums must be spent on a forensic investigation to identify the source of the breach and yield the evidence and insight needed to prevent future breaches. Employees share sensitive information with their employer in the belief that proper security measures protect it, so a loss of trust among employees is a considerable long-term after-effect of a breach (Sen & Borle, 2015). Damage to the company's reputation from a data breach is difficult to quantify but often long-lasting. Normal operations are also frequently disrupted, particularly during the investigation. In the worst cases, a breach may involve the total loss of important employee data, which further increases the risk of the data being misused.
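Both severity sections (c under Security of Employee Data and c under Privacy of Employee Data) describe consequences in words without ranking the threats against each other. The following is an added example, not part of the report, of the likelihood-times-impact scoring a risk register would use to do that: each threat gets an inherent score, an assumed control reduces its likelihood to give a residual score, and the register is ranked by residual risk. The 1 to 5 scales, the band thresholds, the ratings and the controls are illustrative assumptions, not findings of the report.

```python
"""Risk register scoring for the threats discussed in the report (added example)."""

LIKERT = range(1, 6)   # both likelihood and impact are rated 1 (lowest) to 5 (highest)

# Assumed bands on the 1..25 product: threshold -> label, checked highest first.
BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low"))


def band(score):
    """Translate a likelihood x impact product into a severity band."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    raise ValueError(f"score out of range: {score}")


def assess(register):
    """Score every entry and return rows ranked by residual risk (highest first).

    control_reduction is how many likelihood points the named control removes;
    likelihood never drops below 1 because no control is perfect.
    """
    rows = []
    for entry in register:
        likelihood, impact = entry["likelihood"], entry["impact"]
        if likelihood not in LIKERT or impact not in LIKERT:
            raise ValueError(f"ratings must be 1..5: {entry['threat']}")
        residual_likelihood = max(1, likelihood - entry.get("control_reduction", 0))
        inherent = likelihood * impact
        residual = residual_likelihood * impact
        rows.append({
            "threat": entry["threat"],
            "inherent": inherent, "inherent_band": band(inherent),
            "residual": residual, "residual_band": band(residual),
            "control": entry.get("control", "none"),
        })
    rows.sort(key=lambda r: (-r["residual"], -r["inherent"], r["threat"]))
    return rows


# Illustrative ratings for the threats the report discusses (assumptions, not findings).
RISK_REGISTER = [
    {"threat": "Phishing of HR staff", "likelihood": 5, "impact": 4,
     "control": "MFA plus awareness training", "control_reduction": 2},
    {"threat": "Unpatched web application vulnerability", "likelihood": 4, "impact": 5,
     "control": "monthly patch cycle and scanning", "control_reduction": 2},
    {"threat": "Ransomware on HR workstations", "likelihood": 3, "impact": 5,
     "control": "offline backups and EDR", "control_reduction": 1},
    {"threat": "Insider misuse of privileged HR access", "likelihood": 3, "impact": 4,
     "control": "least privilege and access logging", "control_reduction": 1},
    {"threat": "Unsanctioned SaaS use (shadow IT)", "likelihood": 4, "impact": 3,
     "control": "SaaS discovery and approval process", "control_reduction": 1},
    {"threat": "Regulatory penalty for mishandled data", "likelihood": 2, "impact": 4},
    {"threat": "Compromised cloud management API", "likelihood": 2, "impact": 5,
     "control": "API keys scoped and IP-restricted", "control_reduction": 1},
]

if __name__ == "__main__":
    for row in assess(RISK_REGISTER):
        print(f"{row['threat']:<42} inherent {row['inherent']:>2} {row['inherent_band']:<8} "
              f"residual {row['residual']:>2} {row['residual_band']:<8} via {row['control']}")
```

The ranking, not the absolute numbers, is what matters: it shows which of the consequences the text lists (phishing leading to ransomware and business disruption) still sit in the High band after the assumed controls and therefore need further treatment or explicit acceptance.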

Digital Identity Issues

What are the threats and risks to the digital identities of Government employees from the move to a SaaS application?

The threats and risks to the digital identities of Government employees from the move to a SaaS application centre on user password fatigue. Although the SaaS model initially makes it easy for users to access their applications, complications grow quickly with the number of applications, each requiring a different password and expiry cycle. This reduces users' productivity and increases their frustration at the time spent resetting, remembering and managing continually changing passwords and URLs across all of their applications. An even bigger concern is the security risk created by users' reaction to this password fatigue: obvious or reused passwords, stored on Post-it notes or in Excel files on laptops. Another risk is compliance visibility: it is important to understand who accesses which applications and data, from where, and what is done with them. An isolated user directory for every application is also a major risk when adopting SaaS applications. Most companies have invested in a corporate directory such as Microsoft Active Directory to manage access to on-premises network resources. When adopting cloud-based services, organisations should leverage that investment by extending it to the cloud rather than building a parallel directory and access-management infrastructure solely for the new SaaS applications (Kumar & Goyal, 2019).

Conclusion

From the above study it can be concluded that, despite the tremendous advantages of cloud computing, many cloud customers have always focused on the security and privacy concerns that come with it, which remain obstacles to its widespread adoption by businesses and organisations. Researchers have developed a wide range of risk assessments to help companies understand the risks and threats involved in implementing cloud computing services, enabling businesses to make well-informed decisions about cloud service providers before buying a service. With cloud computing growing significantly across the globe, and rapidly changing technology giving providers new ways to deliver services to clients, it is essential that users are aware of the risks and vulnerabilities in the current cloud computing environment. The risk assessment literature on cloud computing shows that a specific risk assessment approach is needed: there is currently no structured method by which cloud consumers can assess the risks of placing their resources outside the organisation, nor an effective security framework, that would maximise trust between consumers and service providers.

References

Akinrolabu, O., New, S., & Martin, A. (2019, June). Assessing the security risks of multicloud SaaS applications: A real-world case study. In 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom) (pp. 81-88). IEEE.

Aloini, D., Dulmin, R., & Mininno, V. (2012). Risk assessment in ERP projects. Information
Systems, 37(3), 183-199.

Cheng, L., Liu, F., & Yao, D. (2017). Enterprise data breach: causes, challenges, prevention, and
future directions. Wiley Interdisciplinary Reviews: Data Mining and Knowledge
Discovery, 7(5), e1211.

Confente, I., Siciliano, G. G., Gaudenzi, B., & Eickhoff, M. (2019). Effects of data breaches
from user-generated content: A corporate reputation analysis. European Management
Journal, 37(4), 492-504.

Deshpande, V. M., Nair, D. M. K., & Shah, D. (2017). Major web application threats for data
privacy & security–detection, analysis and mitigation strategies. International Journal of
Scientific Research in Science and Technology, 3(7), 182-198.

Homoliak, I., Toffalini, F., Guarnizo, J., Elovici, Y., & Ochoa, M. (2019). Insight into insiders
and it: A survey of insider threat taxonomies, analysis, modeling, and
countermeasures. ACM Computing Surveys (CSUR), 52(2), 1-40.

Hong, J. B., Nhlabatsi, A., Kim, D. S., Hussein, A., Fetais, N., & Khan, K. M. (2019).
Systematic identification of threats in the cloud: A survey. Computer Networks, 150, 46-
69.

Kim, B., Lee, D. Y., & Kim, B. (2019). Deterrent effects of punishment and training on insider
security threats: a field experiment on phishing attacks. Behaviour & Information
Technology, 1-20.

Kumar, R., & Goyal, R. (2019). On cloud security requirements, threats, vulnerabilities and
countermeasures: A survey. Computer Science Review, 33, 1-48.

Patel, K., & Alabisi, A. (2019). Cloud Computing Security Risks: Identification and
Assessment. The Journal of New Business Ideas & Trends, 17(2), 11-19.

Sen, R., & Borle, S. (2015). Estimating the contextual risk of data breach: An empirical
approach. Journal of Management Information Systems, 32(2), 314-341.

Taylor, J. M., & Sharif, H. R. (2017, May). Security challenges and methods for protecting
critical infrastructure cyber-physical systems. In 2017 International Conference on
Selected Topics in Mobile and Wireless Networking (MoWNeT) (pp. 1-6). IEEE.

Walker-Roberts, S., Hammoudeh, M., Aldabbas, O., Aydin, M., & Dehghantanha, A. (2020).
Threats on the horizon: Understanding security threats in the era of cyber-physical
systems. The Journal of Supercomputing, 76(4), 2643-2664.
