CYBR 535 West Virginia University Risk Management and Threat analysis Memorandum – Assignment Help

Help me study for my Computer Science class. I’m stuck and don’t understand.

Don't use plagiarized sources. Get Your Custom Essay on
CYBR 535 West Virginia University Risk Management and Threat analysis Memorandum – Assignment Help
Just from $13/Page
Order Essay

UE DATE FOR ENTERPRISE/EMPLOYER RISK MANAGEMENT THREAT ANALYSIS- 11 OCT. 20. (A prototype is posted under Course Documents.) Please note this is NOT a template or a format, simply a sample as to how to approach this paper. More guidance will follow. 6-8 pages range, double-spaced typed, exclusive of charts or references, to be posted in your assignment folder.

(professor email)

there is a major assignment due shortly per the syllabus, your risk management analysis. 6-8 pgs double spaced, plus sources. Legal focus as well as a threat assessment applicable to your workplace or critical infrastructure, e.g. hospital, bank. Dont be late!


cyber Policy, Law, & Criminal Investigation 

Insider Threat Risk Management PROTOTYPE AND SAMPLE ONLY



To: Chief Operating Officer | EC | 
Thru: Chief Information Officer | ISTS | 

General Counsel | OGC | 
From: Senior IT Analyst | IT |
Subject: Insider Threat Risk Management and Recommendations 

In light of the Executive Announcement issued on September 21st 2018 and concern 
expressed by General Gene , I was tasked by the executive committee to 
propose a risk management strategy to address insider threats to the agency. For your 
consideration, this proposal includes recommendations to the Executive Committee and 
General Council concerning the current risk management program as well as the possible legal 
ramifications and executive actions needed in wake of recent events. 

We are known for independent nonpartisan values and its reputation , 
among the American people, and throughout the globe. It is imperative to combat any forces 
attempting to damage or discredit the organization through leaking sensitive information, 
maliciously manipulating reports , and or placing our  clients and 
fellow  agencies at risk of compromise. 

The Office of the Director of National Intelligence’s National Insider Threat Task Force, 
under joint leadership of the Attorney General and the Director of National Intelligence, defines 
insider threat as “a threat posed to U.S. national security by someone who misuses or betrays, 
wittingly or unwittingly, their authorized access to any U.S. Government resource. This threat 


can include damage through espionage, terrorism, unauthorized disclosure of national security 
information, or through the loss or degradation of departmental resources or capabilities.”1 

In 2017, insider threat events made up one in five incidents and are deemed more costly 
than those committed by outsiders.2 While industry statistics for insider threat 
events, the organization has personally seen an influx of insider threat incidents in recent years 
with 3 notable cases: 

Event: 2013 Security Controls Assessment Leak 

More specifically, we experienced a leak of a Confidential Security Controls 
Assessment obtained, stored, and maintained by us for a review on the Department of Health 
and Human Services’ (HHS) healthcare exchange known as in support of the 
Affordable Care Act passed in 2010.3  Protocols policy states, “we will 
grant clients, upon their written request, access to its audit documentation .” 
However, to accommodate more than 15 signatories, we hosted an event on the Hill to allow 
members to review the requested SCA. According to congressional staff, a member of 
congress leaked the results of the SCA to the media in an effort to allegedly advance a political 
agenda to discredit the federal healthcare exchange effort and the passing of ACA. It was 
confirmed in the November 2013 hearing by multiple congressional staff as well as the head of 

1 Office of the Director of National Intelligence. National Insider Threat Task Force Mission Fact Sheet. Retrieved 

2 Forcepoint, CSO, U.S. Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon 
University. The 2017 U.S. State of Cybercrime Survey. 

3 U.S. Congress “House Energy and Commerce Subcommittee on Oversight and Investigations Holds Hearing on Security.” Congressional Transcript . November 19, 2013. pp. 218, 22–23, 270. 


.4 The investigation concluded on November  with no identified 
source and no policy changes . 

The unauthorized disclosure of the SCA violates Executive Order 13526 sections 4.1 
and 5.4, which calls for organizations to ensure safeguards and restrictions on access to 
prevent unauthorized disclosure of information within the federal classification schema. The 
lapse in document control, could lead to a compromise in HHS systems as the report detailed 
the specific vulnerabilities in the system. This places HHS at risk of violating the 
Federal Information Security Modernization Act; The Privacy Act of 1974, as amended at 5 

U.S.C. 552a; the HHS Privacy Act regulations, as well as the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA). While a congressional staff member leaked the document 
to the media, we face risks to one of our core values, reliability. If government agencies are 
unable to trust the document control measures we have in place when interacting with 
congressional committees, then a longstanding issue of obtaining documentation will 
become a major roadblock for the organization. While we must prevent insiders within the 
organization, we must also help limit insider threats within our clients as it impacts our 
operations and values. 
Event: Malicious Insider Project Veritas 

Additionally, in September 2018, a deemed conservative activist group Project Veritas 
released a 14-minute video on Google’s platform YouTube depicting a current GAO employee 
contributing to the Democratic Socialists of America (DSA) during work hours with the intent to 
influence GAO work products provided to the U.S. Congress.5 The individual submitted a federal 

4 U.S. Congress “House Energy and Commerce Subcommittee on Oversight and Investigations Holds Hearing on Security.” Congressional Transcript . November 19, 2013. pp. 218, 22–23, 270. 

5 Project Veritas. “Deep State Unmasked, U.S. GAO Auditor Admits ‘I Break Rules Every Day.’” Project Veritas Deep 
State Unmasked, 20 Sept. 2018,


independence form, however, he did not provide specifics on his extracurricular activism work. 
This not only violates our conflict of interest policies, but he also intentionally misled the 
federal government and defrauded the U.S. taxpayers. 

Event: Disgruntled Employee 

Most notably, in October 2018 preliminary reports from the Office of the Inspector 
General indicate that an  analyst leaked a preliminary  report and extracted 
more than 2.3 terabytes of classified documents from our internal document management 
system for monetary gain including materials concerning Department of Defense weapons 
systems, National Reconnaissance Office satellite protection systems, vulnerabilities on the 

U.S. electric grid, and the Department of Energy’s National Nuclear Security Agency security 
protocols, and HHS’s infectious disease lab security results from NIH. This is a direct violation of 
policy, the Computer Fraud and Abuse Act as well as the Espionage Act. 
Insider Threat Risk Management Analysis 

As tasked by the executive committee, the details below address each insider threat 
event through a risk management perspective. This will form the basis of an insider threat 
program for your consideration. The NIST Risk Management framework is an effort to 
implement the provisions outlined in the Federal Information Security Modernization Act. The 
insider threat risk management approach captured below takes in account the results of the 
completed 2018 risk assessment report executed to fulfill Phase 4 of the NIST Risk 
Management Framework model. A detailed analysis on insider threat is attached in Appendix I. 
NIST notes that the risk assessment identifies “risks to organizational operations (including 
mission, functions, image, reputation), organizational assets, individuals, other organizations, 


and the Nation, resulting from the operation of an information system.”6 This includes the threat 
vulnerability analysis associated with the system. 

Additionally, Executive Order 13587 and the National Policy on Insider Threat calls for 
agencies to establish an insider threat program for handing classified information, which can be 
extended to ensure additional security for all our work products. Additionally, OMB memo M17-
25 calls for agencies to establish an Insider Threat Program to protect the federal network 
and its data. This effort is based on implementing PM-12 of NIST’s 800-53 Revision 4 standard 
and in alignment with the Risk Management Framework and best practices from Carnegie 
Mellon’s Software Engineering Institute. Below details the top 3 risk management steps to 
safeguard against the insider threat based on the organization’s current posture: Learn, 
Detect/Prevent, and Respond. 


GAO’s insider threat program must be able to identify potential indicators of insider threats 
based on previous events, list known characteristics as identified in the risk assessment 
attached in Appendix I, identify the target assets within the organization and possible mens rea. 
The identified characteristics from Appendix I are a combination of identified elements with 
those identified by the Department of Homeland Security’s National Cybersecurity and 
Communications Integration Center. 7 Based on the insider events captured above, I identified 
four main actors with the associated characteristics to create an insider threat profile with the 
targeted organizational asset and intent. These profiles include: 

6 NIST Risk Management Framework 


Congressional Partners | Political Motivation/Agenda | Unauthorized Disclosure 
Internal Staff | Human Error | N/A 
Malicious Insider | Activism | Manipulation of Report 
Disgruntled Employee | Financial Gain | Data Exfiltration 
While this is not inclusive of all potential combinations, the four profiles captured above adhere 
to the first of three critical elements of an insider threat program. 
Further, as a result of the risk assessment captured in Appendix I, the results revealed 
that the insider threat places us at a moderate risk level. Under a moderate risk level, 
exploitation of vulnerabilities within the organization (1) may result in the costly loss of tangible 
assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or 
interest; or (3) may result in human injury. This aligns with the NIST Risk Management 
Framework, as organizations must first understand the threats and risks facing the organization 
prior to selecting controls. This step was adapted for the insider threat program in Appendix I. 

Detect & Prevent 

Given the three insider events we faced, there are several best practices that 
could have been instrumental to detecting and preventing insider threats. These include 
activities associated with stakeholders at all levels throughout the organization such as HR, 
Infrastructure, Public Affairs, and within our mission teams. 

Human Resources 

Software Engineering Institute’s best practices include: monitor and respond to 
suspicious or disruptive behavior, develop a comprehensive employee termination 
procedure, and anticipate and manage negative issues in the work environment. These 
best practices would directly address the following insider threat actors: Disgruntled 


Employee and Malicious Insider. While our currently policies call for automatic 
removal of access rights in the event of employee termination, our procedures do not 
link employee satisfaction with insider threat notification. Our employee feedback survey 
within the IT mission team indicates that Band 2Bs are the most unsatisfied among the 
staff due to promotion availability. Given this, HR should work with IT to deploy adaptive 
analytics on access rights and user activity among groups with a certain level of 
authorization. Threat actor: Disgruntled Employee was a Band 2B seeking financial 

Public Affairs 

In regards to the Malicious Insider, our annual independence review process 
failed to identify an employee associated with the DSA. This is where social media 
monitoring capabilities within our Office of Public Affairs can make a direct impact. The 
privacy concerns associated with this effort are moderate as it must remain within the 
public domain. The individual was engaged in political activity during work through 
social media. This effort by OPA would extend the reach of the independence policy 
and actively engage in identifying conflicts of interest beyond a federal document. 


Lastly, detection falls on the Infrastructure department’s security control mechanisms 
captured in NIST’s 800-53 Revision 4. The organization must raise its Integrity baseline 
and implement high integrity security controls identified by NIST to ensure that the 
integrity of the data is not compromised from an insider. Additionally, intrusion detection 
capabilities must be expanded in order to baseline normal behavior on the network and 


then detect anomalous behavior such as accessing social media, emailing multiple 
documents outside of the organization, and saving files on an external drive. Given 
these best practices, the three threat events identified can be addressed through the 
following mechanisms: 

Congressional Partners | Political Motivation/Agenda | Unauthorized Disclosure 
Action: Prohibit mobile phones during closed sessions with sensitive documents 
Action: Intentionally insert typos in each version of the document to identify a 
source of a leak 
Action: Invite agency representatives to administer and collect sensitive 
documents at the conclusion of the session to redirect the risk 
Benefit: Limits mode of exfiltration, detects source of the leak, and shifts liability 
to data owner (HHS) 
Internal Staff | Human Error | N/A 
Action: Apply additional document control requirements when handling files 
outside of the document management system 
Action: Limit the number of files a single person is responsible for and assign an 
accountability officer for each set of files 
Benefits: Adds oversight to reduce likelihood of human error 
Malicious Insider | Activism | Manipulation of Report 
Action: Increase Integrity security controls to NIST 800-53 standards 
Action: Increase social media monitoring efforts and align with annual 
independence attestation 
Action: Re-baseline intrusion detection system to include insider threat detection 
Benefits: Improves security posture, proactively detects conflicts of interest, and 
increases technical capabilities for anomalous employee behavior. 
Disgruntled Employee | Financial Gain | Data Exfiltration 
Action: Share employee satisfaction results with IT for adaptive analytics 
Action: Re-baseline intrusion detection system to include insider threat detection 
Action: Implement new policies regarding external media, email attachments, and 
remote access after work hours 

Benefits: Improves security posture, proactively detects conflicts of interest, and 
increases technical capabilities for anomalous employee behavior. 

CMU’s 2017 study on U.S. Cybercrime surveyed more than 500 organizations across the 
country regarding insider intrusions. According to the study, the number of events handled 
internally without legal action or law enforcement stayed the same from 2016 to 2017 at 76%.8 
Additionally, the top 3 reasons included: 

Could not identify the individual(s) responsible 
Damage level insufficient to warrant prosecution 
Lack of evidence/not enough information to prosecute 
8 Forcepoint, CSO, U.S. Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon 
University. The 2017 U.S. State of Cybercrime Survey. 


All three justifications could be addressed through applying additional logging and auditing 
controls as recommended by NIST-800-53 Rev 4, which I prescribe for our internal systems 
through its high Integrity categorization. While unauthorized disclosures could call for legal 
action depending on its nature, the availability of evidence is essential to respond with any legal 
action. In regards to the 3 insider events : 

Congressional Partners | Political Motivation/Agenda | Unauthorized Disclosure 
Response Reported: None 
Reason: Lack of evidence; Could not identify individual 
Potential Legal Response: Violation of congressional policies; If compromised: 
Computer Fraud and Abuse Act, Privacy Act violation; 
Internal Staff | Human Error | N/A 
Response Reported: None 
Reason: Damage level insufficient; No malicious intent 
Potential Legal Response: None;  internal policy violation 
Malicious Insider | Activism | Manipulation of Report 
Response Reported: System access rights terminated; Suspension pending 
investigation from the OIG. 
Reason: Damage level insufficient due to  quality control processes 
Potential Legal Response: Internal  policy violation; Making false statements 
(18 U.S.C. § 1001), Fraud 
Disgruntled Employee | Financial Gain | Data Exfiltration 
Response Reported: System access rights removed; Employee terminated and 
incident handled with legal action 
Reason: Involved Classified information posing threat to national security 
Potential Legal Response: Computer Fraud and Abuse Act, Espionage Act 
Section 793 

Next Steps 

We are the first line of defense when it comes to insider threat. This includes all departments 
within the organization and each individual analyst. Take action by implementing the short-term 
measures outlined in the memo followed by a comprehensive insider threat program in FY19 in 
accordance with OMB M-17-25. 



Document Management 

October 2018 

Record of Changes: 

Version Date Sections Modified Description of Changes 
1.0 October 2018 Initial RAR 

The risk management process is based on the general concepts presented in National Institute 
of Standards and Technology (NIST) Special Publication (SP) 800-30, Revision 1, Guide for 
Conducting Risk Assessments, along with the principles and practices in NIST SP 800-18, 
Guide for Developing Security Plans for Information Technology Systems and is consistent with 
the policies presented in Office of Management and Budget (OMB) Circular A-130, Appendix III, 
Security of Federal Automated Information Resources. 

The scope of this risk assessment is focused on the system’s use of resources and controls to 
mitigate vulnerabilities exploitable by threat agents (internal and external) identified during the 
RMF control selection process, based on the system’s categorization. This initial assessment 
will be a Tier 3 or “information system level” risk assessment. 


A preliminary analysis informed the identified insider threat agents 
This assessment is based on a FY17 security controls assessment and agency-wide 
external threat analysis. 

This risk assessment is being conducted in order to determine the impact of an insider threat on 
the organization and its business processes to form the basis of a managed insider threat 
program maturity. Identifying the impact is a preliminary step in building a robust insider threat 
program to safeguard GAO and its materials from unauthorized disclosure. This document is to 
supplement existing risk assessments performed on the organization and update the existing 
risk profile of the organization and information system. 

Risk Assessment Approach 

This initial risk assessment was conducted using the guidelines outlined in the NIST SP 800-30, 
Guide for Conducting Risk Assessments. A quantitative and qualitative approach will be utilized 
for this assessment. Risk will be determined based on a threat event, the likelihood of that threat 
event occurring, known system vulnerabilities, mitigating factors, and consequences/impact to 


The following table is provided as a list of insider threat characteristics as identified by the 
Department of Homeland Security. 

Table 1: Insider Threat Characteristics 

Characteristics of Insiders at Risk of Becoming a Threat 
Financial Need Motive for Political Gain 
Activism Workplace Grievance 
Behavioral Limitations: Compulsive and 
Destructive Behavior 
Ethical “flexibility” Minimizing their mistakes or faults 
Reduced loyalty Self-perceived value exceeds performance 
Pattern of frustration and disappointment Lack of empathy 
No Accountability or Integrity Intolerance of criticism 

Potential Threat Actions: 

Assault on an employee 
Browsing of proprietary information 
Computer abuse 
Fraud and theft 
Information bribery 
Input of falsified, corrupted data 
Malicious code (e.g., virus, logic 
bomb, Trojan horse) 
Sale of personal information 
System bugs 
System intrusion 
System sabotage 
Unauthorized system access 

The following tables from the NIST SP 800-30 were used to assign values to likelihood, impact, 
and risk: 

Risk Level Matrix: 

The final determination of mission risk is derived by multiplying the ratings assigned for threat 
likelihood (e.g., probability) and impact of an exploited vulnerability after consideration of in 
place controls. Table 2 below shows how the overall risk ratings might be determined based on 
inputs from the threat likelihood and threat impact categories. The determination of these risk 
levels or ratings may be subjective. The rationale for this justification can be explained in terms 
of the probability assigned for each threat likelihood level and a value assigned for each impact 
level. For example: 

The probability assigned for each threat likelihood level is 5 for High, 3 for Moderate, 
1 for Low. 
The value assigned for each impact level is 5 for High, 3 for Moderate, 1 for Low. 
The matrix below is a 3 x 3 matrix of threat likelihood (High, Moderate, and Low) and 
threat impact (High, Moderate, and Low). 
Table 2: Assessment Scale – Level of Risk (Combination of Likelihood and Impact) 

Threat Likelihood 
LOW (1) MODERATE (3) HIGH (5) 
HIGH (5) 
5 X 1= 5 
5 X 3= 15 
5 X 5= 25 
3 X 1= 3 
3 X 3= 9 
3 X 5= 15 
LOW (1) 
1 X 1=1 
1 X 3= 3 
1 X 5= 5 

of Impact 
Impact Definition 
High Exploitation of the vulnerability (1) may result in the highly costly loss of 
major tangible assets or resources; (2) may significantly violate, harm, or 
impede an organization’s mission, reputation, or interest; or (3) may result 
in human death or serious injury. 

Page 15 

Moderate Exploitation of the vulnerability (1) may result in the costly loss of tangible 
assets or resources; (2) may violate, harm, or impede an organization’s 
mission, reputation, or interest; or (3) may result in human injury. 
Low Exploitation of the vulnerability (1) may result in the loss of some tangible 
assets or resources or (2) may noticeably affect an organization’s 
mission, reputation, or interest. 

Risk Assessment Results: 
Disgruntled Employee / Insider Penetration / Unauthorized Use 

Vulnerabilities / Predisposing 
Likelihood Impact Risk 
Inadequate Security policy High Moderate Moderate 
Inadequate System Administration High Moderate Moderate 
Inadequate User Account Management High Moderate Moderate 
Inadequate Personnel Management High Low Low 
Inadequate Warning Banners High Moderate Moderate 
Use of Replayable I&A High Moderate Moderate 
Sharing of ID or Passwords High Moderate Moderate 
Inadequate Audit Log High Moderate Moderate 
Inadequate Audit Analysis High Moderate Moderate 
Inconsistent Physical Perimeter 
High Moderate Moderate 
Inadequate Facilities High Low Low 
Data Unavailability High Low Low 
Weak Rules of Behavior High Moderate Moderate 
Untrained Users High Moderate Moderate 
No Individual Accountability High High High 
No System Change Control High Moderate Moderate 
No Software Change Control High Moderate Moderate 

Page 16 

No Separation of Duties High Moderate Moderate 
Unlimited User Privileges High High High 
Poor Patch Management High Moderate Moderate 
Interconnection Weaknesses High Moderate Moderate 
Copyright Protection Violations High Moderate Moderate 
Poor Logical Access Controls High Moderate Moderate 
Weak Passwords/No Passwords High High High 
Unprotected Networks High Moderate Moderate 
Weak Integrity Verification High Moderate Moderate 
Unknown Vulnerabilities High High High 

Risk Score: The insider threat agent poses a MODERATE risk to the organization. 

Page 17 

Calculate your paper price
Pages (550 words)
Approximate price: -

Why Work with Us

Top Quality and Well-Researched Papers

We always make sure that writers follow all your instructions precisely. You can choose your academic level: high school, college/university or professional, and we will assign a writer who has a respective degree.

Professional and Experienced Academic Writers

We have a team of professional writers with experience in academic and business writing. Many are native speakers and able to perform any task for which you need help.

Free Unlimited Revisions

If you think we missed something, send your order for a free revision. You have 10 days to submit the order for review after you have received the final document. You can do this yourself after logging into your personal account or by contacting our support.

Prompt Delivery and 100% Money-Back-Guarantee

All papers are always delivered on time. In case we need more time to master your paper, we may contact you regarding the deadline extension. In case you cannot provide us with more time, a 100% refund is guaranteed.

Original & Confidential

We use several writing tools checks to ensure that all documents you receive are free from plagiarism. Our editors carefully review all quotations in the text. We also promise maximum confidentiality in all of our services.

24/7 Customer Support

Our support agents are available 24 hours a day 7 days a week and committed to providing you with the best customer experience. Get in touch whenever you need any assistance.

Try it now!

Calculate the price of your order

Total price:

How it works?

Follow these simple steps to get your paper done

Place your order

Fill in the order form and provide all details of your assignment.

Proceed with the payment

Choose the payment system that suits you most.

Receive the final file

Once your paper is ready, we will email it to you.

Our Services

No need to work on your paper at night. Sleep tight, we will cover your back. We offer all kinds of writing services.


Essay Writing Service

No matter what kind of academic paper you need and how urgent you need it, you are welcome to choose your academic level and the type of your paper at an affordable price. We take care of all your paper needs and give a 24/7 customer care support system.


Admission Essays & Business Writing Help

An admission essay is an essay or other written statement by a candidate, often a potential student enrolling in a college, university, or graduate school. You can be rest assurred that through our service we will write the best admission essay for you.


Editing Support

Our academic writers and editors make the necessary changes to your paper so that it is polished. We also format your document by correctly quoting the sources and creating reference lists in the formats APA, Harvard, MLA, Chicago / Turabian.


Revision Support

If you think your paper could be improved, you can request a review. In this case, your paper will be checked by the writer or assigned to an editor. You can use this option as many times as you see fit. This is free because we want you to be completely satisfied with the service offered.