Question

Analyze the risk associated with the given case study based on the FAIR approach. You are expected to provide the following:

First, analyze the case study and decide the two scenarios based on the provided data.

Second, for each scenario, write the following:

Threat Event Frequency, Secondary Loss Event Frequency, and Vulnerability.

2- Analysis of each scenario

Estimate the primary and secondary losses for each scenario and provide rationale.

The Case Study

HAPTech University is a renowned technical institution at the forefront of innovation, research, and patent creation. The University has 300 staff, 400 faculty members, 4000 students, and 50 donors. Established in the heart of a bustling technological hub, the University has earned a global reputation for excellence. The University has a financial endowment of US$1 billion, with an average donor donating $500,000 to the University yearly. HAPTech University is committed to cutting-edge research across various fields, including engineering, computer science, biotechnology, and sustainable energy. Its diverse research centers and institutes serve as incubators for groundbreaking discoveries. The Tech University has a remarkable record of generating patents and intellectual property. The campus is equipped with state-of-the-art laboratories, research centers, and libraries that provide students and faculty with the tools and resources they need to conduct meaningful research. HAPTech University fosters collaboration with industry partners, government agencies, and other universities. These partnerships facilitate research and offer students real-world experiences and opportunities for internships and employment. The University has a vibrant entrepreneurship ecosystem, nurturing student startups and providing resources to transform innovative ideas into successful businesses. It hosts pitch competitions, accelerator programs, and business incubators. HAPTech Tech University's research and innovations have a global impact. Its commitment to sustainability, health, and technological advancement is pivotal in solving some of the world's most pressing challenges.

HAPTech University, being a prominent technical institution known for research and innovation, would have several critical systems that could be potential targets for cyberattacks. These systems are crucial for the University's operations and safeguarding sensitive data. Some of the critical systems at HAPTech University that might be targeted include Research Data Repositories, Student Records and Personal Information, Academic Systems, Financial Systems, Intellectual Property and Patents, Network Infrastructure, Research Equipment, Collaboration and Communication Tools, Access Control and Authentication Systems, and Student Information Portals.

HAPTech University implements robust cybersecurity measures to protect these critical systems, including firewalls, intrusion detection systems, regular security audits, employee training, and incident response plans. Additionally, a strong focus on data encryption, access control, and monitoring is essential to safeguard these systems from potential cyber threats. However, recent cybersecurity incidents in the education and business sectors have raised concerns about intellectual property, patents, and network infrastructure. The University is worried about potential risks and wants a comprehensive risk analysis. Consequently, the university risk analysts immediately started the investigation.

The University's intellectual property and patent databases contain valuable innovations and research findings. State-sponsored actors may aim to exploit this information through Advanced Persistent Threat (APT).

The University's network infrastructure, including servers, routers, and switches, could be targeted for various cyberattacks, including DDoS attacks to disrupt network services and eventually disrupt internal and external facing systems.

State-sponsored actors, often highly skilled and well-resourced, use advanced methods to attack intellectual property and patent databases. Their motivations may include economic espionage, technological advantage, and national interest. State-sponsored attackers frequently employ APTs, which are stealthy and long-term cyberattacks designed to remain undetected for extended periods. APTs involve multiple phases, including gaining access through application vulnerability, network expansion, and data extraction.

HAPTech University deploys a vulnerability scanning software, CISA, that performs vulnerability scans to internet-facing systems from weak configurations and known vulnerabilities and delivers a weekly report. The data produced by CISA confirms that HAPTech's current system configurations can defend against 70-80% of malicious accesses.

The data security team confirmed that the University never experienced APT attacks before. However, from recent risk analysis reports, it's believed that APT attempts range between 1 to 3 times a month while malware attempts range between 3 to 6 times a month. On average, similar universities experience security incidents once every six months.

DDoS detection is an absolute necessity for organizations that rely on internet traffic to avoid disruption of the network and, consequently, disruption of applications and services. For this reason, the University deploys a control tool for DDoS detection. The network security teams said the tool has reported 25 to 35 DDoS attempts per year.

Firewalls, scanners, and mitigation tools have been implemented to identify surges in inbound traffic. However, the tools have signaled that, despite the absence of a successful DDoS attack on the University thus far, the increasing complexity of these attacks has led to the belief that 1 in 25 of such incidents might succeed on average.

The network security team has noted that the network infrastructure experienced a single disruption in the last six years, attributed to severe weather conditions. In addition, the University has experienced three minor security incidents in the past year, such as malware infections and phishing attempts.

In the event of a data breach, the internal incident response team will start responding, and the first step is to isolate the affected servers and disconnect them from the network to prevent further malicious access. This action helps contain the breach and protects the intellectual property. The internal incident response team comprises 6-10 people who would be deployed for 6-13 hours at a loaded hourly wage of $200/hr.

In the event of a data breach, regular meetings are scheduled to keep the incident response team updated on the forensic findings, the status of the investigation, and any emerging challenges.

These meetings provide a platform for collaboration and decision-making among diverse experts. The average cost of this meeting is $20,000.

Given the potential involvement of state-sponsored actors in a data breach, the University's cybersecurity team collaborates with law enforcement agencies to share information and seek assistance. This process may involve agencies specializing in cyber threats and economic espionage, costing an average of $150,000.

A specialized forensics team is called in to investigate a data breach and thoroughly analyze the logs, system snapshots, and any other relevant data to determine the extent of the breach, identify the attack vectors, and assess the potential loss of intellectual property. Investigations of this scale cost an average of $125,000.

The University's reputation, once a key differentiator, is now threatened due to the cyber breach of its intellectual property data. As news of the incident spreads, stakeholders, including students, faculty, donors, and the broader community, become increasingly concerned about the University's ability to safeguard sensitive information. The team, comprising communication experts and public relations professionals, takes center stage. The University will initiate a comprehensive reputation management plan to rebuild trust and convey transparency in its response to the cyber incident. Public relations campaigns will be launched to highlight the University's commitment to cybersecurity, showcasing the immediate actions taken to address the breach and prevent future occurrences. It will cost an average of $50,000. In addition, meetings will be organized for regular updates, and communications will be disseminated to inform stakeholders of ongoing efforts to strengthen security measures. It will cost an average of $15,000.

Research partners from the private sector and other academic institutions may consider legal action against the University due to the compromise of shared intellectual property and research findings. Lawsuits may be filed to seek compensation for damages, potential revenue losses, and harm to their reputations resulting from the cyber incident. Over the past two years, fines-related records have ranged from $350,000 to $500,000.

The University had long been a trusted institution for cutting-edge research and innovation. The loss of intellectual property threatens to erode this key differentiator, potentially impacting donor support. In the event, it is estimated that 4% of donors would stop donating to the University.

If the APT leads to the unauthorized disclosure of proprietary research, competitors could gain insights that undermine the University's unique selling points. This loss may result in diminished opportunities for research collaborations, funding, and industry partnerships. It is estimated at $200,000.

The DDoS attack saturates the University's network bandwidth, rendering essential services inaccessible. Students, faculty, and administrative staff cannot access critical systems, which immediately disrupts normal operations. With the network effectively paralyzed, academic activities come to a standstill. Online classes, research collaborations, and administrative tasks that rely on network connectivity grind to a halt. Staff members, including professors, researchers, and administrative personnel, cannot perform their duties. The inability to conduct research, communicate with colleagues, and manage administrative functions impacts the University's overall efficiency. It is assumed that an average hourly rate of $50 for staff, considering that the outage prevents work for 4 to 8 hours a day for one day. Beyond lost wages, there are additional operational disruption costs. The University estimates an average indirect cost of $50,000 associated with the delay in research projects, rescheduling of classes, and the need for additional resources to manage the aftermath of the attack.

In case of systems and service disruptions, the incident response team will be activated, composed of cybersecurity experts, network engineers, and forensics specialists. Their primary task will be to assess the scope and impact of the DDoS attack and initiate immediate countermeasures to mitigate its effects. A team of 5-8 people would be deployed for 8-14 hours at a loaded hourly wage of $250/hr. Simultaneously, forensics specialists will be hired to analyze the attack vectors, patterns, and potential vulnerabilities the attackers exploit. The goal is to identify the source of the DDoS attack and gather evidence for further legal and investigative purposes. Investigations of this scale cost an average of $200,000. The incident response team and key members of the University's management convened for an emergency meeting. This meeting aims to provide real-time updates on the incident, discuss the potential impact on operations, and strategize the next steps in the response plan. It will cost an average of $12,000.

In case of a DDoS incident, the target will be replaced. Simultaneously, the decision will be made to replace the affected hardware components (servers, routers, switches, etc.) to ensure network services' swift restoration. The team initiates the replacement process, swapping compromised devices with the preconfigured spare ones. Replacement of the hardware will cost around $500,000, and it takes a team of 8 workers 8 hours. At overtime rates, those workers will be paid $100 per hour.
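As an added illustration (not part of the original question or of any posted answer), the DDoS figures in the case study can be carried through the FAIR chain: loss event frequency = threat event frequency × vulnerability, and annualized loss exposure = loss event frequency × loss magnitude. Assumptions made here and not stated on the page: the 300 staff and 400 faculty both lose work time, "average" costs are treated as fixed values, and ranges are sampled uniformly in the simulation.

```python
from fractions import Fraction
import random

# Figures quoted in the case study (DDoS scenario); ranges are (min, max).
TEF_PER_YEAR = (25, 35)            # DDoS attempts reported per year
VULNERABILITY = Fraction(1, 25)    # "1 in 25 of such incidents might succeed"
HEADCOUNT = 300 + 400              # ASSUMPTION: staff + faculty lose work time

# Per-event loss components in USD, each a (min, max) pair.
LOSS_COMPONENTS = {
    "productivity":   (HEADCOUNT * 50 * 4, HEADCOUNT * 50 * 8),
    "indirect ops":   (50_000, 50_000),
    "response team":  (5 * 8 * 250, 8 * 14 * 250),
    "forensics":      (200_000, 200_000),
    "mgmt meeting":   (12_000, 12_000),
    "hardware":       (500_000, 500_000),
    "install labour": (8 * 8 * 100, 8 * 8 * 100),
}

def lef_bounds():
    """Loss event frequency = threat event frequency x vulnerability."""
    return tuple(t * VULNERABILITY for t in TEF_PER_YEAR)

def loss_magnitude_bounds():
    """Sum the per-event minimums and maximums."""
    lo = sum(c[0] for c in LOSS_COMPONENTS.values())
    hi = sum(c[1] for c in LOSS_COMPONENTS.values())
    return lo, hi

def ale_bounds():
    """Annualized loss exposure range = LEF x loss magnitude."""
    (lef_lo, lef_hi), (lm_lo, lm_hi) = lef_bounds(), loss_magnitude_bounds()
    return lef_lo * lm_lo, lef_hi * lm_hi

def simulate(years=20_000, seed=1):
    """Monte Carlo mean annual loss; each attempt succeeds with p = 1/25."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(years):
        attempts = rng.randint(*TEF_PER_YEAR)
        events = sum(rng.random() < VULNERABILITY for _ in range(attempts))
        total += sum(rng.uniform(lo, hi) for lo, hi in LOSS_COMPONENTS.values()
                     for _ in range(events))
    return total / years

if __name__ == "__main__":
    print("LEF per year:", [float(x) for x in lef_bounds()])
    print("Loss per event:", loss_magnitude_bounds())
    print("ALE range:", [float(x) for x in ale_bounds()])
```

Changing `HEADCOUNT` or swapping the uniform draws for a PERT distribution shifts the result, so each such choice belongs in the written rationale alongside the numbers.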
