Consider the following Attribute-based Access Control policies: PA: Permit if OR (FINGER_Ok, HANDSHAPE_Ok) PB: Permit if VOICE_Ok PC: Deny if FACE_notok PD: POV(PA,PB) PE: POV (PD, PC) a) What is the decision returned by the policies PA, PB, PC, PD and PE, if all attributes evaluate to True? [5 Marks] b) What is the decision returned by the policies PA, PB, PC, PD and PE, if all attributes evaluate to Unknown? [5 Marks] c) Find an attribute evaluation such that PE evaluates to Deny. [5 Marks] A financial organisation providing credit cards and short-term loans is collecting and storing all financial transactions done by its customers when they use their credit cards. This information is then used by the organisation to decide whether to accept or deny a loan application from a customer: if their spending behaviour is deemed risky, the loan application will be denied. All transactions are stored in a SQL database, which is available by the organisation's employees through a form written in HTML and Javascript, and protected by a unique password. To comply with GDPR, they do not store in plain text the name of their customers, and use a unique pseudo-identifier for each customer, but they keep the details of each transaction. a) Identify and assess the risk of an Information Disclosure threat, and recommend an avoidance risk control against that threat. [10 Marks] b) Identify and assess the risk of a Spoofing threat, and recommend a mitigation risk control against that threat. [10 Marks]