COMP0056 People and Security
Coursework 1
Date Announced: 10.08.2022
Submission Date: 30.08.2022 (16:00 UK time, via Moodle)
Version 1.2
Instructions
This assignment is part of the mandatory assessment of the COMP0056: People and
Security module and will count 25% towards your final overall mark.
Assignment submission is due via Moodle through the TurnItIn interface on August
30, 2022 at 16:00 UK time. Late submissions will be accepted with deductions
according to UCL’s late submission policy.
Only PDF submissions will be accepted.
This assignment is open note, open book, and open course resources. You must
identify sources as accurately and fully as possible. UCL plagiarism policies will be
strictly enforced. For more details, see
You are not allowed to consult other people (outside of course staff) on this work.
Each student has to work on the assignment individually.
Your answers will be judged in terms of their quality, the depth of understanding,
and also their brevity. Explain your answers clearly, but succinctly. Partial credit may
be awarded.
The assignment has an upper limit of 20 pages.
This assignment has a maximum of 100 marks allocated as follows:
Question   Q1   Q2   Q3   Q4   Total
Marks      50   10   20   20   100

For this coursework, put yourself in the role of Jason Manning, the CISO for Spiffington
General. The CIO had been pushing the board for some time to appoint a CISO because she
realised the hospital was not meeting basic security and data protection standards. The “big
goal” she has set for you is that within 2 years, the hospital should meet the NCSC’s Cyber
Essentials and the General Data Protection Regulation (GDPR) requirements. She has
allocated you a fairly generous budget for the next 2 years to buy equipment and services.

Please answer the following questions in writing, by applying the concepts from Lectures 1-4,
the CyBOK Human Factors Chapter and the Spiffington General Scenario. You may of
course use information from peer-reviewed research papers. If you cite vendor information
(on performance or cost) you should state how you could test its veracity.

Question 1 (50%)

Jason’s first goal is to ensure access to medical records is properly secured. Given that he
has a budget to purchase some new equipment, he is considering a number of
two-factor/multi-factor solutions. These are listed below; your task for each solution is to:

A) Estimate the workload for each alternative and say which proposal would have a
higher workload.
B) Identify any other usability issues that would affect the use of the solution.
C) Identify possible acceptability/user satisfaction issues associated with the solution.
D) Identify security vulnerabilities that an attacker looking to copy patient medical data
might exploit.

For Administrative Staff (using desktop computers in admin offices, and laptops in meetings
with medical staff on the wards):

- a 2FA solution consisting of a token (YubiKey) and a 12-character, complexity 3 password
(at least 3 of the following 4 character classes: numerical, lowercase, uppercase and special characters)
- fingerprint recognition, combined with a 7-digit OTP generated via an app on their
mobile phone.
- an NFC chip contained in their staff pass, combined with face recognition.
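
The “complexity 3” password rule in the first administrative-staff option is the kind of policy a practitioner would want to see stated precisely before estimating its workload. The following is an added illustration, not part of the coursework brief or of any Spiffington system: a small policy checker that reads the brief’s “12-digit” as a 12-character minimum (an assumption) and counts the four character classes exactly as the brief lists them, reporting every failed rule so a user sees all the reasons a password was rejected at once rather than one at a time.

```python
import string

# Policy parameters taken from the coursework brief. "12-digit" is read here
# as a minimum of 12 characters of any kind (assumption, not stated in the brief).
MIN_LENGTH = 12
MIN_CLASSES = 3

# The four character classes named in the brief. Characters outside these sets
# (spaces, non-ASCII letters) are allowed but count towards no class.
CLASSES = {
    "numerical": set(string.digits),
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "special": set(string.punctuation),
}


def classes_present(password: str) -> set:
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(ch in chars for ch in password)}


def check_policy(password: str) -> tuple:
    """Check a candidate password against the complexity 3 rule.

    Returns (accepted, failures) where failures lists every rule that was not
    met, so the user is told all reasons at once.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    present = classes_present(password)
    if len(present) < MIN_CLASSES:
        missing = sorted(set(CLASSES) - present)
        failures.append(
            f"only {len(present)} of {MIN_CLASSES} required character classes "
            f"present; missing: {', '.join(missing)}"
        )
    return (not failures, failures)


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["Spiffington2022!", "spiffington2022", "Sp1ff!ngt", "WARD7 ROUNDS ok"]:
        accepted, reasons = check_policy(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'}",
              *(f"  - {r}" for r in reasons), sep="\n")
```

Rule-based checks like this one say nothing about how guessable a password is, only whether it matches the stated pattern; that gap between policy compliance and actual strength is part of what the workload and vulnerability questions above ask you to weigh.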

For medical staff (doctors and senior nursing staff using the tablets):
- face recognition, combined with a 6-digit OTP generated on their phone.
- an NFC chip contained in their staff pass, combined with face recognition.
- a passphrase combined with voice recognition biometric.

Question 2 (10%)

Jason’s previous employer is a member of the Information Security Forum (ISF). During his
time there, he came across their briefing paper on Human-Centred Security, with the
following statement:
“Miller’s Magic Number Theory of Memory is an established psychological theory that explores the human mind’s capacity
to store data in the short-term memory – the average human mind is capable of holding seven short pieces of information
(+ or – two) at one time.[12] Studies also suggest that humans forget approximately 50% of new information within an hour of
learning it, and 70% within 24 hours.[13] This reinforces the need to frequently deliver and repeat security messages,
education and training.”
A) Are the statements about human memory correct/relevant in this context?
B) If Jason were to follow the recommendation “to frequently deliver and repeat
security messages, education and training” at Spiffington General, how do you
expect medical staff to respond, and why?

Question 3 (20%)

The procurement department in the Spiffington administration has been targeted with
invoices that seem to come from genuine suppliers, but their bank details have been
altered. Since the fake accounts were immediately emptied, the money was lost.

A) Apply the Human Error concept to explain why staff made this mistake.
B) The Chief Financial Officer demands that Jason immediately introduce security
measures to stop this happening again. Jason considers requiring all suppliers to
send digitally signed invoices, but Spiffington does not have the infrastructure to
receive encrypted emails. What measures could Jason introduce at short notice to
stop this happening again?

Question 4 (20%)

Many Spiffington staff use WhatsApp groups to communicate with each other about
hospital business – for instance to swap shifts, ask each other questions about patient care
or ask the pharmacy to send urgent medications. An attacker managed to steal a doctor’s
phone in a cafe close to the hospital. After going through the WhatsApp messages, he
requested some controlled drugs and snatched them from the porter who was dispatched
to deliver them. Jason considers introducing a policy that staff are only allowed to use hospital
systems for work-related communications – which would mean the internal email system.
A) What impact would the policy have on hospital business?
B) What impact would it have on staff?