1. You have been hired by a bank to help them harden their online banking service against phishing attacks. Explain briefly the strengths and weaknesses of the following four possible countermeasures:

(a) SSL/TLS client certificates issued to each customer.
(b) A handheld password calculator issued to each customer.
(c) Displaying a unique picture to each customer during the login process.
(d) Requiring that large payments, or payments to new recipients, be authorised by telephone or SMS as well as online.

In answering those questions you may need to explain how those countermeasures would be used.

2. Answer the following questions in the context of a food-court.
(a) List the objects present.
(b) List the groups of subjects present and show how they are related.
(c) State the actions available.
(d) Give a reasonable description of the access control for this system.
(e) Describe a specific human characteristic that might be considered a vulnerability in this system. This question should answer first.

i. Explain how that characteristic may be exploited by an attacker for some specified reason.

ii. Explain how that characteristic may lead to accidental damage.

3. Consider that I have an asset worth $1000. There are two independent threats. The first occurs with probability 0.10 and would reduce the value of the asset to $200, while the second occurs with probability 0.02 and would completely destroy the asset. Both could occur.

What would be the threshold value at which buying insurance would be "worthwhile for both parties"? Be sure to show working.

4. For the following information, draw up an ALE table and make a recommendation on the basis of it: Let Ei; 1 <= i <= 10 be the events that could cause damage. Let the respective frequency of events be {1.6,4,0.3,2,140, 0.04, 0.5,1, 0.001, 2}, and the respective cost per events be{3,6,30,3 ,0.3,600,37,45,1500,0.2}.

5. Consider that number of people N willing to buy cars at a given price P varies according to the function. N = 5000 - 2P

Note that, for example, a person willing to buy a car at a price of $200 will also be willing to buy a car at $100 and will be included under both. This is not a function of the number of persons with the price returned as the most they will pay.

(a) Provide a graph of N vs P, in an appropriate range, with N on the x axis and P on the y axis. Be sure to appropriately label the intercepts.

(b) Assume we have a competitive marketplace with a total of 200 cars for sale. How much money will be spent on purchasing cars? Justify your answer.

(c) Now assume we instead have a monopoly. You still have 200 cars for sale. You are only allowed to sell cars at four different prices and you must sell fifty cars at each price. What is the most you can make from car sales? Justify your answer.

6. What purpose might fault injection serve in the context of bicycle assembly? Describe how you might use it in such a setting.

7. Consider you have a fingerprint database containing the fingerprints of every person living in Singapore. To simplify the calculations we will assume there are 5,500,000 people in Singapore. Suppose the false acceptance rate, or false match rate is 1/1000.

(a) How many false matches will occur when 10,000 suspicious fingerprints are compared with the entire database? Justify your answer.

(b) For any individual suspect fingerprint, what is the chance of at least one false match? Justify your answer.

8. Give two distinct examples of the role trust plays in security engineering. Refer to the components of Anderson's framework in your answer.

9. Describe how top-down and bottom-up methods of threat/fault analysis can be used in identifying assets relevant to a scenario. You do not need to be exhaustive but do enough of the analysis to demonstrate you understand the processes. You can choose an appropriate scenario that wasn't looked at in the lectures or tutorials.

10. Complete the following ALE table. Explain what each row/column represents, and indicate units for entries. Explain what actions this specific table suggests we should take.

A 20,000 0.01 answer
B 18,000 0.5 answer
C 3, 000 answer 1,000
D 550 answer 1,100

E 25 4 answer
F 10 answer answer

11. For the scenario Sending a paper letter, describe which of the following properties would be appropriate. Justify your answers and give examples as appropriate Confidentiality, Integrity, Availability, Authenticity,

Anonymity, Non--repudiability, Accountability, Freshness.