The document discusses three instruments - TEIQue, EQi, and MSCEIT - that are used to assess emotional intelligence. It provides details on the factors, domains, and tasks measured by each. The TEIQue is highlighted as most accurately measuring EI as it uses fifteen specific facets. Strengths and limitations are also identified for each instrument. The document then discusses a scenario involving threat modeling of a healthcare organization's applications using the STRIDE methodology. It provides details on the organization and its products/infrastructure to apply the STRIDE framework to identify potential threats.
1. The TEIQue instrument is used as a self-reporting assessment
that includes multiple different items, facets and factors to
assess one’s EI. The four main factors the TEIQue uses to
evaluate emotional intelligence are Well-being, Self-Control and
Sociability. To assess these main factors, TEIQue breaks them
down into fifteen facets such as happiness, emotion regulation,
awareness, etc. This is done through rating different statements
on a scale of how much you agree with the statement. Through
analyzing one’s answers, the TEIQue is able to thoroughly
assess one’s emotional intelligence accurately.
The EQi instrument is also a self-reporting assessment.
However, it is guided by five domains: intrapersonal,
interpersonal, stress management, adaptability, general mood.
The layout of this self-report uses short sentence prompts
analyzing these domains, in which the assessment taker can rate
on a scale of “not true of me” to “very true of me”.
While both instruments are self-reporting assessments that are
similar, I believe that the TEIQue assessment would do the best
job of measuring EI because it uses fifteen specific facets that
help make the assessment more specific to the respondent.
2. The TEIQue is successful because it uses the trait emotional
self-efficacy model of EI, which has been proven to be a reliable
model for assessing EI. Additionally, it splits the four main
factors of the test into fifteen facets, so that the TEIQue can
fully assess the factors. The weakness of this instrument is that
due to it being a self-reporting assessment, if the one taking this
assessment has an unusual mood on the day of testing, it can
create unreliable or incorrect results.
The EQi instrument's use of both interpersonal and intrapersonal
EQ allows the assessment to fulsomely measure how one
understands or processes emotions. Additionally, it places an
emphasis on general mood, so that the test assesses one's ability
to generate a positive or self-motivated state. I believe the
rating scale of this assessment is a weakness. One must answer
based on “very seldom or not true of me” to “very often true of
me”. I believe this is a difficult scale to answer to because it is
hard to examine where you actually lie in the rating scale,
which could generate inaccurate results.
Instrument 1: MSCEIT
The Mayer Salovey Caruso Emotional Intelligence Test
(MSCEIT) is a measure based on performance of one’s EI
abilities (i.e. perceiving emotions, facilitating emotions,
understanding emotions, and managing emotions) that results in
EIQs. The assessment is broken up into two parts: Strategic EI
and Experiential EI. This measure is based on a series of tasks
that evaluate one’s EI and is NOT self-reporting.
Instrument 2: TEIQue
The Trait Emotional Intelligence Questionnaire (TEIQue) is a
self-reporting assessment known for its four factors of
well-being, self-control, emotionality, and sociability, which are then
broken up into 15 facets ranging from adaptability, optimism,
empathy, relationships, and management.
It’s hard to determine which test does a better job or more
accurately measures EI, however, of the two, because MSCEIT
is a performance-based measure that involves a compilation of
tasks, I think it could better judge certain facets of EI. Often
when we self-report, there are bias errors. We inaccurately
gauge ourselves and represent ourselves either on a pedestal or
worse than we are with varying self-images. MSCEIT removes
that error or factor to a certain degree.
2. Identify 2 strengths and 1 limitation for each
Two strengths and one limitation for MSCEIT
MSCEIT is a strong instrument as it is thorough and objective.
It provides real understanding of your processing capabilities
and the unique facets of your EI. Another strength of it is that
because it is such an expansive test, you can look at different
elements (i.e. one of the 141 items) to understand your own
strengths and weaknesses and where they stem from. However, the
biggest limitation is that the final measure can be misleading
and interpreting your result and the application of it into reality
may be difficult.
Two strengths and one limitation for TEIQue
One strength of TEIQue is that the test promotes self-awareness
and provides real understanding of one’s EI and where they are
successful and where they need to improve. Another strength is
that it is proven and reliable which in this area of research is
important to be able to trust the results. One limitation of it is
that, since it is self-reporting, a lot of internal factors can skew
the results, such as mood, situation, environment, etc.
Project: Threat Modeling with STRIDE
Purpose
This project provides an opportunity to apply the concepts of
using a Threat Modeling methodology, STRIDE, against a
fictitious Healthcare organization’s application.
Learning Objectives and Outcomes
You will gain an overall understanding of risk management, its
importance, and critical processes required when developing a
threat model as a part of risk management for an organization.
Required Source Information and Tools
Web References: https://www.webtrends.com/blog/2015/04/threat-modeling-with-stride/
Deliverables
As discussed in this course, risk management is an important
process for all organizations. This is particularly true in
information systems, which provide critical support for
organizational missions. The project activities described in this
document allow you to fulfill the role of an employee
participating in the risk management process in a specific
business situation, identifying the threats and vulnerabilities
facing your organization.
Submission Requirements
All project submissions should follow this format:
· Format: Microsoft Word or compatible
· Font: Arial, 10-point, double-space
· Citation Style: APA style. Any work copied from the Internet or
other sources will automatically receive a 0.
Scenario
You are an information technology (IT) intern working for
Health Network, Inc. (Health Network), a fictitious health
services organization headquartered in Minneapolis, Minnesota.
Health Network has over 600 employees throughout the
organization and generates $500 million USD in annual
revenue. The company has two additional locations in Portland,
Oregon and Arlington, Virginia, which support a mix of
corporate operations. Each corporate facility is located near a
co-location data center, where production systems are located
and managed by third-party data center hosting vendors.
Company Products
Health Network has three main products: HNetExchange,
HNetPay, and HNetConnect.
HNetExchange is the primary source of revenue for the
company. The service handles secure electronic medical
messages that originate from its customers, such as large
hospitals, which are then routed to receiving customers such as
clinics over the Internet. Information transmitted over this
network includes patient health information, X-rays, bloodwork,
and diagnoses.
HNetPay is a Web portal used by many of the company’s
HNetExchange customers to support the management of secure
payments and billing. The HNetPay Web portal, hosted at
Health Network production sites, accepts various forms of
payments and interacts with credit-card processing
organizations much like a Web commerce shopping cart. The
Web portal is hosted on a Windows IIS Web server. Data from
the portal is stored in an Oracle database on a Unix server.
HNetConnect is an online directory that lists doctors, clinics,
and other medical facilities to allow Health Network customers
to find the right type of care at the right locations. It contains
doctors’ personal information, work addresses, medical
certifications, and types of services that the doctors and clinics
offer. Doctors are given credentials and are able to update the
information in their profile. Health Network customers, which
are the hospitals and clinics, connect to all three of the
company’s products using HTTPS connections. Doctors and
potential patients are able to make payments and update their
profiles using Internet-accessible HTTPS Web sites. You have
already run a Nessus scan and used nmap to determine
vulnerabilities.
Information Technology Infrastructure Overview
Health Network operates in a production data center that
provides high availability across the company’s products. The
data center hosts about 1,000 production servers, and Health
Network maintains 650 corporate laptops and company-issued
mobile devices for its employees. Employees are allowed to
work from home, using their company-issued laptops. There is
also a wireless network available at work.
Project
For the project, you must create a threat model, using STRIDE
(remember to use the information in the article at the Web link,
to understand these sections). To do so, you must analyze the
data and create a threat model document that contains the
following sections:
1. A section titled Attacker Viewpoint discussing framing the
threat from the mindset of the perceived attacker. Address the
following questions: 5 points.
a. Who is likely to attack the system?
b. What are they likely to attack to accomplish their goal?
2. A section titled Asset Viewpoint discussing the
organization’s assets from the information provided in the
scenario, above. Be sure to also address the following
questions (I recommend placing this in a table). 15 points
a. What is the asset?
b. What value does the asset have to the organization?
c. How might that asset be exploited by an attacker?
3. A section, titled STRIDE, that will identify the following
security threats for six different categories, as discussed in the
article in the Web reference you were asked to read, as they
apply to this scenario. Include the following: 60 points
a. Spoofing – address any spoofing threats that might be present
in the applications or systems. Include the ramifications
(impact) of a spoofing attack.
b. Tampering – address any data or databases that might be
subject to data tampering (applications, for instance, that might
be vulnerable to cross site scripting attacks or SQL injection in
the healthcare organization scenario, above).
c. Repudiation – address where repudiation attacks might be
possible in the organization.
d. Information disclosure – address where there may be the
likelihood for a data breach in the organization’s assets listed in
the scenario that would allow the attacker to access private
information (or, worse, patient health information). Discuss the
laws and regulations that would be impacted and the
ramifications (impact and penalties) that would be incurred by
this organization in that event.
e. Denial of Service – discuss the potential for service
interruptions for those systems or applications connected to the
Internet. Which systems are vulnerable? What would be the
impact to the organization for each connected system, if it were
to be unavailable?
f. Elevation of Privilege – discuss the systems and applications
that might be subject to an attacker elevating his privilege
levels (think of a patient database - what would happen if the
attacker was able to gain Administrator access to the
database?).
4. A section, titled Risk Mitigation Plan, that summarizes your
findings for the boss and discusses the security controls that
you recommend for each of the potential attacks that you have
identified. This can be summarized using the table I’ve
provided for you below for each of your threats. Remember to
assign the implementation of the recommended security control
to a role within the organization (you can use a generic role,
such as System Administrator, Database Admin, Security
Officer, etc. – your textbook and other supplemental readings
listed different organizational roles responsible for managing
risk) 20 points.
Risk Mitigation Plan:
Asset | Threat | Impact | Recommended Security Control | Responsible Role
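
A starting worksheet for the STRIDE and Risk Mitigation Plan sections, as an added example that is not part of the original assignment. It models HNetPay from the scenario as a small data-flow diagram and lists which STRIDE categories to examine for each element, using the table's column names. The STRIDE-per-element chart, the trust-zone placement and the flow labels are assumptions; Impact, control and role are left blank for the analyst.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
# Assumption: STRIDE-per-element chart (not in the assignment text). Add "R" to a
# store when it holds audit logs.
APPLIES = {"external": "SR", "process": "STRIDE", "store": "TID", "flow": "TID"}
COLUMNS = ["Asset", "Threat", "Impact", "Recommended Security Control",
           "Responsible Role"]

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone; the placement is an assumption

def hnetpay_model():
    """HNetPay as described in the scenario; zones and flow labels are assumed."""
    customer = Element("HNetExchange customer (browser)", "external", "internet")
    cards = Element("Credit-card processing organization", "external", "internet")
    portal = Element("HNetPay Web portal (Windows IIS)", "process", "production")
    db = Element("HNetPay Oracle database (Unix)", "store", "production")
    flows = [(customer, portal, "HTTPS payments and billing"),
             (portal, cards, "payment processing"),
             (portal, db, "portal data")]
    return [customer, cards, portal, db], flows

def _row(asset, code, crosses=False):
    row = dict.fromkeys(COLUMNS, "")  # impact, control and role are the analyst's job
    row.update({"Asset": asset, "Threat": STRIDE[code],
                "Crosses trust boundary": crosses})
    return row

def worksheet(elements, flows):
    """One row per applicable STRIDE category; boundary-crossing flows first."""
    rows = [_row(e.name, c) for e in elements for c in APPLIES[e.kind]]
    for src, dst, label in flows:
        asset = f"{src.name} -> {dst.name}: {label}"
        rows += [_row(asset, c, src.zone != dst.zone) for c in APPLIES["flow"]]
    rows.sort(key=lambda r: not r["Crosses trust boundary"])  # stable sort
    return rows

if __name__ == "__main__":
    for r in worksheet(*hnetpay_model()):
        flag = "*" if r["Crosses trust boundary"] else " "
        print(f"{flag} {r['Asset']} | {r['Threat']}")
```

Rows marked with `*` are flows that cross from the Internet into the production zone, which is where the Spoofing, Tampering and Information disclosure questions in section 3 are usually answered first.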