1. FINAL PAPER 1
FINAL PAPER
1. INTRODUCTION 3
2. THREAT AND VULNERABILITY ASSESSMENT
4
2.1. ASSESSMENT SCOPE
4
2.2. MEASURES TO THREATS AND VULNERABILITIES IN
THE COMPANY 6
2.3. THREAT AGENTS AND POSSIBLE ATTACKS
7
2.4. EXPLOITABLE VULNERABILITIES
9
3. MITIGATION STRATEGY
10
4. BUSINESS CONTINUITY PLAN
2. 14
4.1. TESTING A DISASTER RECOVERY PLAN
14
4.2. RISK MANAGEMENT PLAN
15
4.3. CHANGE MANAGEMENT PLAN IMPACT
16
5. SECURITY AWARENESS PROGRAM
17
6. CONCLUSION
19
7. REFERENCES
21
Introduction
Gerić and Hutinski (2017), define threat as a potential harm or
danger and Vulnerability as the exposure to possibility of harm.
In information systems and organizational data, threats and
vulnerabilities infer to the possible harms and possi ble exposure
to harm of the information systems infrastructure and
organizational data (Gerić & Hutinski, 2017). Tesla Company is
a multinational company that as businesses in technological
products such as cloud computing, artificial intelligence and e -
commerce (Tran, Childerhouse & Deakins, 2016). Developing
and categorizing a security mitigation strategy is essential for
companies that deal with any kind of threat to their business.
Risk mitigations strategies are designed to control, reduce, and
eliminate known risks that threaten the business with a specified
undertaking to prevent injury. The security awareness program
is important especially to companies like Tesla. Each employee
3. is supposed to be aware of their roles and responsibilities in
fighting against cyber threat and attack. Training must be
attended by every employee to completion and their capabilities
tested in a simulated attack so that they can be familiar with the
types of attack to expect. This paper is going to focus on the
kind of policies and procedures that will help the Tesla
Company to improve security awareness so that they can reduce
the risk of cyber threats and attacks.
2. Threat and vulnerability assessment
2.1Assessment Scope
Though in most cases threat and vulnerability assessment
involve both physical and intangible assets like computer hard-
wares ,organizational networks ,virtualization, database, cloud
and mobile systems, this assessment would only focus on users
and the intangible organizational assets which form the
information system infrastructure of Tesla Inc. Precisely, the
assessment would focus on cyber- related attacks on these
information systems infrastructures.
Tesla has a broad range of information system infrastructure
which include, people, informati on systems, information
security systems (Tanwar et al., 2019). Tesla’s primary
information system assets include E-commerce and web-based
services, namely, cloud computing, database, network,
virtualization, mobile and inform systems.
Diagram and Description of Items Involved In the Assessment
Scope.
Tesla Information System Infrastructure
4. Cloud service
Human resource
E- Commerce
Data Base System
Cloud Service
Cloud information system comprises of storage system and
providence of virtualization programs to magnitude of
companies all over the world. These services are available for
subscribers and registered users that acquire the service in an
order entry (Dhillon & Torkzadeh, 2016).
Human Resource
The Tesla human resource information system is a huge and
complex system that not only acquires information of the
companies merchants but also customer service information and
product support persons that are responsible for product
advertisements and taking care of customer issues (Tanwar et
al., 2019).
Database System
The data base stores all the necessary organization data for
analysis. Tesla database is associated with information
transformation, product presentation and order entries that
enhance customers’ preferences and customizations of the
company’s products and services. Additionally, information
processed can be useful to management in decision making and
therefore is a prime priority of the company to protect its
database information system (Scholz et al., 2020).
E-Commerce
These are the web based platforms that the company uses to
advertise, promote and sale their products and services. Due to
5. the proficiency of the company website and the facts that it’s
one of the main platform for local and international business
platform, the website is a prime target and should be protected
from hackers (Tanwar et.al., 2019).
2.2 Measures to Threats and Vulnerabilities in the Company
Tesla technology department (TTD) has various counter
measures to mitigate the threats and vulnerabilities to their
cyber systems. TTD hash provides Tesla’s computing clients
with custom networks and data centres which are designed to
protect the company information systems. TTD hash also puts in
place network and web applications fire walls, encryptions,
private connectivity options to protect the critical information
system infrastructure in the company(Scholz et.al., 2020).
Furthermore, Tesla protects it database through various
encryptions such as, EBS, SQL Server RDS, Glacier and oracle
RDS encryptions (Tanwar et al., 2019). The Tesla web
platforms use the SSE (Server-side Encryption) to transmit
sensible information and to encrypt the messaging queues.
Another methods that Tesla has imposes to prevent cyber threats
and attacks are use of hardware-based cryptographic keys in
their storage facilities, compliance requirement and in accessing
its database (Tanwar et al., 2019).
2.3 Threat Agents and Possible Attacks
There are numerous agents of cyber threats and attack in Tesla
information systems infrastructure. Most of these agents and
attacks have been aimed at Tesla because of its leading position
in the market and the amount of data the company processes.
These threats and attacks include, Passwords Attacks, Phishing
and Spear Phishing, Malware Or Viruses Attacks, SQL Injection
Attacks, Denial Of Service, Eavesdropping, Man In The Middle
Attack, Birthday Attacks, cross-site scripting And Distributed
Denial Of Service (DDOS) (Scholz et.al., 2020).
1) Phishing refers to sending mails that contain harmful
programs that siphon private information of the receipt; spear
phishing attack occur the same as phishing attack but this time
round the sender targets a particular group of people and
6. conducts research on them (Scholz et.al., 2020).
2) Birthday attacks are generation of two random words that
generate same message digest in the hash algorithm for digital
signatures and messages. In SQL injection, the attackers
execute SQL queries through malefactors in the client input
servers.
3) Cross-site scripting happens when attackers place malicious
scripts in unprotect websites to redirect client to the hackers
sites (Farn, Lin & Fung, 2014).
4) For Denial of service (DoS), the malicious programs
overpowers the systems to unable to react to resource request
while Distributed Denial Of Service (DDoS) happens when a
huge number of systems become impaired by attack and refuse
to respond to service request (Farn et.al., 2014).
5) In man in Middle attack, the infiltrator inserts themselves
between the clients and the servers. Middle man attack include,
IP spoofing, and session hijacking (Gerić & Hutinski, 2017).
6) Password attack is designated on the authenticating process
of a system. There are two types of password attacks; dictionary
attacks and the brute-force password attack. A dictionary attack
occurs through social engineering, guessing while brute- force
occurs through accessing password database (Farn et.al., 2014).
7) Eavesdropping occurs when an attacker intercepts the
network traffic usually through credit cards or obtaining
passwords that client use to transmit over the network
Threat
Assets
Impact
Risk
Phishing and spear phishing
Critical
high
high
Birthday attack
Critical
medium
7. low
Man in the middle attack
Critical
medium
high
Malware attack
Critical
high
high
Denial of service/ distributed denial of service
Critical
medium
high
Password attack
Critical
high
Eavesdropping
Critical
low
low
Table 1: a summary of threats, impact and Risk
2.4 Exploitable Vulnerabilities
Exploitable vulnerabilities refer to the system weakness that an
attacker can use to perform their illegal activities within an
information system.
1) Malware or viruses have been deemed one of the most
exploitable vulnerabilities in any information system and Tesla
systems are no exemption (Scholz et.al., 2020). Though Tesla as
a technological company is deemed to have one of the most
secure networks and information systems, malware are being
developed every day implying that it one exploitable attackers
may use to infiltrate into the company’s information systems
infrastructure.
8. 2) The company’s employees are also another exploitable
vulnerability to the company. Employees are not only the
primary architects of password attacks but also exploitable
vulnerability when approached with phishing and spear phishing
attacks (Gerić & Hutinski, 2017).
3) IOT (internet of things) is also another exploitable
vulnerability in Tesla Company. Devices like smart printers,
phones, refrigerators, coffee markers and manufacturing robots
can be used to launch attacks on the company’s information
system (Dhillon & Torkzadeh, 2016).
4) Updates are also another exploitable vulnerability. As much
as these updates bring better program and system functionalities
they bring new security vulnerabilities that attackers may
exploit (Scholz et.al., 2020).
Vulnerabilities
Assets
Impact
Risk
Malware/ viruses
Critical
high
high
employees
Critical
high
high
Internet of Things (IOT)
Critical
medium
Medium
Updates
Critical
high
high
Table 2: a summary of exploitable vulnerabilities, impact and
9. Risk
3. Mitigation Strategies
Developing and categorizing a security mitigation strategy is
essential for companies that deal with any kind of threat to their
business. Risk mitigations strategies are designed to control,
reduce and eliminate known risks that threaten the business with
a specified undertaking to prevent injury. These strategies when
implemented will help prevent businesses that are vulnerable to
cyber-attacks from being hacked. Tesla Company is a
multinational company that as businesses in technological
products such as cloud computing, artificial intelligence and e -
commerce (Tran, Childerhouse & Deakins, 2016). This web-
based services that the company operates makes it vulnerable to
cyber based threats and attacks. This paper is going to look at
the risk mitigation strategies that the company can employ to
reduce, eliminate and control the impact of the cyber based
threats and attacks.
The first step to a risk mitigation strategy is to diagnose the
business and find out the risks that the businesses faces. For
Tesla Company, it faces numerous attacks from the Tesla
information systems infrastructure. The attacks include malware
or viruses attacks, passwords attacks, birthday attacks, phishing
and spear phishing and cross-site scripting (Stergiopoulos et.al.,
2015). All of these threats have a high impact if they happen
and the risk that tesla faces from these kinds of attacks is high.
Therefore, it is important for the company to come up with risk
mitigation strategies to help prevent the attacks and keep the
Tesla information systems infrastructure safe from cyber-
attacks.
Risks need to be taken on when the strategies that are designed
reduces the risk to a very low level or as low as reasonably
practicable (Talluri, Yildiz & Yoon, 2013). The company needs
to choose the best mitigation strategy that would lower the risk
probability and the severity of outcome. For optimal results to
10. be obtain, more than one mitigation strategy should be
employed by the company.
The first mitigation strategy is risk avoidance where the
company works at avoiding situations that have a high
probability impact for damage and financial loss. For a company
like Tesla, it has to employ this strategy to avoid risks such as
cross-site scripting. This can be achieved by making sure the
employs avoid malicious sites that could direct malware to the
company servers. Phishing attacks can also be prevented
through avoidance of opening mails from unknown sources
which may contain viruses. Although avoidance is a good risk
mitigation strategy, it does not always work as individuals will
always be caught unawares to these kinds of attacks and the
company has to employ strict measures to ensure avoidable
threats and attacks do not happen.
The company limits the risk it is exposed to by regulating the
perceived risk. As such, the company works well at regulating
the exposure of the company’s software to threats and attacks.
For a company like Tesla, limiting the amount of risk would not
be easy as it’s a multinational company that deals with a huge
client base but it can put in measures such as limiting the
websites that employees can go to such as social media and
advertisement sites (Stergiopoulos et al., 2015). The company
can block such sites and limit the risk of employees getting
swayed to other potentially dangerous websites. The company
can also restrict administrative privileges of some of the
employees. Administration privileges allow employees to access
sensitive information or bypass critical security settings.
Limiting administrative privileges to a few employees will
minimize the risk of the company getting threat or cyber-
attacks.
Another risk mitigating strategy is the multi-factor
authentication. This is done through ensuring the system has
several password protected access. This is especially crucial for
users who perform privileged actions or those users that have
the access to sensitive information. Tesla Company can employ
11. this strategy which will help prevent potential threats or
adversaries from accessing legitimate credentials which might
facilitate further malicious activities. This would also make it
easier to detect if a system is being hacked since the many
layers of credentials would mean the hackers take more time to
by-pass security therefore making it easier for the hack to be
detected early.
Patching the operating systems of the company is also a good
risk mitigating strategy. Patching those devices that have a
high risk of attack with extreme risk vulnerabilities for a period
of time would prevent the company’s software from unnecessary
threats and attacks (Menoni et.al. 2013). For Tesla Company,
this strategy would be effective if they made sure the latest
versions of the operating system are the ones that are used for
the company’s operations. Any unsupported versions of the
operating systems should be avoided by all means necessary.
Application whitelisting is also a necessary risk mitigation
strategy especially for a company like Tesla as it aims at
preventing the execution of malicious programs and software.
Whitelisting also identifies attempts on malicious execution of
codes in the system and prevents the activity from going on
before any kind of damage is done. Whitelisting also prevents
the unauthorized use of software and programs which might
increase the risk of attack. This risk mitigation strategy also
prevents the installation of those programs and applications that
might expose the company’s software to cyber-attacks.
The company can also decide to transfer the risk by outsourcing
their services to other companies, purchasing insurance for
damages and loss incurred that are related to cyber-attacks or
form a partnership with another company that employs the same
services as them. For a company like Tesla they can outsource
their services since they are a multinational company (Tran,
Childerhouse & Deakins, 2016). This would ensure that they are
exposed to limited risk and the cost of enforcing risk mitigation
strategies can be shared with the other company. The company
can also get insurance against damages caused by cyber-attacks
12. as this would ensure that the company is well compensated in
case they fall victim to an attack or threat that may cost a lot of
money in damages.
Daily backups of important programs, software, applications
and configuration settings would ensure the information is kept
safe and that it can be accessed again in case of a ransomware
attack that was not anticipated or prevented (Menoni et.al.
2013).
4. Business Continuity Plan
Concepts and practices of designing and implementing a
business continuity and Disaster Recovery Plan
The first concept is to ensure that servers are kept in diverse
locations so that when one is damaged by disaster the other ones
continue functioning and providing services to the customers.
Ensuring that there is back up for all the software, programs and
application will ensure quick recovery from a disaster (Carter,
2018).
The next step is to ensure that there is a secondary source where
data can be accessed. The company can outsource some of its
services to another company so that in case of a disaster,
provision of services can continue through the outsourced
programs.
4.1. Testing a Disaster Recovery Plan
Creating a checklist is the first thing to do where department
heads and senior management assess the business continuity
plan and the disaster recovery plan to improve on developments,
update information.
Setting up a simulation where servers are tested on their
restoration and recovery capabilities. Some of these simulations
involve testing in real life situations like loss recovery
procedures and restoring backups. The employees should also
be tested on staff safety, asset management, leadership response
to disaster and relocation protocols after a disaster.
Procedural drill and hands-on can be supported by a run-
through. This is to ensure that important points of command and
delegation channels are informed about what is expected of
13. when disaster finally happens. These kinds of emergencies
involve data replica tasks, stand-by server switch overs, data
validation and cloud backups.
4.2. Risk Management Plan
The risk management plan should include the budget of the
entire plan. The plan needs to have a budget so that the
company can have an idea how much it is going to cost them to
manage risk.
The plan should also have a time frame as the management
needs to know the amount of time it would take for things like
training to be completed. The plan also has to include every
person’s roles and responsibilities as far as disaster
management is concerned. This will ensure that employees have
an idea of exactly what to do in case of a disaster (Chess, Fay &
Thornton, 2017).
The plan has to also include methodology and approaches so as
to let people know exactly the procedures to be followed in case
of a disaster. Probability of a disaster happening and the impact
it will have to the company should also be included in the risk
management plan. This will let the management be aware of the
likelihood of a disaster happening and the damage it would cost
to the company.
Tracking should also be included in the plan where the
management can track and know how things are going on and
whether they are on schedule or not. It will also help the
management know how the money that was budgeted is being
spent in the implementation process of the plan.
4.3. Change management plan
The change management plan ensures that the risk strategy has
enough resources to be able to prevent disaster from happening
as well as provide enough resources to cover the disaster
recovery process.
Change management also ensures whether the risk strategy that
has been implemented will be effective or not. Having a bad
change management can impact negatively on the business as
people will have no idea what to do in case of a disaster.
14. Through change management people can know the amount of
time it will take for the company to recover from a disaster and
the time it will take for business to go back to normal. The steps
to take and procedures to follow in case of a disaster and how to
prevent the disaster from happening will be determined by
change management (Orlikowski & Hoffman, 2017).
Concepts that should be included in a security plan for the
development of secure software
The concept and the planning of the software should be included
to ensure the software is viable. This is to ensure that the
software is efficient and free from cyber threats and attacks.
The team that programs the software should be well trained in
software security to ensure the software is always secure and
free from attacks. They can also include safety measures such as
multiple password entries to make it difficult to hack.
The architecture and the design of the software should enable it
to be secure and free from cyber threats and attacks. This
includes modeling the software structure through adding third-
party components that ensure the development of the software is
sped up.
The implementation of the software should include multiple
process of debugging and testing the software to ensure its safe
and secure. This would also involve simulations of real life
cyber-attacks to improve its level of defense.
5. Security Awareness Program
According to Eminağaoğlu, Uçar & Eren(2019), the security
awareness program is a program done in a formal way whose
goal is to train users about the potential threats to the
company’s information system. This training is also supposed to
help the company to avoid situations that may put the
company’s data at risk. The goal of this program is to lower the
level of the attack impact to the company, to enforce the
procedures and policies that the company has put in place to
protect its data and to also teach employees on the importance
of taking personal responsibility to protect the information of
the organization. For a multinational company like Tesla, this is
15. an important program because it is the role of the employees to
ensure they do their duty in the fight to prevent cyber threats
and attacks. This paper is going to focus on the kind of policies
and procedures that will help the Tesla Company to improve
security awareness so that they can reduce the risk of cyber
threats and attacks.
All employees in the company are supposed to be given the
permission to spend time learning about security awareness.
This would help the employees to recognize that this is a
priority not only to them but to the organization as well
(Eminağaoğlu, Uçar & Eren, 2019). The C-Suite support is an
important program that would ensure that time is allocated for
the employees to complete the training module, come up with a
training budget and ensuring the employees understand why
cyber security is essential by setting the tone of the training
stressing the importance keeping the company safe from cyber -
attacks. For a company like Tesla this would ensure that all the
executives and the management team are aware of how cyber-
attacks happen and the impact of things like information
disclosure, password theft and know how to detect a
ransomware infection. Simulations on how attacks happen such
as phishing would ensure employees are aware of the exact way
the attack happen and how they are supposed to respond in such
a scenario. The security awareness training that is created
should be engaging as well as relevant to the subject topic.
The next security awareness program is to personalize the
campaign with each employee and make sure that they are
relatable to the content that is being trained. Every employee is
to be given specific role and responsibilities that they are
familiar with and it rhymes with their jobs (Caldwell, 2016).
This would ensure that all employees are aware of exactly the
role that they have to play in the fight against cyber threats and
attacks. Tesla Company is a multinational company with diverse
employees from different countries. It would have to employ
more personalized training like making the content available in
several languages so that people can understand well why
16. security awareness is important to the company. They are also
supposed to know why they are supposed to make sure they are
fully aware of their roles and responsibilities in the fight
against cyber threats and attacks.
The business continuity plan should be able to establish a new
data center at the same or a different site if the first site is
destroyed by a disaster. This would ensure that the operations
are ongoing and that their clients do not miss out on the
services being provided. For a multinational company like
Tesla, the ability to recover from a disaster should be top
priority (Cerullo & Cerullo, 2014). The companies provide its
services to millions of people across the world and some even
depend on their services to earn a living. Being able to recover
from a disaster is important to ensure the business continues
even despite the setback.
The company should also be able to ensure they keep things
running even during the disaster. The services should continue
running even during planned outages such as maintenance and
backups. For a company like Tesla scheduled maintenance and
system backups happen most of the time so as to keep the
software and the programs up to date. The company has to
ensure that during this time operations do not stop and that the
services keep on being provided (Savage, 2012). This can be
achieved by ensuring that there is more than one server which
would enable the company to keep on providing services despite
the disruptions.
The company is also supposed to ensure that they have the
capability to access software and applications despite the
disruptions. Tesla Company can achieve this by outsourcing
some of their services so that the programs can be accessed
remotely. The availability of these applications will ensure the
customer is able to access the services of the company despite
the disruptions.
6. Conclusion
With increasing incidences of cybercrime activities that have
been reported, it is important that organizations be vigilant in
17. their efforts to mitigate potential cyber threats and attacks.
Employing these risk mitigation strategies would help prevent
the companies from potential cyber threats and attacks. This
strategy can be implemented at an early level so that the
company can prevent the attacks from an early stage, and it
would also make employees be aware of the potential threats
from an early stage. For Tesla Company, these strategies would
help in prevention of the many potential attacks that they face
daily.
The security awareness program is important especially to
companies like Tesla. Each employee is supposed to be aware of
their roles and responsibilities in fighting against cyber threat
and attack. Training must be attended by every employee to
completion and their capabilities tested in a simulated attack so
that they can be familiar with the types of attack to expect. The
business is also supposed to have continuity strategies in place
like outsourcing or having secondary servers to ensure the
business in the company continues.
7. References
Dhillon, G., & Torkzadeh, G. (2016). Value‐ focused
assessment of information system security in
organizations. Information Systems Journal, 16(3), 293-314.
Farn, K. J., Lin, S. K., & Fung, A. R. W. (2014). A study on
information security management system evaluation—assets,
threat and vulnerability. Computer Standards &
Interfaces, 26(6), 501-513.
Gerić, S., & Hutinski, Ž. (2017). Information system security
threats classifications. Journal of Information and
organizational sciences, 31(1), 51-61.
Im, G. P., & Baskerville, R. L. (2015). A longitudinal study of
information system threat categories: the enduring problem of
human error. ACM SIGMIS Database: the DATABASE for
Advances in Information Systems, 36(4), 68-79.
Scholz, R. W., Czichos, R., Parycek, P., & Lampoltshammer, T.
18. J. (2020). Organizational vulnerability of digital threats: A first
validation of an assessment method. European Journal of
Operational Research, 282(2), 627-643.
Tanwar, S., Thakkar, K., Thakor, R., & Singh, P. K. (2018). M-
Tesla-based security assessment in wireless sensor
network. Procedia computer science, 132, 1154-1162.
Menoni, S., Molinari, D., Parker, D., Ballio, F., & Tapsell, S.
(2012). Assessing multifaceted vulnerability and resilience in
order to design risk-mitigation strategies. Natural Hazards,
64(3), 2057-2082.
Stergiopoulos, G., Kotzanikolaou, P., Theocharidou, M., &
Gritzalis, D. (2015). Risk mitigation strategies for critical
infrastructures based on graph centrality analysis. International
Journal of Critical Infrastructure Protection, 10, 34-44.
Talluri, S.,Yildiz, H., & Yoon, J. (2013). Assessing the
efficiency of risk mitigation strategies in supply chains. Journal
of Business logistics, 34(4), 253-269.
Tran, T. T. H., Childerhouse, P., & Deakins, E. (2016). Supply
chain information sharing: challenges and risk mitigation
strategies. Journal of Manufacturing Technolo gy Management
Carter, W. N. (2018). Disaster management: A disaster
manager's handbook.
Chess, B., A., Fay, S., & Thornton, R. (2017). U.S. Patent No.
7,207,065. Washington, DC: U.S. Patent and Trademark Office.
Orlikowski, W., …