Requirement:
1. The report must include at least 15 references, of which at least five (5) must be peer-reviewed journal articles and at least two (2) must be books (EXCLUDING Dubé and Bernier XXXXXXXXXX AND our textbook (Romney and Steinbart, 2018) and/or previous editions (Romney et al., 2013; Romney and Steinbart, XXXXXXXXXX). Additional marks will be given to those groups that go beyond this requirement and include additional references (see marking rubric for more details).
2. You must follow the American Psychological Association (APA) referencing style for citation and referencing (see: http://guides.lib.monash.edu/ld.php?content_id=XXXXXXXXXX).
3. The Target case: https://hbsp.harvard.edu/tu/7b423b40
Question that I need to do:
After reading the Target case study, you need to write a report about cybersecurity and information systems controls. The report should answer the following questions:
1. Dubé and Bernier XXXXXXXXXX developed a Risk Management Approach for IT solutions (see Appendix below) which is comprised of five (5) steps. In steps 1 and 2 of the Risk Management Approach, Dubé and Bernier XXXXXXXXXX discuss the sources of risk that companies should analyse and, if necessary, protect themselves against in order to safeguard their systems and data. Step 1 of the Approach involves identifying potential sources of risk, including employees, organisational or business partners, hackers and technology components.
a) Analyse how each source of risk, including employees, organisational or business partners, hackers and technology components, contributed to the data breach. In other words, what role did each of those actors play in the cyberattack?
b) Taking into account the role of each of the sources of risk that you analysed above (part 1a), explain one control measure for each given source of risk that Target should have implemented to protect itself.
Appendix
Risk Management Approach for IT solutions
(Source: Translated from Dubé and Bernier, 2011, p. XXXXXXXXXX)
Each of a company’s critical information systems requires a five-step risk management approach allowing for an in-depth analysis of risks:
Step 1: Identify potential sources
The first step is to establish the most significant and frequent potential sources of risk that could hurt the organisation. They are:
· Employees, whether intentionally or unintentionally;
· Organisational/business partners, whether intentionally or unintentionally;
· Hackers whose deliberate intention is to hurt the organisation;
· Technology components (for example, IT components such as software).
Step 2: Clarify the nature of the risk
Once the different sources of risk have been identified, draw up a list of the events that could harm the company for each of these potential sources of risk. Risks will be related to:
· Data, including:
o Data theft
o Improper use of data
o Destruction of data
o Breach of data confidentiality
o Unauthorised modification of data (for example, by a virus or intruder)
· The use of software and hardware, including:
o The faulty functioning of an infrastructure component
o The abnormal functioning of an application
o An unauthorised operation by a user
o An error by a user of an application
o The shutdown and inaccessibility of a server
Step 3: Determine the impact (potential losses) and resulting costs
The impact is the consequence of the materialisation of the risk on the IT components and, consequently, on the organisation’s activities. The most significant potential consequences include:
· Interruption of the company’s activities
· Loss of revenue
· Harm to the company’s reputation
· Harm to the brand’s prestige
· Theft of trade secrets
· Lawsuits
(Edward Tello, Chief Examiner, ACC/ACF 2400, s XXXXXXXXXX)
Once the company has established the potential risk sources, the nature of the risks and their impact, it must evaluate the potential losses resulting from each of the events identified. This cost assessment is the only way to determine the scale of the impact and the relevance of implementing the appropriate controls.
Step 4: Determine control measures (as well as their cost)
If, based on the identification of the source and nature of the risk, the company decides that action is needed, it must then decide on the control(s) to be implemented and their cost (as with any assessment, consideration must be given to the total cost of ownership; i.e. not only the initial cost, but also the costs related to management, follow-up and upgrades of each of the controls). Thus, the cost of the control environment must be proportional to the estimated potential losses.
Step 5: Proceed with the implementation and ensure follow-up and continuous assessment
It is important to regularly assess the effectiveness of the controls in relation to new technological developments and the increased capacity of hackers and other sources (for example, by lengthening the encryption keys used), to manage updates (for example, updating antivirus software), to reconfigure firewalls (if attacks on the company increase), etc. Even if the company’s information systems are stable, the technological environment and the skills of hackers are constantly evolving. A return to steps 1 and 2 will be necessary to reassess risks.
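The five steps above can be carried through as a small risk register. The following Python is an added worked example written for this page; it is not code from Dubé and Bernier or from the Target case, and every risk, likelihood, dollar figure and control in it is constructed for illustration. It maps each step to a function: Step 1 restricts each entry to one of the four named sources, Step 2 records the harmful event, Step 3 turns likelihood and impact into an expected annual loss and ranks the register by it, Step 4 compares a control's total cost of ownership (initial cost plus management, follow-up and upgrade costs over the planning horizon) with the loss it avoids, and Step 5 re-estimates a risk when the threat environment changes.

```python
"""Risk register modelled on the five-step Risk Management Approach in the
Appendix. Added example: the risks, likelihoods, dollar figures and controls
below are constructed for illustration and are not taken from the Target case
or from Dubé and Bernier."""
from dataclasses import dataclass

# Step 1: the four potential sources of risk named in the Approach.
SOURCES = ("employees", "business partners", "hackers", "technology components")


@dataclass(frozen=True)
class Risk:
    source: str               # Step 1: who or what the risk comes from
    event: str                # Step 2: the event that could harm the company
    annual_likelihood: float  # Step 3: expected occurrences per year (constructed)
    impact: float             # Step 3: loss per occurrence, in dollars (constructed)

    def __post_init__(self):
        if self.source not in SOURCES:
            raise ValueError(f"unknown source of risk: {self.source!r}")

    def expected_annual_loss(self) -> float:
        """Step 3: potential loss per year = likelihood x impact."""
        return self.annual_likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    initial_cost: float  # purchase and deployment
    annual_cost: float   # management, follow-up and upgrades, per year
    reduction: float     # fraction of the event likelihood the control removes (0..1)

    def total_cost_of_ownership(self, years: int) -> float:
        """Step 4: total cost of ownership, not only the initial cost."""
        return self.initial_cost + self.annual_cost * years


def avoided_loss(risk: Risk, control: Control, years: int) -> float:
    """Loss the control is expected to prevent over the planning horizon."""
    return risk.expected_annual_loss() * control.reduction * years


def control_is_proportionate(risk: Risk, control: Control, years: int) -> bool:
    """Step 4: the cost of the control environment must be proportional to the
    estimated potential losses; here, TCO over the horizon must stay below the
    loss the control avoids over the same horizon."""
    return control.total_cost_of_ownership(years) < avoided_loss(risk, control, years)


def rank_by_exposure(register: list) -> list:
    """Step 3 ordering: largest expected annual loss first."""
    return sorted(register, key=lambda r: r.expected_annual_loss(), reverse=True)


def reassess(risk: Risk, new_annual_likelihood: float) -> Risk:
    """Step 5: return to steps 1 and 2 when attacker capability or the
    technological environment changes, and re-estimate the likelihood."""
    return Risk(risk.source, risk.event, new_annual_likelihood, risk.impact)


# Constructed register: one event per source of risk (figures are illustrative).
REGISTER = [
    Risk("employees", "security alert triaged as no-action in error", 0.5, 400_000.0),
    Risk("business partners", "vendor account used to reach the internal network", 0.3, 1_000_000.0),
    Risk("hackers", "theft of cardholder data from POS terminals", 0.1, 5_000_000.0),
    Risk("technology components", "POS terminal failure", 2.0, 20_000.0),
]

# Constructed candidate controls for two of the risks above.
SEGMENTATION = Control("segment vendor access from the POS network", 800_000.0, 150_000.0, 0.8)
SPARES = Control("spare POS hardware pool", 100_000.0, 30_000.0, 0.5)

if __name__ == "__main__":
    for r in rank_by_exposure(REGISTER):
        print(f"{r.source:22} {r.event:50} EAL ${r.expected_annual_loss():>12,.0f}")
    print("segmentation proportionate over 5 years:",
          control_is_proportionate(REGISTER[2], SEGMENTATION, 5))
    print("spare hardware proportionate over 5 years:",
          control_is_proportionate(REGISTER[3], SPARES, 5))
```

With the constructed figures, segmentation costs $1.55 million over five years against $2 million of avoided loss and passes the Step 4 test, while the spare hardware pool costs $250,000 against $100,000 of avoided loss and does not; changing a single likelihood through reassess() shows how a Step 5 review can flip that decision.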

Autopsy of a Data Breach: The Target Case
Volume 14
Issue 1
March 2016
Case (footnotes 1, 2) prepared by Line DUBÉ (footnote 3)
On December 19, 2013, Target, the second-largest retailer in the United States, announced a breach involving the theft of data from over 40 million credit and debit cards used to make purchases in its U.S. stores between November 27 and December 18 (footnote 4).

On January 10, 2014, it reported that the cybercriminals had also stolen personal data, including the names, telephone numbers, home addresses and email addresses of up to 70 million additional customers.
The Discovery
As is often the case in such situations, Target learned of the data breach from law enforcement agencies. Indeed, on December 13, 2013, representatives from the U.S. Department of Justice notified Target’s management of a large number of fraudulent debit and credit card transactions that all seemed to share a link to transactions made at Target. Following this meeting, Target hired a computer forensics firm to investigate the breach. The results confirmed its worst fears: cybercriminals had been hacking into Target’s systems and stealing data from 40 million debit and credit cards used in its U.S. establishments since November 27. Target wasted no time eradicating all the software used by the cybercriminals, but despite the company’s eagerness to stifle the news, word got out and reporters started asking questions.
On December 19, under growing pressure, Target announced the breach and theft of the data. Its website and call centre were quickly inundated with calls from worried consumers, creating a nightmare scenario for its customer service department. To make matters even worse, the breach occurred during the pre-Christmas shopping season, which included Black Friday, one of the busiest days of the year for “brick-and-mortar” retailers. The data breach affected approximately 10% of all debit and credit cards in circulation in the United States.

1 Translation from the French by Andrea Neuhofer of case # XXXXXXXXXX, “Autopsie d’un vol de données : le cas Target.”
2 This case was written using public information sources and therefore reflects the facts, opinions and analyses published in the media. The blog by the investigative reporter Brian Krebs (krebsonsecurity.com), an expert in the field of computer security, was also a valuable source of information. See the list of publications used at the end of the case.
3 Line Dubé is a full professor in HEC Montréal’s Department of Information Technologies.
4 This date varies between December 15 and 18, depending on the source. December 18 is used here because it is the date given by John Mulligan, Target’s Executive Vice-President and Chief Financial Officer, in testimony before the U.S. Senate Committee on the Judiciary on February 4, 2014 (see http://www.judiciary.senate.gov/meetings/privacy-in-the-digital-age-preventing-data-breaches-and-combating-cybercrime).

© HEC Montréal 2016
All rights reserved for all countries. Any translation or alteration in any form whatsoever is prohibited.
The International Journal of Case Studies in Management is published on-line (http://www.hec.ca/en/case_centre/ijcsm/), ISSN XXXXXXXXXX.
This case is intended to be used as the framework for an educational discussion and does not imply any judgement on the administrative situation presented. Deposited under number XXXXXXXXXX001T with the HEC Montréal Case Centre, 3000, chemin de la Côte-Sainte-Catherine, Montréal (Québec) H3T 2A7 Canada.
HEC130
This document is authorized for use only in Dr Edward Tello's ACC/ACF2400 S2 2018 ACCOUNTING INFORMATION SYSTEMS at Monash University from Jul 2018 to Jan 2019.

The financial institutions that had issued the cards from which data had been stolen reacted swiftly to Target’s announcement. Normally, in order to minimize losses, the banks would simply cancel the cards and issue new ones. However, because of the sheer number of cards affected and the massive costs involved, and because the holiday season is a very bad time to leave consumers unable to pay for purchases (without the possibility of paying by credit card or withdrawing cash from an ATM using a debit card), the banks sought alternative solutions. JP Morgan Chase, for example, which had at least two million affected customers, quickly placed strict limits on withdrawals ($100 in cash per day; $300 limit on card purchases) by its potentially affected customers until new cards could be issued. The banks, left alone to manage the breach, faced extraordinary financial and logistical challenges.

At the same time, Target launched a major public relations operation. It assured its customers that the technological component responsible for the breach had been found and destroyed and that they could continue to confidently shop in its stores. It also pledged that no one would be held liable for fraudulent transactions and offered a free subscription to a credit monitoring service. With the assistance of a specialized firm, Target continued its investigation of this major breach in an effort to get to the bottom of what had gone wrong. The U.S. Justice Department and Secret Service did the same.

So, What Did Happen?
Experts agree that the attack was perpetrated by cybercriminals who used a well-known strategy and what are in fact fairly conventional technological tools. Between November 15 and 27, the hackers managed to penetrate Target’s point-of-sale network (most cash registers today are actually computers) and to install malware on the terminals. The malware resembled a widely known program called
Answered Same Day Sep 02, 2020 ACF2400 Monash University

Solution

Preeta answered on Sep 02 2020
154 Votes
1. (a) Hoo (2000) mentioned in his research paper that in this computer age, all the vital information is entered there, but it is very essential to secure it since that’s a difficult thing to do. Barateiro et al. (2010), in their article, stated that risk management is a continuing, ongoing process which needs to be changed over time; they also suggested a few ways to preserve digital data. Dutta & McCrohan (2002) mentioned in their research article that management has a big role to play in its data security.
The role played by each of the players in the cyber attack:
· Employees – The company had a well-established anti-malware system named FireEye; almost $1.6 million was spent to install it. It prevents, rather than only detecting, any hacking activity. The software issued some level 1 alerts, which were scrutinized by the employees of the company, but they decided that no action was necessary. Although the employees did it unintentionally, timely detection by them could have been helpful.
· Organizational or Business Partners – The company had an HVAC firm as its vendor in Pennsylvania, named Fazio Mechanical Service; they had access to the company’s network for project...