Final Research Paper
Risk management is one of the most important components in empowering an organization to achieve its ultimate vision. With proper risk management culture and knowledge, team members will be “speaking” the same language, and they will leverage common analytical abilities to identify and mitigate potential risks as well as exploit opportunities in a timely fashion. In order to consolidate efforts, the existence of an integrated framework is crucial. This is why an ERM is necessary to the fulfillment of any organization’s goals and objectives.
In your final research project for the course, your task is to write a 7-10 page paper discussing the following concepts:

Why should an organization implement an ERM application?
What are some key challenges and solutions to implementing an ERM?
What is important for an effective ERM?
Discuss at least one real organization that has been effective with implementing an ERM framework or application.
Conclusion, final thoughts for future research

Your paper should meet the following requirements:

Be approximately seven to ten pages in length, not including the required cover page and reference page.
Follow APA7 guidelines. Use Calibri, 11 pt. Your paper should include an introduction, a body with fully developed content, and a conclusion. Try dividing your paper into sections with section headers.
Support your answers with the readings from the course, the course textbook, and at least ten scholarly journal articles to support your positions, claims, and observations, in addition to your textbook.
Be clear, well-written, concise, and logical, using excellent grammar and style techniques. You are being graded in part on the quality of your writing.


Next-Generation Digital Forensics: Challenges and
Future Paradigms

Reza Montasari
Department of Computing and Engineering

The University of Huddersfield

Huddersfield, U.K.

Richard Hill
Department of Computing and Engineering

The University of Huddersfield

Huddersfield, U.K.

Abstract— In recent years, Information and Communications Technology (ICT) has rapidly advanced, bringing numerous benefits to the lives of many individuals and organisations. Technologies such as Internet of Things (IoT) solutions, Cloud-Based Services (CBSs), Cyber-Physical Systems (CPSs) and mobile devices have brought many benefits to technologically-advanced societies. As a result, commercial transactions and governmental services have rapidly grown, revolutionising the lifestyles of many individuals living in these societies. While technological advancements undoubtedly present many advantages, at the same time they pose new security threats. As a result, the number of cases that necessitate Digital Forensic Investigations (DFIs) is on the rise, culminating in the creation of a backlog of cases for law enforcement agencies (LEAs) worldwide. Therefore, it is of paramount importance that new research approaches be adopted to deal with these security threats. To this end, this paper evaluates the existing set of circumstances surrounding the field of Digital Forensics (DF). Our research study makes two important contributions to the field of DF. First, it analyses the most difficult technical challenges that need to be considered by both LEAs and Digital Forensic Experts (DFEs). Second, it proposes important specific future research directions, the undertaking of which can assist both LEAs and DFEs in adopting a new approach to combating cyber-

Keywords—digital forensics, IoT forensics, cloud forensics,
cybersecurity, digital investigation, encryption, anti-forensics

In recent years, we have witnessed rapid advancements in Information and Communication Technology (ICT) features. Technologies such as communication networks, mobile devices, Internet of Things (IoT) solutions, Cloud-Based Services (CBSs), and Cyber-Physical Systems (CPSs) have brought many benefits to technologically-advanced societies [1, 2, 3]. As a result, commercial transactions and governmental services have rapidly grown, revolutionising the lifestyles of many individuals living in these societies. While technological advancements undoubtedly present many advantages, at the same time they pose new cybersecurity threats which have significant impacts on a variety of domains such as government systems, enterprises, ecommerce, online banking, and critical infrastructure. According to an official survey conducted by The Office for National Statistics [4], there were an estimated 3.6 million cases of fraud and two million computer

The Governance of Corporate Forensics using
COBIT, NIST and Increased Automated Forensic


Henry Nnoli1, Dale Lindskog2, Pavol Zavarsky2, Shaun Aghili2, Ron Ruhl2
1ATB Financial, Edmonton T5J 1P1, Canada

2Information Systems Security Management, Concordia University College of Alberta, Edmonton T5B 4E4, Canada, {dale.lindskog, pavol.zavarsky, shaun.aghili, ron.ruhl}

Abstract—Today, the ability to investigate internal matters such as policy violations, regulatory compliance, and employee separation has become important in order for corporations to manage risk. The degree of information security threats evolving on a daily basis has increasingly raised concerns for enterprise organizations. These threats include but are not limited to fraud, insider threat and intellectual property (IP) theft. These have increased the demand for organizations to implement corporate forensics as a deterrent to illegitimate acts or for linking perpetrators to their illegitimate acts. This explains why forensic practices are expanding from the traditional role in law enforcement and becoming an essential part of business processes. However, most organizations may not be maximizing the benefits of corporate forensic capabilities because of lack of corporate forensic governance best practices, needed to ensure organizations prepare their operating environment for digital forensic investigation. Corporate forensic governance will help ensure that digital evidence is obtained in an efficient and effective way with minimal interruption to the business. This paper presents a corporate forensic governance framework intended to enhance forensic readiness, governance, and management, and increase the use of automated forensic techniques and in-house forensically sound practices in large organizations that have a need for these practices.

Index Terms—corporate forensic governance; corporate
forensic readiness; increased automated forensic solutions;
digital forensic investigation; digital evidence

Most organizations waste effort, time and resources in carrying out forensic investigations due to lack of corporate forensic preparedness [4]. Forensic readiness (preparedness) can be defined as the process of being prepared (having the right policies, procedures, people, techniques in place to respond professionally and timely) before an incident occurs. Rowlingson [4], in his paper ‘A Ten Step Process for Forensic Readiness’, described forensic readiness as the ability of an organization to maximize its potential to use digital evidence while minimizing the cost of an investigation. In his paper he discussed practices that, when implemented before a digital incident occurs, can help organizations to be ready to carry out forensic investigations. However, forensic readiness is one part of a comprehensive and well-structured corporate forensic governance program.


Future Internet


ERMOCTAVE: A Risk Management Framework for IT
Systems Which Adopt Cloud Computing

Masky Mackita 1, Soo-Young Shin 2 and Tae-Young Choe 3,*
1 ING Bank, B-1040 Brussels, Belgium;
2 Department of IT Convergence Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea;
3 Department of Computer Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea
* Correspondence:; Tel.: +82-54-478-7526

Received: 22 June 2019; Accepted: 3 September 2019; Published: 10 September 2019

Abstract: Many companies are adopting cloud computing technology because moving to the cloud has an array of benefits. During the decision-making process for adopting cloud computing, the importance of risk management is progressively recognized. However, traditional risk management methods cannot be applied directly to cloud computing when data are transmitted and processed by external providers. When they are directly applied, risk management processes can fail by ignoring the distributed nature of cloud computing and leaving numerous risks unidentified. To address this, this paper introduces a new risk management method, Enterprise Risk Management for Operationally Critical Threat, Asset, and Vulnerability Evaluation (ERMOCTAVE), which combines Enterprise Risk Management and Operationally Critical Threat, Asset, and Vulnerability Evaluation for mitigating risks that can arise with cloud computing. ERMOCTAVE is composed of the two risk management methods, combining each component of one with the processes of the other for a comprehensive perception of risks. In order to explain ERMOCTAVE in detail, a case study scenario is presented in which an Internet seller migrates some modules to the Microsoft Azure cloud. A functionality comparison with the ENISA and Microsoft cloud risk assessments shows that ERMOCTAVE has additional features, such as key objectives and strategies, critical assets, and risk measurement criteria.

Keywords: risk management; ERM; OCTAVE; cloud computing; Microsoft Azure

1. Introduction

Cloud computing is a technology that uses virtualized resources to deliver IT services through the Internet. It can also be defined as a model that allows network access to a pool of computing resources such as servers, applications, storage, and services, which can be quickly offered by service providers [1]. One of the properties of the cloud is its distributed nature [2]. Data in cloud environments have gradually become distributed, moving from a centralized model to a distributed model. That distributed nature causes cloud computing actors to face problems such as loss of data control, difficulty demonstrating compliance, and additional legal risks such as data migration from one legal jurisdiction to another. An example is, which suffered a huge outage, locking more than 900,000 subscribers out of important resources needed for busines


Walid Al-Ahmad, Bassil Mohammed, Vol. 2, No. 2


Addressing Information Security Risks by Adopting


Walid Al-Ahmad*‡, Bassil Mohammad**

*Computer Science Department, Faculty of Arts and Science, Gulf University for Science & Technology, Kuwait

**Ernst & Young, Amman, Jordan

P.O.Box 7207 Hawally, 32093 Kuwait, Tel: +96525307321, Fax: +965 25307030, e-mail:

Abstract- Modern society depends on information technology in nearly every facet of human activity including finance, transportation, education, government, and defense. Organizations are exposed to various and increasing kinds of risks, including information technology risks. Several standards, best practices, and frameworks have been created to help organizations manage these risks. The purpose of this research work is to highlight the challenges facing enterprises in their efforts to properly manage information security risks when adopting international standards and frameworks. To assist in selecting the best framework to use in risk management, the article presents an overview of the most popular and widely used standards and identifies selection criteria. It suggests an approach to proper implementation as well. A set of recommendations is put forward with further research opportunities on the subject.

Keywords- Information security; risk management; security frameworks; security standards; security management.

1. Introduction

The use of technology is increasingly covering most aspects of our daily life. Businesses which are heavily dependent on this technology use information systems which were designed and implemented with concentration on functionality, cost reduction and ease of use. Information security was not incorporated early enough into systems and only recently has it started to get the warranted attention. Accordingly, there is a need to identify and manage these hidden weaknesses, referred to as systems vulnerabilities, and to limit their damaging impact on the information systems' integrity, confidentiality, and availability. Vulnerabilities are exploited by attacks which are becoming more targeted and sophisticated. Attacking techniques and methods are virtually countless and are evolving tremendously [1, 2].

In any enterprise, information security risks must be identified, evaluated, analyzed, treated and properly reported. Businesses that fail in identifying the risks associated with the technology they use, the people they employ, or the environment where they operate usually subject their business to unforeseen consequences that might result in severe damage to the business [3]. Therefore, it is critical to establish reliable information security risk assessment and treatment frameworks to guide organizations during the risk management process.

Because risks cannot



What is Enterprise
risk management?


Mark S. Beasley
Deloitte Professor of ERM and Director of the ERM Initiative

North Carolina State University

2801 Founders Drive
Raleigh, NC 27695

919.513.0901 |




All organizations have to manage risks in order to stay in business. In fact, most would say that
managing risks is just a normal part of running a business. So, if risk management is already occurring
in these organizations, what’s the point of “enterprise risk management” (also known as “ERM”)?

Let’s Start by Looking at Traditional Risk Management

Business leaders manage risks and they have done so for decades. Thus, calls for enterprise risk
management aren’t suggesting that organizations haven’t been managing risks. Instead, proponents
of ERM are suggesting that there may be benefits from thinking differently about how the enterprise
manages risks affecting the business.

Traditionally, organizations manage risks by placing responsibilities on business unit leaders to
manage risks within their areas of responsibility. For example, the Chief Technology Officer (CTO) is
responsible for managing risks related to the organization’s information technology (IT) operations,
the Treasurer is responsible for managing risks related to financing and cash flow, the Chief Operating
Officer is responsible for managing production and distribution, and the Chief Marketing Officer is
responsible for sales and customer relationships, and so on. Each of these functional leaders is
charged with managing risks related to their key areas of responsibility. This traditional approach to
risk management is often referred to as silo or stove-pipe risk management whereby each silo leader
is responsible for managing or elevating risks within their silo as shown in Figure 1 below.

Figure 1



Limitations with Traditional Approaches to Risk Management

While assigning functional experts responsibility for managing risks related to their business unit
makes good sense, this traditional approach to risk management has limitations, which may mean
there are significant risks on the horizon that may go undetected by management and that might
affect the organization. Let’s explore a few of those limitations.

Limitation #1: There may be risks that “fall between the siloes” that none of the silo leaders can see.
Risks don’t follow management’s organizational chart and, as a result, they can emerge anywhere in
the business. As a result, a risk may be on the horizon that does not capture the attention of any of
the silo leaders causing that risk to go unnoticed until it triggers a catastrophic risk event. For example,
none of the silo leaders may be paying attention to demo


A Survey on Digital Forensics in Internet of Things
Jianwei Hou , Yuewei Li, Jingyang Yu, and Wenchang Shi

Abstract—Internet of Things (IoT) is increasingly permeating people’s lives, gradually revolutionizing our way of life. Due to the tight connection between people and IoT, now civil and criminal investigations or internal probes must take IoT into account. From the forensic perspective, the IoT environment contains a rich set of artifacts that could benefit investigations, while the forensic investigation in the IoT paradigm may have to alter to accommodate characteristics of IoT. Therefore, in this article, we analyze the impact of IoT on digital forensics and systematize the research efforts made by previous researchers from 2010 to 2018. We sketch the landscape of IoT forensics and examine the state of IoT forensics under a 3-D framework. The 3-D framework consists of a temporal dimension, a spatial dimension, and a technical dimension. The temporal dimension walks through the standard digital forensic process while the spatial dimension explores where to identify sources of evidence in the IoT environment. These two dimensions attempt to provide principles and guidelines for standardizing digital investigations in the context of IoT. The technical dimension guides a way to the exploration of tools and techniques to ensure the enforcement of digital forensics in the ever-evolving IoT environment. Put together, we present a holistic overview of digital forensics in IoT. We also highlight open issues and outline promising suggestions to inspire future

Index Terms—Cybercrime, digital forensics, Internet of
Things (IoT).


With the Internet of Things (IoT) permeating our daily lives, people are becoming more reliant on various kinds of smart IoT services, leaving traces on various IoT devices. These rich repositories of digital traces in the IoT environment can provide insight into people’s daily activities in their home and elsewhere, which are of great value to digital forensics [1]. On the other hand, the number of both civil and criminal cases involving IoT devices or services has grown. IoT devices may not only be targets for attacks, but also tools for committing crimes. Security vulnerabilities in IoT systems can be leveraged to remotely control the systems, for example, to control the accelerator and brake system of the smart

Manuscript received May 9, 2019; revised July 9, 2019; accepted August
26, 2019. Date of publication September 11, 2019; date of current version
January 10, 2020. This work was supported in part by the National Natural
Science Foundation of China under Grant 61472429, in part by the Natural
Science Foundation of Beijing Municipality under Grant 4122041, and in
part by the National High Technology Research and Development Program of
China under Grant 2007AA01Z414. (Corresponding author: Wenchang Shi.)

J. Hou, Y. Li, and W

Integration of ERM
with Strategy
Case Study Analysis – April 2016

Prepared by: Ha Do, Maria Railwaywalla, Jeremiah Thayer
Graduate Students, Poole College of Management, NCSU

Table of Contents

I. Introduction …………………………………………………………………………………………… 2

II. Case Study: Mitchell Industries ……………………………………………………………….. 3

III. Case Study: Eli Lilly ……………………………………………………………………………….. 9

IV. Case Study: Daisy Company …………………………………………………………………… 15

V. Conclusion …………………………………………………………………………………………….. 21

VI. Appendix ………………………………………………………………………………………………. 22

A1: Mitchell Industries: Risk Assessment Template

A2: Mitchell Industries: Template Assessing Risk in Relation to Strategy

A3: Eli Lilly: Risk Assessment Template

A4: Eli Lilly: Risk Ranking Matrix

A5: Daisy Company: Risk Template

A6: Daisy Company: Rating Scale

VII. About the Authors …………………………………………………………………………………. 34



One of the greatest sources of risk for today’s companies arises from the context of their strategic plan. While a company’s strategy drives its value creation, it also entails risk-taking; when strategies change or new initiatives are implemented, new risks may be introduced or existing risks could change. The greater the degree of integration between strategy and risk management, the more likely it is that a company will be able to successfully implement its strategy.

Enterprise Risk Management (ERM) is an emerging process that can serve many purposes: as a tool for risk management, strategic planning, and identification of emerging opportunities and potential competitive advantages. The purpose of this case study is to provide a description of the processes used by three different companies in different industries to illustrate the ways these companies have integrated ERM in the context of their strategy.

These case studies are based on real life examples of how companies have attempted to better integrate their ERM process within their strategic planning process. The three cases reveal the variety of methods that can be used based on a company’s strategic objectives, business model, culture, and maturity in ERM implementation. This report also highlights key takeaways as points of comparison when assessing the level of integration between ERM and the strategic planning and implementation process.

Readers should keep the following in mind:

● ERM personnel can use this document to assess their company’s level o


Interdependent Strategic Security Risk Management
With Bounded Rationality in the Internet of Things

Juntao Chen , Student Member, IEEE, and Quanyan Zhu, Member, IEEE

Abstract— With the increasing connectivity enabled by the Internet of Things (IoT), security becomes a critical concern, and users should invest to secure their IoT applications. Due to the massive number of devices in the IoT network, a user cannot be aware of the security policies taken by all of his connected neighbors. Instead, a user makes security decisions based on the cyber risks that he perceives by observing a selected number of nodes. To this end, we propose a model which incorporates the limited attention or bounded rationality nature of players in the IoT. Specifically, each individual builds a sparse cognitive network of nodes to respond to. Based on this simplified cognitive network representation, each user then determines his security management policy by minimizing his own real-world security cost. The bounded-rational decision-making of players and their cognitive network formations are interdependent and thus should be addressed in a holistic manner. We establish a games-in-games framework and propose a Gestalt Nash equilibrium (GNE) solution concept to characterize the decisions of agents and quantify their risk of bounded perception due to the limited attention. In addition, we design a proximal-based iterative algorithm to compute the GNE. With case studies of smart communities, the designed algorithm can successfully identify the critical users whose decisions need to be taken into account by the other users during security management.

Index Terms— Risk management, bounded rationality, cognitive networks, Internet of Things, smart community.


Recent years have witnessed a significant growth of the urban population. As the growth continues, cities need to become more efficient to serve the surging population. To achieve this objective, cities need to become smarter with the integration of information and communication techniques (ICTs) and urban infrastructures. Driven by the advances in sensing, computing, storage and cloud technologies, the Internet of Things (IoT) plays a central role in supporting the development of the smart city. Though IoT enables a highly connected world, the security of IoT becomes a critical concern. There are 5.5 million new things connected

Manuscript received May 21, 2018; revised March 4, 2019; accepted
April 9, 2019. Date of publication April 15, 2019; date of current ver-
sion July 2, 2019. This work was supported in part by the National Sci-
ence Foundation under Award SES-1541164 and Award ECCS-1847056,
in part by the Army Research Office (ARO) under Grant W911NF1910041,
and in part by a grant through the Critical Infrastructure Resilience
Institute (CIRI). The associate editor coordinating the review of this

2019 14th Iberian Conference on Information Systems and Technologies (CISTI)

19 – 22 June 2019, Coimbra, Portugal

ISBN: 978-989-98434-9-3

How ISO 27001 can help achieve GDPR compliance

Isabel Maria Lopes
Polytechnic Institute of Bragança, Bragança, Portugal
UNIAG, Polytechnic Institute of Bragança, Portugal
ALGORITMI Centre, Minho University, Guimarães,


Pedro Oliveira
Polytechnic Institute of Bragança, Bragança, Portugal

Teresa Guarda
Universidad Estatal Península de Santa Elena – UPSE, La

Libertad, Ecuador
Universidad de las Fuerzas Armadas – ESPE, Sangolqui,

Quito, Equador
ALGORITMI Centre, Minho University, Guimarães,


Abstract — Personal Data Protection has been among the most discussed topics lately and a reason for great concern among organizations. The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. The regulation will fundamentally reshape the way in which data is handled across every sector. Organizations had two years to implement it. As noted by many authors, the implementation of the regulation has not been an easy task for companies. The question we aim to answer in this study is the extent to which implementing the ISO 27001 standard might be a facilitating factor for organizations seeking easier compliance with the regulation. In order to answer this question, several websites (mostly of consulting companies) were analyzed, and the aspects considered as facilitating are listed in this paper.

Keywords – regulation (EU) 2016/679; general data protection
regulation; ISO/IEC 27001.

In recent years, data protection has become a forefront issue in cyber security. The issues introduced by recurring organizational data breaches, social media and the Internet of Things (IoT) have raised the stakes even further [1, 2]. The EU GDPR, enforced from May 25 2018, is an attempt to address such data protection. The GDPR makes for stronger, unified data protection throughout the EU.

The EU GDPR states that organizations must adopt
appropriate policies, procedures and processes to protect the
personal data they hold.

The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 series is a set of information security standards that provide best-practice recommendations for information security management. This international standard for information security, ISO 27001, provides an excellent starting point for achieving the technical and operational requirements necessary to reduce the risk of a breach.

Not all data is protected by the GDPR, since it is only
applicable to personal data. This is defined in Article 4 as
follows [4]:

“personal data” means any information relating to an
identified or identifiable natural person (’data subject’); an
