Marking Guide

PART 1 (60 marks): ANALYZE STRIDE PER ELEMENT

Spoofing (6 marks) - entity and process.

Tampering (9 marks) - data flow, data store and process.

Repudiation (3 marks) - entity.

Information disclosure (9 marks) - data stores and data flows.

Denial of service (9 marks) - process, data stores and data flows.

Elevation of privilege (3 marks) - process.

We choose the BEST entry for each combination and award up to three marks for it, one mark for each of these three elements:
  • correct application as an attack
  • application to the right victim
  • impact of threat makes sense in the context of the system

Work done (three possibilities):
  • less than one threat per row (0 marks)
  • more than one threat per row (11 marks)
  • a threat for each applicable cell (21 marks)

PART 2 (20 marks): SUMMARISE THREATS AND APPLY DREAD

We find the best answers for TWO threats, one mark per:
  • description
  • damage potential
  • reproducibility
  • exploitability
  • affected customers

Work done:
  • one mark per unique threat up to ten marks (10 marks)

PART 3 (20 marks): DECIDE HOW TO HANDLE RISKS

Find the best example of each of these types of strategies:
  • mitigation (4 marks)
  • elimination (4 marks)
  • transfer (4 marks)
  • accept risk (4 marks)

Work done:
  • half mark per answer up to eight marks (4 marks)