Assignment 4

Introduction

What is Slack?

Slack is “a powerful workplace collaboration tool used by companies of all sizes for communication and file sharing”.
It offers features like:

  • Channels — Organized spaces for team or project-specific discussions.
  • Direct Messaging — One-on-one or small group conversations.
  • File Sharing — Easy exchange of documents, images, and more.
  • Integrations — Seamless connection with apps like Google Drive, Zoom, and others.

Security, Risk, and Investment in Online Tools

Like any online tool, Slack stores and processes potentially sensitive company information. The videos you watched for the class on March 13 discussed the key concepts you’ll be applying to the Slack use case:

  • How we measure the strength of a system’s defences (e.g., number of patched vulnerabilities, speed of incident response) — Security Metrics
  • Identifying potential threats and actions to reduce their likelihood or impact — Risk Management
  • The financial commitment a company makes to protecting its data and systems — Security Investment

Problem 1: Economic, Organizational, and Political Aspects of Cybersecurity (in the lab)

Your goal today is to analyze the ideas from the videos and:

  • (3 points) Assess how you would measure Slack’s security.
  • (4 points) Design a plan to deal with potential threats to company data on Slack.
  • (5 points) Explain why investing in Slack’s security is crucial.
  • (3 points) Suggest operational practices to make day-to-day Slack usage more secure.

See below for the detailed description of each task.

(3 points) Slack Security Assessment

Develop a list (up to 3) of critical security metrics that would be most relevant when evaluating Slack’s security level. Explain why each metric is important in the context of a collaboration platform like Slack.

(4 points) Risk Mitigation Plan for Slack

Design a risk mitigation plan specifically for Slack. Address the following:

  • Identify three significant risks a company could face when using Slack.
  • For each risk, propose up to 2 reduction/mitigation strategies (consider strategies that use a mix of technical, administrative, and physical controls).

(5 points) Justifying Security Investments in Slack

Build an argument to convince a company’s executives of the need to invest heavily in Slack’s cybersecurity. Your argument must:

  • Connect potential security risks faced by Slack to financial or reputational losses for the company. (Risks/Costs)
  • Propose a potential budget allocation for security (for example, in % of annual revenue), demonstrating how this investment would outweigh the potential cost of breaches. (Investment/Loss)

(3 points) Operational Security for a Slack-using Company

Draft a list of best practices in operational security management for a company using Slack.

  • Identify up to 5 specific best practices related to access controls, data management, and incident response within Slack.
  • Explain how each practice mitigates risks discussed in previous tasks.

Notes

Aim for roughly 20 minutes per task so that you have time left to outline the report.

Problem 2: Economic, Organizational, and Political Aspects of Cybersecurity (at home)

Analyzing Information Sharing Failures

Analyze why information sharing about cyber attacks between companies often fails.

  • (3 points) Identify at least two ways this resembles a market failure situation.
  • (3 points) Propose ONE policy intervention that could incentivize better information sharing, explaining how it would counter the specific market failures you identified.

PCI DSS Compliance and Market

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements created by major card brands (Visa, Mastercard, etc.). Any business that stores, processes, or transmits credit card data must comply with these standards. The key goals of PCI DSS are to:

  • Build and Maintain a Secure Network. This includes things like firewalls and secure system configurations.
  • Protect Cardholder Data. This involves encryption, both while data is stored and while being sent online.
  • Regularly Monitor and Test Networks. Businesses must conduct vulnerability scans and penetration testing.
  • Maintain an Information Security Policy. This covers how a business handles all aspects of data security.

You may see a more detailed introduction here (5:05):
https://www.youtube.com/watch?v=szVmMxWORBc

  • (3 points) Explain two potential market failures in the credit card industry that PCI DSS aims to correct. Be specific about the type of failure (externality, lack of information, etc.).
  • (3 points) Argue whether PCI DSS is likely to be more effective as a government-mandated regulation or as an industry-led standard. Justify your answer, referencing potential benefits and drawbacks of each approach.
  • (7 points) Could PCI DSS have unintended consequences? Discuss up to three potential negative outcomes for consumers, smaller businesses, or possible future innovations within the payment industry.