Business Report

[et_pb_section fb_built="1" specialty="on" _builder_version="4.9.3" _module_preset="default" custom_padding="0px|0px|0px|||"][et_pb_column type="3_4" specialty_columns="3" _builder_version="3.25" custom_padding="|||" custom_padding__hover="|||"][et_pb_row_inner _builder_version="4.9.3" _module_preset="default" custom_margin="|||-44px|false|false" custom_margin_tablet="|||0px|false|false" custom_margin_phone="" custom_margin_last_edited="on|tablet" custom_padding="28px|||||"][et_pb_column_inner saved_specialty_column_type="3_4" _builder_version="4.9.3" _module_preset="default"][et_pb_text _builder_version="4.9.3" _module_preset="default" hover_enabled="0" sticky_enabled="0"]
    1. QUESTION

    Assessed intended learning outcomes

     

    On successful completion of this assessment, you will be able to:

    Knowledge and Understanding

    On successful completion of the module the student will be able to:

    1. Locate, synthesise and critically evaluate recent/current information from a wide range of published literature in the areas of Procurement, Risk, and Contract Management.
    2. Apply knowledge of the theory and practice of Procurement, Risk, and Contract Management to develop insights into and solve current problems.
    3. Critically evaluate the use of complex models of Procurement, Risk, and Contract Management; systematically and creatively making sound judgements based on the systematic analysis and creative synthesis of ideas.
    4. Critically and effectively assess the value of theories, concepts and models to the practice of Procurement, Risk, and Contract Management.   

    Practical, Professional or Subject Specific Skills

    1. Leads by example - has high levels of self-awareness, emotional and social intelligence, empathy and compassion, and is able to identify mental well-being in others. Works collaboratively, enabling empowerment and delegation - acts with humility and authenticity, is credible, confident and resilient.
    2. Judgement and Challenge - Takes personal accountability aligned to clear values. Demonstrates flexibility and willingness to challenge when making decisions and solving problems - instils confidence demonstrating honesty, integrity, openness, and trust.
    3. Courage & Curiosity - is confident and brave, willing to innovate, seeks new ideas and looks for contingencies. Manages complexity and ambiguity, comfortable in uncertainty, and is pragmatic.
    4. Valuing Difference - engaging with all, is ethical and demonstrates inclusivity, recognising diversity, championing, and enabling cultural inclusion. Empowers and motivates to inspire and support others.
    5. Professional - Reflects on own performance, demonstrates professional standards in relation to behaviour and ongoing development. Advocates the use of good practice within and outside the organisation.

    Transferable Skills and other Attributes

    1.       Develop their critical skills, especially in relation to published literature in the field.

    2.       Work independently and with others in analysing and presenting solutions to Procurement, Risk, and Contract Management problems.

    3.       Locate and synthesise information from a range of published literature and electronic sources and present this effectively in both oral and written forms.

    4.       Take responsibility for personal learning and continuous professional development.

    5.       Make decisions in complex and unpredictable situations.

    Module Aims

     

    ·         Allow students to develop an in-depth understanding of Procurement, Risk, and Contract Management.

    ·         Provide students with an overview of project risk in order to maximize the probability and consequences of positive events and to minimize the probability and consequences of adverse events to project objectives.

    ·         Provide students with the skills to effectively manage procurement processes in a multitude of environments. 

     

    Word count/ duration (if applicable)

     

    The maximum word count is 3000 words (+/- 10%).  Your word count is from the introduction to conclusion sections.  Therefore, it does not include title page, contents page, reference section, appendices etc. If the assignment exceeds these limits, the work in excess of 3’300 words is not marked.

     

    Feedback arrangements

    You can expect to receive feedback

    ·         Two working weeks (excluding University Seasonal Closing) after the submission date.

    ·         Marks and written feedback will be available on the OnlineCampus

    o   You will need to log into the full site to access the written feedback.

    o   An announcement will be made informing you of the release.

    Support arrangements

    You can obtain support for this assessment by attending your module lectures and through the dedicated forum thread.    

     

    askUS

    The University offers a range of support services for students through askUS.

    Good Academic Conduct and Academic Misconduct

    Students are expected to learn and demonstrate skills associated with good academic conduct (academic integrity). Good academic conduct includes the use of clear and correct referencing of source materials. Here is a link to where you can find out more about the skills which students require http://www.salford.ac.uk/skills-for-learning.

     

    Academic Misconduct is an action which may give you an unfair advantage in your academic work. This includes plagiarism, asking someone else to write your assessment for you or taking notes into an exam. The University takes all forms of academic misconduct seriously.  You can find out how to avoid academic misconduct here https://www.salford.ac.uk/skills-for-learning.

     

    Personal Mitigating Circumstances

    If personal mitigating circumstances may have affected your ability to complete this assessment, you can find more information about personal mitigating circumstances procedure here.

     

    Student Progression Administrator

    If you have any concerns about your studies, contact StudentCare.

     

     

    Assessment Criteria

    You should look at the assessment criteria to find out what we are specifically looking at during the assessment.

     

    Marking Scheme

    Criteria | Marks
    Use of theory | 30
    Examples | 30
    Quality of argument | 10
    Reference to course ideas | 10
    Citation and References | 10
    Conclusions | 10

     

     

     

    These are the Level 7 undergraduate Generic Grade Descriptors for ‘Knowledge’

     

    ·         Outstanding - 100-90 

    o   Outstanding knowledge.  Theory is linked to practice to an exceptional level and may be used to formulate new questions, ideas or challenges.

    ·         Excellent – 80-89

    o   Integrates the complexity of a range of knowledge and excellent understanding of its relevance.

    o   Excellent depth of knowledge in a variety of contexts.  Coherent and systematic application of theory to practice

    ·         Very Good – 70-79

    o   Comprehensive knowledge demonstrating very good depth and breadth.  Clear insight into links between theory and practice. Demonstrates ability to transfer knowledge between different contexts appropriately. Consistently accurate level of knowledge in depth and breadth.

    ·         Good – 60-69

    o   Consistently relevant accurate knowledge with good depth and breadth.  Clear and relevant application of theory to practice.  Good identification of key themes. Good demonstration of depth and breadth of knowledge.

    ·         Fair – 50-59

    o   Mostly accurate knowledge with satisfactory depth and breadth of knowledge.  Sound integration of theory and practice with satisfactory identification of key themes. Fair demonstration of depth and breadth of knowledge.

    ·         Adequate – 40-49

    o   Basic knowledge with occasional inaccuracies; appropriate yet basic integration of theory and practice.  Superficial depth or limited breadth with unsatisfactory identification of key themes. Basic knowledge demonstrated with some inaccuracies.

    ·         Unsatisfactory – 30-39

    o   Limited evidence of knowledge.  Inappropriate links between theory and practice.

    o   Inadequate identification of key themes.

    ·         Poor – 20-29

    o   Inconsistent or inaccurate knowledge.  Limited and inappropriate   or inaccurate links between theory and practice.  Poor identification of key themes.

    ·         Very Poor – 10-19

    o   Virtually no relevant knowledge demonstrated.  Fails to adequately demonstrate links between theory and practice.  Very poor identification of key themes.

    ·         Extremely Poor – 1-9 

    o   Totally inadequate demonstration of required knowledge.  Not able to link theory to practice.  No appropriate themes identified.

     

     

    You should consult Level 7 Generic Grade Descriptors for detailed grade/mark descriptors.

     

     


    Criterion / Mark range

    Overall level (indicative – not for grading)

    ·         90-100: Standard comparable to journal publication
    ·         80-89: Standard comparable to conference paper publication
    ·         70-79: Distinctive work for Masters level
    ·         60-69: Merit work for Masters level
    ·         50-59: Acceptable for Masters
    ·         40-49: Below Masters pass standard
    ·         0-39: Significantly below Masters pass standard

    Scope

    ·         90-100: Outstanding clarity of focus, includes what is important, and excludes irrelevant issues.
    ·         80-89: Excellent clarity of focus, boundaries set with no significant omissions or unnecessary issues.
    ·         70-79: Clear focus.  Very good setting of boundaries includes most of what is relevant.
    ·         60-69: Clear scope and focus, with some omissions or unnecessary issues.
    ·         50-59: Scope evident and satisfactory but with some omissions and unnecessary issues.
    ·         40-49: Poorly scoped, with significant omissions and unnecessary issues.
    ·         0-39: Little or no scope or focus evident.

    Understanding of subject matter

    ·         90-100: Outstanding with critical awareness of relevance of issues. Outstanding expression of ideas.
    ·         80-89: Excellent with critical awareness of relevance of issues. Excellent expression of ideas.
    ·         70-79: Very good with critical awareness of relevance of issues. Outstanding expression of ideas.
    ·         60-69: Good with some awareness of relevance of issues. Ideas are expressed, with some limitation.
    ·         50-59: Basic with limited awareness of relevance of issues.  Limited expression of ideas.
    ·         40-49: Poor with little awareness of relevance of issues
    ·         0-39: Little or no understanding of subject matter is demonstrated.

    Literature

    ·         90-100: Comprehensive literature review. Evaluation and synthesis of source material to produce an outstanding contribution.
    ·         80-89: Excellent independent secondary research. Sources are evaluated and synthesized to produce an excellent contribution.
    ·         70-79: Very good independent secondary research. Sources are evaluated and synthesized to produce a very good contribution.
    ·         60-69: Good secondary research to extend taught materials. Evidence of evaluation of sources, with some deficiencies in choice and synthesis.
    ·         50-59: Limited secondary research to extend taught materials. Limited evaluation of sources, deficiencies in choice and synthesis.
    ·         40-49: Little or no extension of taught materials.  Poor choice and synthesis of materials.
    ·         0-39: Poor use of taught materials.  No synthesis.

    Critical analysis based on evidence

    ·         90-100: Standard of critical analysis – showing questioning of sources, understanding of bias, independence of thought
    ·         80-89: Excellent standard of critical analysis – excellence in questioning of sources, understanding of bias, independence of thought
    ·         70-79: A very good standard of critical analysis.  Sources are questioned appropriately, and a very good understanding of bias, showing independence of thought
    ·         60-69: Critical analysis with some questioning of sources, understanding of bias, independence of thought.
    ·         50-59: Analysis evident but uncritical. Sources are not always questioned, with limited independence of thought.
    ·         40-49: Little or no analysis.
    ·         0-39: No valid analysis.

    Structure of argument, leading to conclusion

    ·         90-100: Well structured, compelling and persuasive argument that leads to a valuable contribution to the field of study, paving the way for future work
    ·         80-89: Argument has excellent structure and persuasiveness, leading to very significant insights and relevant future work.
    ·         70-79: Well-structured and persuasive argument. Insightful conclusion draws together key issues and possible future work.
    ·         60-69: Structured and fairly convincing argument leads to conclusion that summarises key issues.
    ·         50-59: Argument has some structure and development towards conclusion with limitations in summary of issues.
    ·         40-49: Argument is unstructured, no recognizable conclusion.
    ·         0-39: No evidence of argument or conclusion.

     

     

    In Year Retrieval Scheme

    Your assessment is not eligible for in year retrieval.

     

     

    Reassessment

    If you fail your assessment, and are eligible for reassessment, you will need to resubmit on a date that will be notified to you. For students with accepted personal mitigating circumstances, this will be your replacement assessment attempt. Students should be aware that there is no late submission period at reassessment (this includes those students who have an accepted PMC request from a previous attempt). If a student needs to be reassessed, s/he will be given a new assignment brief with a deadline, which will be provided by the School.

     

[/et_pb_text][et_pb_text _builder_version="4.9.3" _module_preset="default" width_tablet="" width_phone="100%" width_last_edited="on|phone" max_width="100%"]

 

Subject Business Pages 24 Style APA
[/et_pb_text][/et_pb_column_inner][/et_pb_row_inner][et_pb_row_inner module_class="the_answer" _builder_version="4.9.3" _module_preset="default" custom_margin="|||-44px|false|false" custom_margin_tablet="|||0px|false|false" custom_margin_phone="" custom_margin_last_edited="on|tablet"][et_pb_column_inner saved_specialty_column_type="3_4" _builder_version="4.9.3" _module_preset="default"][et_pb_text _builder_version="4.9.3" _module_preset="default" width="100%" custom_margin="||||false|false" custom_margin_tablet="|0px|||false|false" custom_margin_phone="" custom_margin_last_edited="on|desktop"]

Answer

Abstract

A growing number of projects are undertaken in contexts in which high complexity and uncertainty play prominent moderating roles. Extant literature acknowledges the efficacy of various strategies designed to be less rigid and more flexible, yet effective in the management of risks. Accordingly, this paper presents strategies for the management of risks through a methodical survey of the literature. Specifically, it draws from qualitative studies on standard risk management as well as focused studies on risk management in iPhone Operating System (iOS) development projects to discuss risk management from the project management perspective. Evidence from the reviewed literature suggests improvements to the iOS project development framework through multi-layered security, limited developer access to APIs, marking out of points of interest for potential attackers, and data encryption, code-signing and sandboxing. Such improvements are expected to impact the Secure Development Strategy (SDS) and its three pillars (data storage, data access and data transfer) as a way of managing risks in iOS development projects. The interventions are, however, expected to be mediated by specific design capabilities of host devices.

Keywords: risks, risk management, data encryption, code-signing, sandboxing

 

 

 

 

 

 

 

 

Contents

1.0 Introduction

2.0 Critical Analysis of the Concept of Risk

2.1 Definition of Risk

2.2 Relationship between Risk and Risk Management

2.3 Interaction of Individual Attitudes to Risk and Organisational Risk Appetite

3.0 Measurement and Ranking of Risk

4.0 Risk Management Strategies and Impact on Minimizing Risk

4.1 Risk Management Strategies

4.1.1 Multi-layered Security

4.1.2 Limitation of Developers to High-level Capability Coding API

4.1.3 Delimitation of Points of Interest for Attackers

4.1.4 Data Encryption, Code-signing and Sandboxing

4.2 Impact on Minimizing Risk

4.2.1 Data Storage Security Model

4.2.2 Data Access Security Model

4.2.3 Data Transfer Security Model

Conclusion

List of References

 

 

 

 

 

 

 

1.0 Introduction

Challenges facing long-term projects have received extensive coverage from many authors. For instance, Qazi, Quigley, Dickson and Kirytopoulos (2016; p. 1184) argue that most of the challenges revolve around new product development (NPD) and often lead to crippling delays in implementation and cost overruns. Consequently, considering the intricacy of such projects, it is particularly imperative to contemplate the occurrence of risks so as to design the most suitable risk management strategies. Complexities in projects also generally involve cascading of tasks into structural and dynamic components, as well as considering the impacts of the intersection of these elements across wider spheres of “technical, organisational and environmental domains” (Qazi, Quigley, Dickson and Kirytopoulos 2016; p. 1184). This report provides a critical analysis of the concept of risk, discusses how it can be measured and ranked, and outlines how a project risk management strategy may be constructed for iOS development projects involving stakeholders in Europe, Saudi Arabia, and the United States.

2.0 Critical Analysis of the Concept of Risk

This step involves definition of risk from the project management perspective, relationship between risk and risk management in theoretical terms, interaction of individual attitudes to risk and organisational risk appetite, and measurement and ranking of risks.

2.1 Definition of Risk

In the project management context, Kerzner (2017, p. 601) and Martinsuo, Korhonen and Laine (2014, p.733) define risk as the degree of probability of and consequence of not attaining a definite project objective.

2.2 Relationship between Risk and Risk Management

Risks in contemporary projects are most often perceived in terms of their mediating impact on undesirable events related to project tasks. Extant literature demarcates various approaches to the characterization of risks. Specifically, since the concept of risk hinges on the perception of “uncertainty”, risk identification attempts to answer pertinent questions in the project cycle. For instance, project implementers may be interested in the possibility of developing computers within stipulated timelines at the budgeted cost. Similarly, concerns on whether timely product introductions can be made to preclude project overruns may be necessary from the marketing perspective. However, all factors considered, project risks and associated uncertainties are delineated as mutually exclusive. In light of the questions above, and the definition of risk considered, a clearer understanding of risk may be gained from the insurance industry definition, which delimits risk as “Loss” multiplied by “Likelihood” (Martinsuo, Korhonen and Laine 2014, p.733). Essentially, risk is more aptly defined as the probable outcome of an event and the prospect of its occurrence. On the other hand, risk management focuses on delimitation and evaluation of risks to gain an in-depth understanding of the risks and of approaches to managing those risks to lessen their impact on projects. This view fundamentally concedes the impossibility of engendering “risk-free projects”, since countless possible occurrences that could deleteriously impact the project still exist. As a result, elimination of risks does not feature in the purview of risk management. Instead, risk management is intended to guide project managers to “identify, assess, and manage risk” (Kendrick 2015, pp. 5-6). Further, demarcation of risk management in projects calls for escalation of interventions beyond sheer project planning, to specific risk planning as well.

Risk planning steps generally recommend a review of preliminary project assumptions. Internally accessible information is generally found in project charters, datasheets, or other documents that could aid the commencement of a project, and mostly includes data on risk, goals, recruitment, and suppositions. Particular attention should be focused on the antecedent information, as risk data have been idealized for their accuracy in delineating risky projects as such. In the same way, projects that are categorized as low-risk may rely on suppositions that could instigate the possibility of unrealistically low staffing and funding. Therefore, it is recommended that project implementation should concentrate on every subtle variance in opinions regarding project risk, whether expressly documented or implicitly stated by project financiers. As such, risk planning is expected to find anchorage on a robust framework that is congruent with the general expectations and project goals. Specific attention at this stage of risk management should be weighted in favor of a deeper understanding of the anticipations of interested parties, and of the underlying assumptions that inform strategies appropriate to the immediate contexts in which the project is implemented. This entails demarcation and execution of tasks related to stakeholder risk tolerance. However, Kendrick (2015, pp. 5-6) observes that risk management strategies should not override prevailing organizational cultures, as various groups employ unique approaches to the handling of risk. For instance, start-ups and speculative ventures, such as players in the oil industry, could exhibit high tolerance for risk. As several of such projects are expected to fold within the first six months of operation, the high rate of failure could be compensated for by the few outliers who survive. In contrast, conventional entities that charge fees for services and solutions are generally perceived to be risk intolerant. Such projects are generally associated with modest but regular income for projects undertaken. Additionally, organizational risk tolerance can be interpreted from institutional guidelines, as evidenced by policies that do not pursue fixed-price contract projects. In addition, the stakeholders of the project may have strong individual opinions on project risk (Kendrick 2015, pp.5-6). Once more, it is important to take note of the apparent lack of agreement among stakeholders, as demonstrated by varying degrees of risk tolerance. Irrespective of the state of teamwork, or lack of it, it is necessary for project implementers to reduce risky outcomes. Projects involving technical work tend to favor low risk.

2.3 Interaction of Individual Attitudes to Risk and Organisational Risk Appetite

Intricate ways in which individual attitudes to risk and organisational risk appetite interact have been discussed by a number of scholars. For instance, Kpodo and Agyekum (2015, p.682) delineate organizational risk appetite as a subset of organizational culture from which impacts of behavioral patterns of internal clients can be gleaned. Accordingly, organizational risk culture promotes the idea of organisational culture as a panacea to managing the collective capability to manage risk. The impact of the interaction of individual attitudes to risk and organisational risk appetite was idealized following the cataclysmic responses of organisations at the focal point of the Global Financial Crisis. A cross-sequential study by Kpodo and Agyekum (2015, p.682) attributes the poorly coordinated and ineffectual responses to “weak risk cultures”. The study further highlights evidence from numerous literary sources to exemplify the corporate rascality of the business community, as exhibited by the Lehman Brothers and the latest London Interbank Offered Rate (LIBOR) scandal. These views tend to buttress the position that organisational performance, and indeed the robustness of organisations, are positively correlated with prevailing risk appetite and culture (Kpodo and Agyekum 2015, p.682). Numerous studies have similarly established that a resilient risk culture leads to elevated organizational performance. While freely conceding the novelty of risk management in the African context of project management, studies have highlighted a disconcerting dearth of risk management practices on the continent. However, the preceding situation does not outline risk culture as a completely foreign concept.

3.0 Measurement and Ranking of Risk

A study by Kendrick (2015, p.165) provides insight on how risk can be measured and ranked by defining risk as an intersection of two factors, namely, the projected results of the tasks and the likelihood of occurrence, which may facilitate categorization of risk on the basis of the number of undesirable events.

Similar studies by Dziadosz and Rejment (2015, pp.262-262) describe risk measurement and ranking as the systematic sequencing of risks by apparent severity. This criterion comprises methodical evaluation of the products of “loss” and “likelihood” for every risk, and subsequently arranging the scores on a grid. In this arrangement, the greatest scores are recorded near the top while lower scores are subsequently placed at the bottom. Many scholars recommend shorter grids as they facilitate the arrangement of lists by a few pairs, roughly in a two by two matrix, allowing the “switching of adjacent risks” when one with greater severity is placed lower on the grid. However, risks with the greatest exposures will generally be placed at the top, while the ones categorized as small will be assigned the bottom spaces of the list.

Furthermore, Kendrick (2015, pp.165-166) recommends an analogous technique, connected to Delphi, which amalgamates information from lists separately organized by individual team members. This method is actuated by allocating each risk a score according to its position on each list, and subsequently summing up the scores for individual risks. The risk with the least aggregate score tops the amalgamated list while the remaining risks are sequenced in increasing order. This approach puts extra emphasis on variations in the lists. For instance, lists with huge variances, as may be discovered by “clumping” in the combined scores, are recommended for further deliberation by team members. Investigations by Dziadosz and Rejment (2015, pp.262-262) and Kendrick (2015, pp.165-166) endorse the use of Delphi estimation for objectively considered consensus. The outcome of this is a more credible tool for measuring and ranking risks, one that achieves better results than ordered lists from individuals. However, despite their wide acceptance, risk matrices are limited in use, revealing only “relative risk severity” and excluding details of the exposure inherent in each risk (Kendrick 2015, pp.165-166).
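The two ranking procedures described above (ordering by loss multiplied by likelihood, and the Delphi-style combination of individually ordered lists), as an added Python example that is not part of the original report. The risk names, scores, team rankings and the position-gap threshold used to flag disagreement are constructed assumptions.

```python
"""Added illustration: exposure ranking and Delphi-style rank-sum consolidation.
All names and numbers below are constructed sample data."""

# Constructed register for an iOS development project: name -> (loss 1-5, likelihood 1-5).
REGISTER = {
    "keychain-theft": (5, 2),
    "private-api": (3, 4),
    "jailbreak-leak": (4, 2),
    "cleartext-transfer": (4, 3),
    "cert-expiry": (2, 3),
}

# Constructed rankings (most severe first) produced separately by three team members.
INDIVIDUAL_LISTS = [
    ["cleartext-transfer", "private-api", "keychain-theft", "jailbreak-leak", "cert-expiry"],
    ["private-api", "cleartext-transfer", "keychain-theft", "cert-expiry", "jailbreak-leak"],
    ["keychain-theft", "cleartext-transfer", "jailbreak-leak", "private-api", "cert-expiry"],
]


def rank_by_exposure(register):
    """Order risks by loss x likelihood, greatest first (ties broken by name)."""
    scored = {name: loss * likelihood for name, (loss, likelihood) in register.items()}
    return sorted(scored.items(), key=lambda item: (-item[1], item[0]))


def _positions(lists):
    """Map each risk to its 1-based position in every individual list."""
    if not lists:
        raise ValueError("no rankings supplied")
    expected = set(lists[0])
    for ranking in lists:
        # Every member must rank the same risks exactly once, or sums are not comparable.
        if set(ranking) != expected or len(ranking) != len(expected):
            raise ValueError("every list must rank the same risks exactly once")
    return {risk: [ranking.index(risk) + 1 for ranking in lists] for risk in expected}


def combine_rankings(lists):
    """Sum each risk's positions; the least aggregate score tops the combined list."""
    totals = {risk: sum(pos) for risk, pos in _positions(lists).items()}
    return sorted(totals.items(), key=lambda item: (item[1], item[0]))


def disputed(lists, min_gap=3):
    """Risks whose highest and lowest positions differ by at least min_gap.

    The gap measure and threshold are assumptions standing in for the
    'huge variances' the text says should go back to the team for discussion.
    """
    return sorted(
        risk for risk, pos in _positions(lists).items() if max(pos) - min(pos) >= min_gap
    )


if __name__ == "__main__":
    print("By exposure:")
    for name, exposure in rank_by_exposure(REGISTER):
        print(f"  {exposure:>2}  {name}")
    print("Combined team ranking (lower total = more severe):")
    for name, total in combine_rankings(INDIVIDUAL_LISTS):
        print(f"  {total:>2}  {name}")
    print("Needs further deliberation:", disputed(INDIVIDUAL_LISTS))
```

The combined list shows only relative order, so two risks with equal totals still need their exposure figures compared before either is prioritised.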

Correspondingly, Fang, Marle and Xie (2016, p. 1550) propose a standard project risk analysis model, the risk network model, developed to map out project risks and their behavioral facilitators. Specifically, the approach supports Risk Criticality, the cumulative amount of risk significance, and the “product of risk probability and impact” as the basis for establishing the severity of risk. Under this criterion, qualitative measures are frequently employed to delineate risk prospects on a scale of 5 to 10, ranging from very rare, rare, unlikely, likely, and very likely. However, to preclude statistical errors, the qualitative scales must have quantitative values of risk probability.

4.0 Risk Management Strategies and Impact on Minimizing Risk

This section focuses on risk control approaches and resultant impacts by Apple Inc. in Applications Development Projects on the iOS platform by stakeholders in Europe, Saudi Arabia, and the United States.

4.1 Risk Management Strategies

4.1.1 Multi-layered Security

Analysis of the security architecture and risks in iOS application development exposes layers of security embedded at the core of the iOS operating system. Indeed, several mechanisms have been implemented in the iOS platform with the goal of defending the device and attendant data without the knowledge of the handset owner and well outside the interference of the developer. Apple Inc., the parent company, delivers superior safeguards concerning system security in addition to protection of installed applications from third-party applications. Additionally, the “file system, network services and device control” are also targets of security upgrades (Michalska and Poniszewska-Maranda 2015). Thus, the overall framework of the iOS system is anchored on multilayered security as shown in Fig. 1 below. The implication of this is that installed and running applications and the hardware do not need to interact directly. Instead, communications between software and hardware components are mediated by arrays of public APIs which execute all system requests. From the application development side, iOS permits developers limited use of its APIs. By so doing, Apple significantly restricts the developer to a small number of operations through these APIs.

4.1.2 Limitation of Developers to High-level Capability Coding API

Apple simultaneously manages possible risks from developers who may attempt to perform prohibited operations through the “code-signing” process.

Figure 1: Overview of layered iOS architecture (Michalska and Poniszewska-Maranda 2015, p. 125)

The iOS environment offers high-level layer capabilities with more “specific and sophisticated interfaces” to developers to fast-track the application development process. High-level capabilities make coding and application development more comprehensible and reachable through the use of abstract classes and encapsulation capabilities. As a rule of thumb, Apple recommends the high-level interfaces to developers as this offers the company a better chance of monitoring the activities of mobile application developers. In addition, the high-level interface facilitates adherence to “Apple implementation standards during code verification” (Michalska and Poniszewska-Maranda 2015, p. 125). The core security capabilities executed within the iOS security framework include a stratified architecture which assigns public APIs to application developers. Other security functionalities include “vetting process, System Software, Authorization process, Encryption mechanisms, Data Protection feature, Keychain and code-signing” (Michalska and Poniszewska-Maranda 2015, p. 125).

4.1.3 Delimitation of Points of Interest for Attackers

Identification of flaws in the mobile application environment has been idealized as a necessary first step in the discovery of possible vulnerabilities that potential attackers could exploit. This step involves determination of the motivations of hackers. Most literature cites the urge to steal confidential information such as passwords, account numbers, personal identification numbers and other vital information. Other motivations for security breaches on iOS platforms include unlawful acquisition of multimedia data such as videos and photos, stored information in the address book, electronic mail, or information on the whereabouts of the user. Some hackers may be motivated by the urge “to omit some licensing issues” or perform such acts for the sake of it. The points of interest from which substantial threats to the iOS operating system may be targeted include theft of classified data in key-chain storage, breaches by unpermitted applications utilizing internal system calls, executing mysterious code on the device through “jailbreaking the device”, method swizzling, the illegal act of hijacking running code during execution, and massive trading of privileged personal data for “statistical and advertising purposes” (Michalska and Poniszewska-Maranda 2015, p. 126). Further, on the basis of the possible motivations of attackers, and bearing in mind the inherent vulnerabilities, the attacker may fashion attack capabilities by targeting data storage points, permission management policy, the application file system, and any kind of configuration files that may be stored within the device. Accordingly, Apple’s security report venerates the design basis of the iOS framework as its security. Undoubtedly, considerable capital and technical skill have been invested to attain the expected degree of safety by integrating data encryption, code signing and sandboxing as shown in figure 2 below.

Figure 2: iOS security architecture (Michalska and Poniszewska-Maranda 2015, p. 126)

4.1.4 Data Encryption, Code-signing and Sandboxing

Encryption has gained extensive use as an ordinary mechanism for deterring unauthorized persons and entities from decrypting data in the event that it is captured (D'Orazio, Lu, Choo and Vasilakos 2017, p.4). Code-signing is associated with stringent protocols requiring new applications to be published in the AppStore as a way of precluding below-par applications. Incidentally, it only permits the use of certain high-level functionalities encased in API methods. Sandboxing, a popular functionality, facilitates the running of programs independently of the rest of the system resources to ensure complete control over pertinent authorizations as well as permissible access (Michalska and Poniszewska-Maranda 2015; D'Orazio, Lu, Choo and Vasilakos 2017, p.15). Sandboxing is preferred where suspicious programs have previously been run on the device, and is usable for preventing downloaded applications from using resources assigned to other applications or the system, or from “accessing the kernel resources that they are not allowed” (Michalska and Poniszewska-Maranda 2015; D'Orazio, Lu, Choo and Vasilakos 2017, p.24).

4.2 Impact on Minimizing Risk

Having demarcated 4 components of risk management strategies in iOS application development projects as involving multi-layered security, limiting developers to high-level capability coding APIs only, proper identification of the most susceptible system components, Secure Development Strategy (SDS) technology, and data encryption, code-signing and sandboxing, the focus now turns to the impact of minimizing risks (Majchrzycka and Poniszewska-Marańda 2016, p. 496). In the iOS environment, risk management strategies aim at precluding the occurrence of risks and their impacts on the system through the Secure Development Strategy (SDS), the impacts of which are focused on safeguards during storage, access, and transfer of data, as represented in figure 3. This strategy is applied to iOS development projects to minimize vulnerability to “external attacks and leaks of sensitive data” (Michalska and Poniszewska-Maranda 2015, p.129).

Figure 3. Pillars of Secure Development Strategy for mobile applications (Apple 2014)

Popular strategies for application security have focused primarily on safety during transmission of privileged data to external services, but this option is generally not desired. Nevertheless, transfer of data between mobile and external devices is undeniably a fundamental phase and remains critical to the security of mobile applications. The risk management thresholds for application development project security are subsequently discussed in terms of the three priority areas of “storage, access and transfer of sensitive data” (Michalska and Poniszewska-Maranda 2015; Majchrzycka and Poniszewska-Marańda 2016, p. 496).

4.2.1 Data Storage Security Model

The storage model of the SDS strategy, an application-side development model for iOS, is represented in figure 4 below. Majchrzycka and Poniszewska-Marańda (2016, p. 496) commend this approach for employing data storage patterns, encryption of sensitive data, and limitation and restriction of access.

Figure 4. Data storage model (Majchrzycka and Poniszewska-Marańda 2016, p. 496)

Under the data storage security model, security interventions focus on the two main data storage components as potential risk points. These are the keychain, as it is known in iOS development, and the file system. Three protocols are utilized to secure storage, the first and principal one being the encryption of sensitive data in keychains and other storage places (Majchrzycka and Poniszewska-Marańda 2016, p. 497; Michalska and Poniszewska-Maranda 2015, p. 130). This means that privileged data should by no means be stored as plain text. The second protocol permits storage of sensitive data in the application database files but recommends encrypting the stored data using “encryption keys stored in the external server databases” to restrict unauthorized access. Thirdly, the iOS application project protocol assigns access to internal storage objects to function calls only.

4.2.2 Data Access Security Model

The second model under the SDS intervention minimizes iOS project risks by controlling access to data. Focused studies by Michalska and Poniszewska-Maranda (2015, p.131) acknowledge vulnerabilities arising from interactions of mobile applications with outside services and third-party applications. Similar studies by Majchrzycka and Poniszewska-Marańda (2016, p. 498) identify key actions recommended for the access facet of data security in iOS application development projects: regular updates on the current location of the device as a precondition for access to sensitive data; the requirement that every mobile application should have a digital signature containing an exclusive device identifier; and the requirement that constrains the server to ascertain that device session is close before any requests are processed. The mainstays of the access model are shown in figure 5.

Figure 5. Assumptions of data access model

4.2.3 Data Transfer Security Model

The data transfer model relates to strategies for the interchange of data between the mobile application and external services. This involves the assimilation of extra safety measures such as “data encryption, the use of security keys and check of requests integrity” (Michalska and Poniszewska-Maranda 2015, p. 132).

Figure 6. Assumptions of data transfer model (Michalska and Poniszewska-Maranda 2015, p.132)

The data access security model, the terminal stage of the SDS strategy, also appears to be the most vulnerable link in mobile project development. Both Michalska and Poniszewska-Maranda (2015, p.132) and Majchrzycka and Poniszewska-Marańda (2016, p. 500) attribute this vulnerability to “the man in the middle”, which exploits public internet connections to intercept data. All manifestations of the man in the middle attack can be effectively ameliorated through encryption and the use of security keys.
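An added illustration (not from the cited papers or from Apple) of the transfer model's “check of requests integrity” with per-device security keys: the client tags each request with an HMAC over the device identifier, a timestamp and the body, and the server verifies the tag before processing. The key store, device name, field names and five-minute window are assumptions, and confidentiality in transit is assumed to come from an encrypted channel such as TLS.

```python
import hashlib
import hmac
import json

# Constructed per-device security keys; a real server would load these
# from a protected store, never from source code.
DEVICE_KEYS = {"device-A1": b"constructed-demo-key-0001"}
MAX_AGE_SECONDS = 300  # assumed freshness window to limit replay


def _mac(key, device_id, timestamp, body):
    # Bind the device identifier and timestamp to the body so none of
    # the three can be swapped without invalidating the tag.
    message = b"\n".join([device_id.encode(), str(timestamp).encode(), body])
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def sign_request(device_id, key, payload, timestamp):
    """Client side: serialise the payload and attach an integrity tag."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"device_id": device_id, "timestamp": timestamp,
            "body": body, "tag": _mac(key, device_id, timestamp, body)}


def verify_request(request, now):
    """Server side: return (accepted, reason) for a received request."""
    key = DEVICE_KEYS.get(request["device_id"])
    if key is None:
        return False, "unknown device"
    if abs(now - request["timestamp"]) > MAX_AGE_SECONDS:
        return False, "stale timestamp"
    expected = _mac(key, request["device_id"], request["timestamp"],
                    request["body"])
    # compare_digest avoids leaking the match position through timing.
    if not hmac.compare_digest(expected, request["tag"]):
        return False, "integrity check failed"
    return True, "ok"
```

A body altered in transit, a request replayed after the window, or a request claiming an unregistered device identifier is rejected before any application logic runs.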

Conclusion

In the management of iOS application development projects, it is guaranteed that a tradeoff between performance, quality and data security will have to be realized. However, in the final analysis, none of the aforestated areas should be given preferential treatment. In addition, at present, there is no conventionally adopted approach for developing risk-resistant iOS application projects. Incidentally, sustained development of better responses to data security infringements seems to herald the development of formidable vulnerabilities. Conclusively, this paper proposes improvements to the Secure Development Strategy (SDS) and its three pillars (data storage, data access and data transfer) as a way of managing risks in iOS development projects. However, mar assumptions in the SDS approach should be interrogated further to the application to enhance security in such projects.

References

Dai Zovi, D.A., 2011. Apple iOS 4 security evaluation. Black Hat USA, 24, 37.

D'Orazio, C.J., Lu, R., Choo, K.K.R. and Vasilakos, A.V., 2017. A Markov adversary model to detect vulnerable iOS devices and vulnerabilities in iOS apps. Applied Mathematics and Computation, 293, pp.523-544.

Kendrick, T., 2015. Identifying and managing project risk: essential tools for failure-proofing your project. Amacom.

Kerzner, H., 2017. Project management: a systems approach to planning, scheduling, and controlling. John Wiley & Sons.

Kpodo, B. and Agyekum, K., 2015. The effects of risk culture on organisational performance-The cases of some selected financial institutions in Ghana.

Majchrzycka, A. and Poniszewska-Marańda, A., 2016. Secure development model for mobile applications. Bulletin of the Polish Academy of Sciences. Technical Sciences, 64(3).

Martinsuo, M., Korhonen, T. and Laine, T., 2014. Identifying, framing and managing uncertainties in project portfolios. International Journal of Project Management, 32(5), pp.732-746.

Michalska, A. and Poniszewska-Maranda, A., 2015. Security risks and their prevention capabilities in mobile application development. Information Systems in Management, 4.

Qazi, A., Quigley, J., Dickson, A. and Kirytopoulos, K., 2016. Project Complexity and Risk Management (ProCRiM): Towards modelling project complexity driven risk paths in construction projects. International Journal of Project Management, 34(7), pp.1183-1198.

Fang, C., Marle, F. and Xie, M., 2016. Applying importance measures to risk analysis in engineering project using a risk network model. IEEE Systems Journal, 11(3), pp.1548-1556.

Dziadosz, A. and Rejment, M., 2015. Risk analysis in construction project-chosen methods. Procedia Engineering, 122, pp.258-265.

[/et_pb_text][/et_pb_column_inner][/et_pb_row_inner][/et_pb_column][/et_pb_section]