Reflections
Weekly reflections of the individual units:
Unit 1
The aim of this unit was to analyze the basic principles of information security management, to gain an understanding of the meaning and definition of the terms threat and vulnerability in the context of information security, and to gain a knowledge about different roles for eliminating vulnerabilities in programs, systems and networks. In the Collaborative Discussion 1, cyber threats related to medical devices were discussed using the example of a medical mannequin. A team contract was also drawn up, which should regulate future work in the group. The insight into the principles of information security management gave me an overview of the general requirements in the area of information security management. The information obtained was nothing new to me, as this was already discussed in the previous module. However, the renewed examination of the principles showed me the importance. The mantra of the CIA is a fundamental part of the development and troubleshooting of network applications and offers me the anchor points of my work for my professional future (Fenrich, 2008). In relation to this, an initial examination of cyber threats to medical devices has shown me the practical importance of the principles. By dealing with a topic that was completely new for me, the medical industry and its developments in the field of IoMT, I was able to examine the central threats and vulnerabilities, deal with potential consequences and consider possible preventive measures for the threats. This examination of the subject has shown me the importance of protective measures and the direct consequences of disregarding them in the field of cyber security. It was interesting to see the manifold possibilities for the corruption of medical devices and which solutions are available for prevention (Xu et al., 2019). 
It was a shocking finding that optimal protection with regard to all technical aspects and their requirements, especially in the area of implants, proves to be extremely difficult, since functions, areas of application and necessary measures often interfere with one another. For example, the size of an implant, its longest possible runtime and necessary protective measures, through firewalls and filters. This realization gives me the incentive to find solutions to these problems in order to be able to make a contribution to social and medical development in the future. However, this also shows me that I still have to learn a lot of experience and skills in order to be able to make this contribution. The cooperation in my team and the joint development of the team contract sent a positive signal to me. Even if individual team members did not show up on time for the meeting, the contract could be drawn up together in a constructive manner. My previously drawn up contract, which was used as the basis for the mutual agreement, was useful here. All points listed by me have been taken over completely or in a modified form. So my work has had positive benefits for my team. However, it would have been nice if all team members had participated more evenly. However, it is to be expected that this will be the case in the next team meetings. The first meeting with my team showed me that there is a respectful approach and that all group members have a fundamental interest.
References:
- Xu, Y., Tran, D., Tian, Y., Alemzadeh, H. (2019) Poster Abstract: Analysis of Cyber-Security Vulnerabilities of Interconnected Medical Devices. International Conference on Connected Health: Applications, Systems and Engineering Technologies. Available from: https://ieeexplore.ieee.org/document/8908638 [Accessed 16 November 2021].
- Fenrich, K. (2008) Securing your control system: the "CIA triad" is a widely used benchmark for evaluating information system security effectiveness. Power Engineering. 112(2):44-45. Available from: https://go.gale.com/ps/i.do?id=GALE%7CA177028777&sid=googleScholar&v=2.1&it=r&linkaccess=abs&issn=00325961&p=AONE&sw=w&userGroupName=anon%7E97b0e51b [Accessed 14 November 2021].
Unit 2
In this unit, vulnerabilities of modern electronic devices were examined and possibilities were determined with which threats can be classified and vulnerabilities can be analyzed with regard to their hazard potential. Two of the analysis tools that can be used in any cyber security environment are the STRIDE and DREAD tools. For the seminar 1 session, the DREAD analysis tool was used to assess potential threats in relation to the medical devices discussed in Collaborative Discussion 1 and the IoMT according to their potential danger. The results determined by the respective groups were presented and compared in seminar 1. The analysis tools (STRIDE and DREAD) offer a good basic analysis of vulnerabilities and threats from network components and are therefore useful in all conceivable sectors of cyber security, as well as in medical health care (Alhassan et al., 2016). While I was already familiar with the STRIDE analysis tool, working with the DREAD tool gave me additional skills in cyber threat analysis. I see the knowledge that both analysis tools work extremely well in symbiosis with each other as particularly beneficial. While the STRIDE tool offers a qualitative assessment of the possible threats, the DREAD tool enables a quantitative assessment, whereby an assessment of the prioritization of the vulnerabilities to be closed can be carried out. The STRIDE tool thus offers a first starting point and overview of potential dangers and the DREAD tool a further step to evaluate these through a ranking. The work in the team was of great benefit to me, as I did not find the source on which the presentation of the groups in the seminar session should be based. Therefore, I first researched other sources and found what I was looking for in an empirical study of cyber vulnerabilities in a medical context (Xu et al., 2019).
With this source it was possible to develop a ranking of possible vulnerabilities, but it did not fulfill the stated task, which aimed to develop a personal assessment of threats. My team helped me here by having a team member find the source and share it with us. In the further exchange, the task could be completed satisfactorily. Both assessment approaches can be found in the Seminar 1 PowerPoint. The productive exchange in my group was therefore an extremely profitable result for me, as it resulted in a discussion which, through my personal assessment, broadened my personal knowledge horizon. It should be noted here, however, that the participation in the team of the respective members is very different and some show a greater motivation to work together than others.
References:
- Alhassan, J., Abba, E., Olaniyi, O. & Waziri, O. (2016) Threat Modeling of Electronic Health Systems and Mitigating Countermeasures. International Conference of Information and Communication Technology and its Application (ICTA 2016). Federal University of Technology, Minna, Nigeria. Available from: http://repository.futminna.edu.ng:8080/xmlui/handle/123456789/9522 [Accessed 20 November 2021].
- Xu, Y., Tran, D., Tian, Y., Alemzadeh, H. (2019) Poster Abstract: Analysis of Cyber-Security Vulnerabilities of Interconnected Medical Devices. 2019 IEEE/ACM International Conference on Connected Health: Applications, Systems and Engineering Technologies. Available from: https://ieeexplore.ieee.org/document/8908638 [Accessed 16 November 2021].
Unit 3
This unit focused on the fundamental concepts of networks, how they enable data transmission and which tools can be used for network analysis to identify potential problems. The standards of the Internet Protocols (IP) of IPv4 and IPv6 were also compared. Furthermore, the Collaborative Discussion 1 was completed in this unit. The literature provided and the Lecturecast have built on my existing knowledge and expanded my knowledge with new information and findings. I was familiar with the Internet structures, such as the TCP / IP model used for data transmission and its structure and functionality. The ISO / OSI 7-layer model, on the other hand, was unknown to me up to this point and a comparison of these two models, which have similarities and yet differences from one another, gave me a better understanding of the TCP / IP model and showed me that other approaches for the Internet exist next to the standard in use. Tools for examining networks and troubleshooting were previously unknown to me. It was extremely interesting to use these basic tools and to find out information about the routers used and the hosting service provider for the website. Since I work with a Windows 10 OS, some tools, such as the dig command, were not available without further installations. Since I initially wanted to refrain from installing these tools, I tried other programs and online offers to obtain the information. It was amazing how easy it was to get information about service providers and free applications. However, this also made me wonder how easy it is for malicious people to obtain information from websites in order to spy on them for possible cyber attacks. A first examination of the tools for scanning a website piqued my interest in the applied examination of websites and troubleshooting.
However, I quickly realized that my knowledge is still extremely limited in this context and that I have to develop further in this direction in order to become a competent cyber security specialist. The Collaborative Discussion 1 was extremely productive from my point of view. Some responses were made to my initial post, which gave me a lot of additional information, and I was able to look at it from different perspectives. This multitude of aspects and perspectives made it easy for me to write a summary post that takes up the topic and rounds it off. However, the word limit has presented a challenge, as it has proven extremely difficult for me to limit such a complex and comprehensive topic to 300 words. The summary post can be found under the Artefacts.
Unit 4
The core of the unit were practical exercises with tools for basic troubleshooting. With the help of the tools, the results were analyzed and discussed within and between the teams. The ISO / OSI 7-layer and TCP / IP models should also be compared and a discussion should be prepared as to whether the Internet that exists today would be better with the OSI / ISO 7-layer model. Both topics were addressed in the seminar session. As noted in the previous unit, the tools for basic troubleshooting were new to me. Also because of the Windows 10 operating system I used, I had initial problems doing some of the investigations I wanted. I was able to receive help and exchange from a team member who already had a deeper understanding of the subject and thus answered a few questions and supported me in my practical investigation. The teamwork was of great benefit to me here, as I was able to develop a lot of information and networked understanding in a short time. Unfortunately, only the two of us took part in the discussion, otherwise other team members could have benefited from the discussion or contributed to mutual development through their input. Also, due to the lack of participation in the group meetings and the lack of communication, it must be assumed that two of the team members will no longer participate in the module. Although this is sad for the further module, it is also an experience that can occur in a professional environment. It can always happen that individual team members of a project are absent and therefore a new planning of the action plan of a project has to be made. Flexibility and the ability to adapt to new circumstances are therefore skills that are of high priority in professional practice (Horwitz & Townshend, 2006). The seminar session in Unit 4 comprised two thematic blocks. 
While the presentation and discussion of the results of the practical team activity from Unit 3 can be rated as extremely profitable by me, I had higher expectations from the discussion about the TCP / IP and ISO / OSI 7-layer models. So I found it very interesting to compare the respective results of the groups with my own and to find that these, apart from the traceroute investigation, which differed due to the respective location of the investigation, yielded the same results. Thus, my own work could be validated and the different approaches could be compared. In my investigation and evaluation of the models with regard to the question of whether the Internet that exists today would be a better one with the ISO / OSI layer model, I did not come to a clear conclusion. A discussion in the seminar would have made sense for me under certain circumstances, since different opinions and perspectives could have led me to a more well-founded decision. Unfortunately, the other seminar participants were not sufficiently informed to have an active discussion. Therefore my arguments could only be discussed with the tutor, which confirmed my assessment, and I was able to get a more solid picture. However, further perspectives and arguments from my fellow students could have led to an even more comprehensive understanding.
References:
- Horwitz, F. & Townshend, M. (2006) Elements in participation, teamwork and flexibility in South Africa. The International Journal of Human Resource Management. 4(4):917-932. Available from: https://www.tandfonline.com/doi/pdf/10.1080/09585199300000064?needAccess=true [Accessed 05 December 2021].
Unit 5
The subject of this unit was to develop an understanding of network components. Various penetration testing tools were also examined and evaluated according to their handling and possible applications in troubleshooting. As part of the collaborative discussion 2, the respective investigations were discussed and further tests were carried out. The Lecturecast “Network Tools and Components” gave me a good overview of the components used in networks and encouraged me to do further research. While the areas of application and functionality of LAN and WAN were already known, it was very interesting for me to see how far the historical development of Network Operating Systems (NOS) goes back and which hurdles had to be overcome. The consideration of cloud systems and VM models was also extremely interesting. Although I was aware of cloud providers, I hadn't thought about the respective classification and their respective benefits beforehand. Since a shift from print files to digital storage of files can be observed due to the advancing development of computers and networks in the last decades and with the introduction of cloud computing a renewed shift of the storage of files from local machines to clouds can be observed, clouds and their service providers present new opportunities in the coming future, but also dangers in relation to malicious interference by hackers (Singh & Chatterjee, 2017). In order to examine websites and networks for their vulnerabilities, there are a large number of penetration testing tools, which are available for a fee or as a free version and provide various analysis options. Because of this large number, it makes sense to first evaluate selected analysis tools. The evaluation exercise helped me to get an overview of the wide range of these tools. Since I was not previously aware of any of these tools, I considered it extremely beneficial to further investigate these tools discussed in the source (Geer, 2015). 
I would probably not have undertaken such a targeted examination of the tools without the exercise. It was of great use, however, as it gave me, in addition to the considerations in terms of practicality, thoughts about the aspects of privacy. A reflection on the personal provision of information to third parties should be of central importance for every person who works with confidential information from companies, which applies to the profession of cyber security specialist. Since the results of the basic troubleshooting from the previous units were discussed in Collaborative Discussion 2, which presented a new challenge for me, I focused on carrying out further investigations with various online tools. It was also important to me to run the analysis tools on my OS, so I installed tools for the CMD app on my OS, for example to be able to perform the dig command on my Windows 10. This enabled me to re-validate my previous results and to gain some troubleshooting skills.
References:
- Geer, D. (2015) 8 Penetration Testing Tools That Will Do the Job. Network World. Available from: https://www.networkworld.com/article/2944811/8-penetration-testing-tools-that-will-do-the-job.html [Accessed 12 December 2021].
- Singh, A. & Chatterjee, K. (2017) Cloud security issues and challenges: A survey. Journal of Network and Computer Applications. 79: 88-115. Available from: https://www.sciencedirect.com/science/article/pii/S1084804516302983 [Accessed 12 December 2021].
Unit 6
In this unit the assessments were submitted and the network scanning tools and their respective evaluation were discussed in the seminar. Since I was limited in time this week, I started working on the team project early on. From Unit 2 I worked on a section of the project every week, so that at the beginning of Unit 5 a rough plan of the assessment was in place and made available to my team. On the basis of this preliminary work and the extremely productive processing and addition of a team member, the design document for the assessment was drawn up. The creation of this document took up the aspects of Network and Information Security Management discussed in the previous units well and placed them in a practical context. This enabled the knowledge gained to be applied to a case study and an analysis of it to be carried out. Working together on this project was profitable for me, as the exchange resulted in additional arguments and aspects that I did not take into account in the final work and thus broadened my knowledge horizon. Since two of my team members no longer take part in the module and the work in my team is very different, it was a challenge for me to create the peer review design document. It has turned out to be difficult to give a fair evaluation of my team members, as it intuitively seemed unfair to evaluate someone worse and thus to have a negative influence on the grading. However, after a few deliberations and reflections, I decided to make an appropriate assessment of my team members, as an inadequate appreciation of the people who contributed significantly to the creation of this assessment would also not correspond to the aspect of fairness. When discussing network scanning tools, it turned out that both teams that presented their results had similar results. The ratings were the same in many respects, such as the rating of Jawfish as the worst tool of the presented ones. However, both teams rated another tool as the best. 
Based on the overlap and the differences, it can be determined that a rating of the tools cannot be viewed as one-dimensional and completely objective. Different aspects and arguments, which speak for or against a tool, are differently important to the users of the tools. This also explains the wide range of penetration testing tools. Users have different interests and priorities that the tools have to meet. When comparing the two results of the teams, it is noticeable that most of the tools examined are rated close together, so that it is difficult to clearly distinguish between good and bad tools. It should therefore always be considered in which context the respective application is used.
Unit 7
The subject of this unit was to reflect on the term risk in the context of information security management. It was determined how risks can be reduced and which standards can be applied for this. Furthermore, technical possibilities for penetration testing were learned as part of a practical exercise with Kali Linux. Since the word risk can have different meanings in general usage in different contexts, it was of great interest to precisely define the term, which is important for network and information security management. It was interesting for me to see how differently the meaning can be interpreted, for example in business, financial, or security risk management (Hubbard, 2019). Since successful cooperation is largely dependent on communication, it is important that such terms are clearly defined in order to be able to ensure that what is conveyed is understood as intended. Ambiguities and mix-ups can not only hinder work progress, but also lead to incorrect results. A targeted examination of this meaning of the term was therefore not only interesting, but also profitable for me, since I had not previously assumed that there was such a diverse understanding of the definition. This also formed the basis for reflecting on the meaning of the standards. While some of the standards discussed, such as GDPR, ISO and PCI-DSS, were already known, I was able to get to know new ones, such as COBIT and ITIL, in the course of examining various standards. Especially the comparison of COBIT and ITIL with their respective different approaches was an interesting consideration for me, as well as a comparison of clearly defined standards like the GDPR and the more flexible ones like the COBIT was a knowledge horizon expanding learning process. Working with Kali Linux and the variety of penetration testing tools was a big challenge for me. Since I had not previously delved into the Linux OS in depth, I experienced a strong learning curve. 
Embedding Kali Linux in a VM, setting up the OS, such as creating target directories, and penetration testing with the initially overwhelming number of tools initially turned out to be a difficult task for me, which was rewarded with great success. The demanding task with few instructions and the freedom that Kali Linux offers with its tools have made a large, in-depth research necessary for me to obtain useful information with the tools and to filter them. However, this time-consuming effort has more than paid off and I have now come to love Kali Linux. The possibilities that Kali Linux offers in terms of ethical hacking are immense and since the OS is so customizable and extensive operations can be carried out with the terminal in a time-saving manner, it is highly recommended for advanced and professional cyber security specialists. Working with the tools, I also understood the power that comes from Nmap and OWASP-ZAP. While I initially found Nmap to be cumbersome and not very user-friendly when used with a Windows OS, I have now understood the potential behind it and I am enthusiastic about the tool. Despite my great progress, which I have made with Kali Linux and the respective tools in the last 20 hours or so, there are still many possibilities to draw from the tools and it will take me many hours before I can use the full potential of Kali Linux.
References:
- Hubbard, D. (2019) The Failure of Risk Management: Why It’s Broken and How to Fix It. Gildan Media. Available from: https://web.p.ebscohost.com/ehost/detail/detail?vid=0&sid=09e58527-ced1-4215-b79a-65f69b175706%40redis&bdata=JnNpdGU9ZWhvc3QtbGl2ZQ%3d%3d#AN=2381255&db=nlebk [Accessed 16 January 2022].
Unit 8
In this unit, standards of security conformance in various industries were examined. For this purpose, a closer look was taken at the General Data Protection Regulation (GDPR), as well as the financial standards of the PCI and the HIPAA. In various case studies, the standards identified were examined for their practical implementation and violations. While the GDPR regulations were largely known to me and have already been discussed in various places, looking at the PCI and HIPAA standards has resulted in more industry-specific investigations of requirements for companies. On the one hand, it was found that the basic standards for regulating security aspects overlap strongly with those of the industry-specific recommendations in relation to the recommendations to ensure them (PCI, 2022). On the other hand, the standards of the financial and healthcare sectors are more focused on their sub-areas and thus offer a more detailed breakdown of the respective requirement areas. The HIPAA standards in particular provide detailed guidance on what data is collected in a medical context and how it must be treated and protected (HIPAA, 2020). Dealing with the case studies is another building block that contributes to competent handling of regulations and standards in information security. Practical examples of violations, which the case studies deal with, make it clear what a variety of aspects have to be considered and what dimensions a violation can take on. When comparing the respective case studies, I noticed that a violation is often based on incorrect programming or automation of the website and its systems (Data Protection Commission, 2020). 
A first in-depth look at the GDPR regulations and industry-specific standards was carried out, but the number of more than 1000 legal hearings in the European Union from 2018, which have led to the respective accused being punished, shows how often violations occur and how the importance for companies of meeting the standards grows (CMS, 2022).
References:
- PCI (2022) PCI Security Standards Overview. Security Standards Council. Available from: https://www.pcisecuritystandards.org/pci_security/standards_overview [Accessed 16 January 2022].
- HIPAA (2020) HIPAA For Dummies. Available from: https://www.hipaaguide.net/hipaa-for-dummies/ [Accessed 20 January 2022].
Unit 9
The aim of this unit was to gain an overview and understanding of a number of techniques and tools that can be used for logging, monitoring and testing systems. Furthermore, the regulations and standards from the previous unit were further discussed in the context of the collaborative discussion. The use of logging and monitoring systems forms the basis of forensic investigative capabilities. Therefore, an understanding of tools is essential to perform the job of cyber security specialist satisfactorily. The overview that the lecturecast gave me is a good first step for me to delve deeper into logging and forensic tools. Since there is a large number of offers, it made sense for me to first keep the distinction between these two tool categories in mind, but also to have a list of recommended tools available so that I can deal with them in a structured way. It was once again amazing for me to see how much potential Kali Linux offers, as it also offers forensic options (Hertzog et al., 2017). It was just as interesting to see that the logging tools pursue different priorities, such as the use of more precise timestamps and the regulated use of TCP links by Syslog-ng, the monitoring and active checking of transfers by Nagios or the network intrusion detection system (NIDS) and the sniffing possibilities that Snort offers. It was also interesting to be made aware of the SIEM system, which, due to its complex structure by correlating, aggregating and analyzing logs, is able to create a report for rule-based recommendations and implement warnings for common attacks (Kotenko & Chechulin, 2012). The consideration of various case studies as part of the Collaborative Discussion 3 prompted me to delve deeper into the GDPR. Through the mail from my fellow students, I was encouraged to look at the regulations from different perspectives and as applied in different circumstances.
It was particularly interesting for me to see how the individual articles of the regulations are interwoven and thus offer comprehensive standards for the personal data protection of people. When the GDPR was introduced in 2018, I saw the new laws more as a hindrance than as a benefit. I now have to reconsider this assessment, as the benefits of the regulations for private individuals are enormous and, especially when considering progressive digitized networking and the access to personal data and their use as well as sale to third parties, can represent an intrusion into the private sphere of individuals, which can have far-reaching consequences for people and must therefore be prevented.
References:
- Hertzog, R., O’Gorman, J. & Aharoni, M. (2017) Kali Linux Revealed, Mastering the Penetration Testing Distribution. Cornelius, USA: Offsec Press. Available from: https://d1wqtxts1xzle7.cloudfront.net/63524487/ch120200604-27390-1kbkd1l-with-cover-page-v2.pdf?Expires=1643292106&Signature=AhbYhiCfDehTUVhL05pv8WS3PY4Yr6rjufdtwhzjKRb1~26W4B2sN2oCEvme5ACV-JSNk2WTg1yzAa0NPMnNm7ccpVIKcU3Js0czcJo5BxCroA34vwXcuVD6tJC3nbmXTFtSML4-V-nAJR-UsXRtP4CSKnmc7NMoQJXClybUURadVG0sej~MeXLU8zMC3v7-On4YAFGsJZUgKyO9cDicNOQ4kSfIQ0nqjcAb-AZnapRjlXBiuBiXHk46GaZ6zRpQ-GtV-i7zvXKEz3Th6UrD3snTkrzANXvu67kVxSTBBnOkTGojvdJ72L~6x5ISikYaUwgA-ZVUIoYra3GXEJEwmw__&Key-Pair-Id=APKAJLOHF5GGSLRBV4ZA [Accessed 31 January 2022].
- Kotenko, I. & Chechulin, A. (2012) Attack Modeling and Security Evaluation in SIEM Systems. St. Petersburg Institute for Informatics and Automation (SPIIRAS). Saint-Petersburg, Russia. Available from: http://siwn.org.uk/press/sai/itssa0008/itssa.0008.2012.041.pdf [Accessed 27 January 2022].
Unit 10
The subject of this unit was to examine and discuss the biggest cyber security breaches of the 21st century, which were discussed in the seminar session. In addition, Collaborative Discussion 3 has ended. Dealing with the biggest violations of data security in the last 22 years has shown that, in addition to small companies that can only muster few staff for cyber security, large corporations are not protected from data breaches and hackers and can become victims of attacks despite well-developed security structures. The number of people affected in such a case can easily exceed 100 million and is therefore often an international crime. When examining the case studies, it is particularly striking that in most cases there is no clear traceability to the perpetrators and only assumptions can be made without concrete evidence (Hill & Swinhoe, 2021). When presenting and comparing different case studies in the seminar, it was noticed that various circumstances can lead to security gaps, be it through outdated software, encryption methods or insufficiently protected databases. Here more examples and presentations by fellow students could have led to an even more comprehensive picture. The conclusion of the Collaborative Discussion 3 gave me an expanded picture of the GDPR due to the many interesting and stimulating contributions and showed me that it is worthwhile to consider topics repeatedly and in depth, so that one's own mindset and knowledge horizon is expanded. The article on the Privacy and Electronic Communications Regulation (PECR) drew my attention to new regulations and standards that must be applied in the context of marketing communication (ICO, 2014). Also, the realization that Art.
5 of the GDPR is the article that is violated most often was an extremely interesting realization, which can be of great use to me in relation to my professional future, since it can be concluded from this that principles such as data minimization, lawfulness, fairness and transparency, as well as purpose limitation are often not properly understood and are therefore violated. The principle of data minimization in particular has a major impact on the work of a cyber security specialist.
References:
- Hill, M. & Swinhoe, D. (2021) The 15 biggest data breaches of the 21st century. CSO Online. Available from: https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html [Accessed 05 February 2022].
- ICO (2014) Audit: a guide to ICO privacy and electronic communications regulations audits. Available from: https://ico.org.uk/media/for-organisations/documents/2784/guide-to-ico-pecr-audits.pdf [Accessed 02 February 2022].
Unit 11
The focus of this unit was on the consideration of future challenges, trends and technologies in the field of networking. The executive summary was also fully developed and submitted. In order to meet the increasing requirements and opportunities, but also the new potential dangers associated with them, in the field of cyber security and to be up to date, possible future trends and technologies must be considered. This includes on the one hand the IP standard (v4 vs. v6), which has already been discussed at various points, but also new security protocols such as the Encapsulating Security Payload (ESP) and technologies such as the software-defined network stacks. Since opportunities and advantages usually go hand in hand with risks, a projected view of future development is necessary for the personal development of competencies. I was shown the latest approaches for future projections of Internet architectures, which enable me to develop an understanding of the current priorities of Internet development and its design. With this knowledge, I can develop intellectual structures at an early stage, which can contribute to solving challenges in the area of Internet architecture and its threat and vulnerability analysis. Of course, such outlooks also offer exciting and stimulating ideas that are used to assess the expected requirements for the Internet of the future. Such an outlook was already made in the first collaborative discussion, in which the IoMT was discussed, which will certainly gain more importance in the future and, especially from the point of view of averting danger and minimizing vulnerabilities due to the potentially direct consequences for affected patients in the event of a successful hacking attack, will be of high priority for cyber security specialists. The final development of the executive summary was a particular challenge in this unit. 
A comprehensive presentation of the results obtained, which is not too technical and therefore easy to understand for non-experts and is nevertheless kept short, requires a consistent choice of priorities and a reflective decision about how to present results, ratings, and recommendations. This challenge therefore also offered great opportunities to develop knowledge and skills in relation to risk management. Here I got to know new methods, such as the risk management method Information System Security Risk Management (ISSRM) and was able to supplement them with already known analysis models such as STRIDE, so that my horizon of experience was enormously expanded (Affia et al., 2020). The practical work on the case study also taught me how to develop and structure a risk assessment, so that this can be of great benefit to me in my professional future. In particular, I found the stimulated, motivated and productive exchange within my remaining team to be a profitable experience. Through the discussions, my knowledge was expanded and new ways of looking at possible solutions were developed. However, more active participants in the team could have led to further insights here, as more potential different perspectives and ideas could have led to even more exchange. In this way, more scanning test results could have been determined, since towards the end of the module all available IP addresses of our team were blocked from the website and even a VPN did not produce the hoped-for solution.
References:
- Affia, A., Matulevicius, R. & Nolte, A. (2020) Security Risk Management in E-commerce Systems: A Threat-driven Approach. Baltic J. Modern Computing 8(2): 213-240. Available from: https://pdfs.semanticscholar.org/19b0/9b3b3e203f1cf09b5434dca168d3a9253bc1.pdf [Accessed 10 February 2022].
Unit 12
At the end of the Network and Information Security Management module, the aim was to consider the possibilities of future Internet architecture. During the seminar, different approaches were presented and compared. Furthermore, upon completion of the module, the e-portfolio was also submitted, which took up a significant part of the working time, but also contributed to the reflection of the module to the same extent. Comparing the different approaches to the potential architecture of the future Internet was quite interesting. Especially since different perspectives were taken and arguments were developed from them, it could be determined that a clear answer to the question of which architecture makes the most sense for the future of the Internet is not easy, or is not possible at all. All approaches offer their own advantages, but also harbour their own dangers. As a result, no final choice could be made during the seminar with regard to the assessment of the best architecture. However, it must also be noted here that only a few participants took part in the seminar and thus also in the discussion, so that a discussion only took place to a limited extent. More participants would certainly have included more arguments and perspectives, which would have led to a clearer decision in the end. A retrospective reflection on the topic has shown me that the approach to determine an architecture for the Internet of the future may not go far enough. Each of the architectures has its own advantages and it is quite possible that each of the architectures mentioned will be used in the future. For example, peer-to-peer networking approaches are already being used within the framework of TOR, as is the mobility first approach, as the example of the Canadian police has shown (Bradford, 2019). So it is quite possible that different structures exist side by side. 
The final processing of the e-portfolio showed me again what personal development was achieved in the course of the module. Through the concluding reflection, the module was looked at retrospectively, whereby situational challenges, but also avoidance and solution strategies could be considered from other perspectives. The aspect of teamwork, which in my case turned out to be particularly challenging in terms of reflection, was particularly interesting. Through reflection, not only problems and challenges could be identified, but also the experiences and the knowledge and personal progress developed on the basis of the complications. The concluding summary of the module was therefore extremely helpful in processing and embedding what was learned in the context of personal development in relation to cyber security professionalism.
References:
- Bradford, M. (2019) #MobilityFirst: Doing More, With Less. MediaEdge Blogging. Available from: http://mediaedgedigital.com/supplierinsights/oacp/mobilityfirst-doing-more-with-less/ [Accessed 18 February 2022].
Final Reflection
The Network and Information Security Management module had three primary task areas that were formative for the module. These were the Design Document, the Executive Summary and the teamwork that accompanied the entire module. In the following, these areas of responsibility are reflected in detail under the aspects of the challenges and problems that have been encountered, how they have been overcome and what experiences, competencies and developments they have yielded.
Design Document:
The subject of the Design Document was to examine a company for its industry-specific regulations and the associated authorities. On the basis of this investigation, potential security gaps that are relevant to the industry were identified and recommendations and potential remedial measures were then made that can reduce the identified risks. The Design Document was an enlightening task, as it enabled me not only to apply the theory learned in practice, but also to develop it further. The realistic case study made possible a structured analysis of vulnerabilities under industry-specific aspects, which gave me deeper insights into the threat analysis of e-commerce providers. In this context, I was also trained in how to deal with and apply standards in a considered manner, which was discussed in more detail in the following units.
With regard to the Executive Summary, the Design Document offered the opportunity to develop an initial overview in order to carry out an in-depth investigation of the website for threats and vulnerabilities. Thus, a starting point for further work was created here. Finding all the responsible authorities was a challenge, as they rarely refer to each other. I perceived the exchange of results in the team to be an enrichment. Working on the Design Document has therefore trained my reflective skills. The practical work also taught me planning skills for projects, since the assessment represented a typical analysis and evaluation process by a consultant for a company. In this way, I was also taught practical application skills for my professional future.
Executive Summary:
The aim of the Executive Summary was to analyze the website theoretically examined in the previous Design Document in depth through practically applied penetration testing, to identify vulnerabilities and to develop mitigation suggestions in order to be able to better protect the website from hacking attacks. Troubleshooting and penetration testing were done via the Kali Linux OS, which initially offered an overwhelming number of pre-installed hacking tools for me. Since ethical hacking was a new experience for me, I was not familiar with most of the tools and how to use them, so this was a challenge for me. However, through research, testing and exchange within the team, this challenge was quickly overcome. The practical experience and skills that I was able to gain through penetration testing help me to develop a reflected understanding of threats and vulnerabilities of websites and represent a logical further step after the theoretical consideration in the Design Document in terms of my personal development. Cyber security exercises offer a great opportunity to develop a better understanding of system structures and security applications and to promote one's own skills (Karjalainen et al., 2019).
The development of the Executive Summary taught me how a structured examination of websites for vulnerabilities can be carried out, how the information obtained is processed and how this can be presented in a non-technical way that is understandable for non-cyber security specialists and yet comprehensive. The change of perspective in the role of an ethical hacker showed me which approach malicious hackers take to obtain information about websites and their vulnerabilities and use them to infiltrate. In this context, I was able to train my analysis skills and assessment skills in relation to risk management and further develop threat mitigation strategies.
Teamwork:
The mutual exchange of knowledge and perspectives and the structured development of results in the team within the framework of the Design Document, the Executive Summary, as well as presentations in the seminar sessions, was an essential part of the module. This type of collaborative work offers great opportunities for maximizing the increase in knowledge and skills while at the same time dividing the work and thus the workload and can lead to better results, especially with regard to cyber security, if the cooperation is successful (Simonson et al., 2020). While studies have validated that training team skills can increase performance by up to 20% (Salas et al., 2008), teamwork also presents challenges that need to be overcome. The full potential of a team can only be used if communication and thus planning and exchange work smoothly.
Technical support can be provided by applications such as Webex, which is used for written communication and data sharing in the context of a chat, but also allows video and audio exchange in the form of meetings (Cisco, 2022). Planning and time management are significantly simplified by confirmation and automatic reminder emails, so that in theory a smooth process can be enabled. While the technical options for an organized, regular exchange via the application were available to us, in practice the individual behaviour of the team members posed a challenge. A lack of attendance and communication led to planning problems, since it was not clear to what extent individual team members would still participate in the module. It was only after the Design Document had been submitted that the firm realization came that two of the team members would no longer participate in the module, which was repeated for another team member when the Executive Summary was submitted. While this led to challenges in terms of our planning, since the planning of the distribution of tasks had to be spontaneously rescheduled and could only be compensated for by the committed and structured cooperation of the remaining team members, a danger in the business environment for teamwork is also evident. Action plans must be designed in such a way that spontaneously occurring complications, be they related to content or personnel, are planned to a certain extent so that deadlines can be met. A change in the team constellation must also be taken into account.
However, these challenges have also led to an increase in efficiency in the team being observed, since these challenges were not only demanding, but also beneficial. My personal time management was put to the test in order to meet deadlines, but also team management, since such structural and spontaneous changes within the team were a new experience for me. I was also able to show developments in relation to my reflective handling of team dynamics, which can be seen in the peer reviews.
- Cisco (2022) Webex – Find out More About Webex. Available from: https://www.webex.com/dg/meetings-0621.html?utm_medium=Paid_Search&utm_source=Google&utm_campaign=fy22q3_enterprise_campaign&utm_term=webex&team=Perf&gclid=Cj0KCQiAmKiQBhClARIsAKtSj-meg2goZkMKwy3HMLNTJEjEGkXC-dNnso3FHMy2vwPs992XvtX5ya4aAqRqEALw_wcB&gclsrc=aw.ds [Accessed 15 February 2022].
- Karjalainen, M., Kokkonen, T. & Puuska, S. (2019) Paedagogical Aspects of Cyber Security Exercises. IEEE European Symposium on Security and Privacy Workshops. 103-108. Available from: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8802450 [Accessed 14 February 2022].
- Salas, E., DiazGranados, D., Klein, C., Burke, S. & Stagl, K. (2008) Does Team Training Improve Team Performance? A Meta-Analysis. University of Central Florida, Orlando. 50(6): 903-933. Available from: https://journals.sagepub.com/doi/pdf/10.1518/001872008X375009 [Accessed 18 February 2022].
- Simonson, R., Keebler, J., Lessmiller, M., Richards, T. & Lee, J. (2020) Cybersecurity Teamwork: A Review of Current Practices and Suggested Improvements, in: Proceedings of the Human Factors and Ergonomics Society Annual Meeting. SAGE Publications. 64(1):451-455. Available from: https://journals.sagepub.com/doi/pdf/10.1177/1071181320641101 [Accessed 18 February 2022].
Evaluation of the Design Document vs. the Executive Summary
The Design Document, in which the legal foundations, standards and regulations of the examined website in the e-commerce industry were examined and on the basis of which threats, vulnerabilities and recommendations were made, served as the basis for the tests carried out in the Executive Summary. Thus, the Design Document could be used as a point of reference for ethical hacking and offered a kind of checklist. Since the Design Document contained a detailed consideration of the standards and regulations relating to the website we examined, the knowledge gained could be fully incorporated into further work. However, the knowledge was deepened and consolidated through further considerations in the following units (see Reflection Unit 8-10). The vulnerability analysis, which was carried out in the Design Document, could be confirmed in the Executive Summary, although not all vulnerabilities could be examined effectively. For example, DoS attacks should be avoided as part of ethical hacking. Even brute force attacks were only partially successful, since this possibility and its ease of practical implementation could be proven, but were not carried out effectively, since a limited login attempt option is suspected, which led to login timeouts. A complete scan of the available user lists of more than 100 users and password lists of one million of the most frequently used passwords would have taken more than 5000 hours, which would have exceeded the time frame. Furthermore, it is noticeable that the Design Document is much more superficial than the Executive Summary. This can be traced back to the fact that the Design Document should only be a theoretical consideration of the website under the aspects typical in the e-commerce industry. Although this theoretical approach offered a general basis for further work, it could not provide such detailed information as the findings from the Executive Summary provide. 
Looking back at the Design Document, however, it can be stated that all the concerns raised in relation to vulnerabilities have their right to be mentioned, so that even after the Executive Summary has been completed, no changes or corrections need to be made to the Design Document. In this way, the correctness of the initial work could also be confirmed.