LEARNING OUTCOMES
The targeted Course Learning Outcomes for this assessment are:
● CLO1 Critically assess the information security state of an organisation from a holistic perspective to evaluate current practices, standards, and policies.
● CLO2 Evaluate potential security risks to an organisation to prioritise appropriate short and long-term countermeasures.
● CLO3 Critically appraise the balance between business information needs and security concerns to strengthen their alignment.
● CLO5 Develop information security policies and programs to address relevant issues and security concerns.
● CLO6 Communicate individual and/or team research findings on information security problems in complex business contexts.
ASSESSMENT DETAILS
You are a team of consultants hired by the National Work Safety Department (NWSD) to perform risk analysis and prepare a project plan for mitigating identified risks. The purpose of this assignment is to demonstrate your findings to the board of directors at the National Work Safety Department (NWSD) and convince them to hire your team for the implementation of this project too. An important part of this project involves analysis and justification of how you discovered their information assets, the value of those assets, threats and vulnerabilities for those assets, and finally their corresponding mitigation strategies.
Your “fact-finding” begins with no prior knowledge of the business. You begin this task with the information provided below as part of your discovery and continue with further investigation. You may use the threats and vulnerabilities that are consistent with the given scenario (shown below), but your “analysis” must not stop there. You are expected to continue with your “discovery” to find additional threats by making reasonable assumptions about the business.
School of Accounting, Information Systems and Supply Chain Semester 1 – 2026
Digital Risk Management and Information Security Page 1 of 7
As part of your narrative of the report and presentation, you should describe the techniques you used
to discover information assets, threats, and vulnerabilities. In the case of some unusual threats, such
as any threat associated with critical infrastructure, you should provide more details of your discovery.
After the fact-finding, you will produce a quantitative risk analysis of the form discussed in lectures
and tutorials. You will then produce a qualitative analysis derived rigorously from the quantitative
analysis. You need to specify the process you followed to move from the quantitative to the qualitative
analysis.
————————————————————————————————————————————-
X-Golf Australia Cybersecurity Risk Assessment Case Study
Organisational Overview
X-Golf Australia operates a franchise network of indoor golf entertainment venues (32 sites in Australia and
NZ) that combine sports simulation technology, hospitality services, and digital customer experiences.
The business has grown rapidly over the past decade and now operates through a mix of
corporate-owned and franchise venues across Australia. Each venue provides customers with access
to advanced golf simulators, food and beverage services, coaching, social competitions, and
entertainment events. Customers interact with the business through a combination of: (i) Venue
point-of-sale systems; (ii) Online booking platforms; (iii) Customer membership accounts and ID
creation for online play and data capture (profile and statistics); (iv) Digital competition and scoring
systems (results, awards, leaderboards, rankings); (v) Venue Wi-Fi and mobile applications; (vi) CRM
and loyalty system (Liven Engage). The company manages a national digital ecosystem that supports
venue operations, customer engagement, and business analytics, and looks to integrate all customer
data into a central point and dashboard to improve customer experience.
Operational Structure
Venue Operations
Each venue is responsible for delivering the customer experience and managing local operations. Roles
typically include Franchise Owners, Venue Managers, Assistant Managers and Coordinators, and casual
team members. Franchise owners and venue managers are generally responsible for hardware and
software actions and processes.
Current Technology Landscape
X-Golf venues rely heavily on digital technology to deliver their services. Each venue includes multiple
interconnected systems supporting both customer experiences and operational management.
Core Systems
Golf Simulator Systems: High-performance simulation hardware and software (X-Green Software using
Unity programming); Integrated scoring, analytics and game modes (X-Green Software and Log In);
Connected to local venue networks and cloud services (AWS).
Booking and Customer Management Platform: (i) Online booking system used by customers to reserve
simulator bays (Meriq Booking system); (ii) Customer profiles and membership accounts (X-Green
software log in); (iii) Competition and leaderboard management (displayed at the player log in page).
References:
– Meriq Booking Flow: X-Golf Surrey Hills, VIC – Internet Reservations by Meriq
– X-Green Log In and Player Profile Creation: X-GOLF Member
– X-Golf Ranking & Leaderboard Display: Your Tour Tournament Leaderboard | X-Golf Player Rankings
Point of Sale (POS) Systems: (i) Food and beverage sales (Abacus POS system); (ii) Integrated payment
processing (Nominee ordering and delivery).
Venue Networks: (i) Local Wi-Fi networks for customers and staff; (ii) Network connectivity for
simulators and POS systems (AWS data flow managed by the Korean headquarters and a company called
XPGA); (iii) Internet access for cloud-based services.
Cloud Services and Data Storage: (i) Centralised storage for customer accounts and booking records
(Meriq and Abacus); (ii) Venue performance data and simulator analytics (X-Green player log in); (iii)
Marketing and CRM systems (Liven Engage CRM drawing from all systems).
The Challenges / Problem
Technology Environment Challenges: As the business has expanded rapidly, its technology
environment has evolved organically and now presents several operational and security challenges.
The management and ownership teams are looking to spend efficiently and effectively on the
development and data flow of the ecosystem, with a key focus on: (i) Customer data management and
security; (ii) Cyber security governance; (iii) Customer data segmentation and delivery to the CRM and
customer-facing platforms (app driven); (iv) Minimising data security risks throughout the hardware
and software environment.
Cybersecurity and Risk Assessment Task: As part of planning this digital transformation initiative,
X-Golf Australia has engaged your cybersecurity consulting team to conduct a preliminary cyber risk
and asset assessment.
————————————————————————————————————————————-
Part A Specification and Requirements
Objective: In Week 8, present your findings in front of the board of directors of the company, covering
key assets, top threats/impacts, and mitigation strategies with costs and benefits. If you present a
convincing analysis and mitigation approach, the board is likely to hire your team for the next phase of
the work, that is, implementation. Therefore, it is important to deliver a convincing presentation.
Goal: secure approval for implementation (security budget).
Format: 8 min + Q&A, professional, well-practised, and visual. The exact schedule will be confirmed by
the tutor the week before.
Part B Specification and Requirements
Objective: Submit a final report addressing questions from your presentation and detailing findings,
recommendations, costs, and visuals for clarity. You need to pay special attention to the questions
raised during your presentation and make a genuine attempt to address them in the report. Please
keep in mind that your goal is to secure a contract from this company and you need to demonstrate
your eagerness and professionalism in your report.
Submission
Before the specified deadline on Canvas you are required to submit the following documents.
Deliverable | Format | Key Requirements
Risk Analysis Report | .docx | Executive Summary, Introduction, Fact-Finding, Quantitative & Qualitative Analysis, Conclusion, References, Appendix
Risk Calculation Spreadsheet | .xlsx | ≥15 risks (≥2 accept), mapped to ISO/IEC 27001 Table A.1, AV/EF/ARO justified via cell comments, 5-year budget plan
Responsibility Matrix | .docx | Roles, contributions, timelines
Peer-reviewed Articles | 2 PDFs | Highlight sections used in the report
Presentation Slides | PPTX | Professional, visual, 2nd slide with team photos/names/course, equal speaking time
*Only ONE team member (Team Leader) needs to submit on behalf of each team.
Please see the following details about the required documents:
1. Risk Analysis Report Structure
● Executive Summary: Concise, clear, persuasive
● Introduction: Convey to the Board what you want to do: purpose, relevance, structure
● Fact-Finding/Discovery: Method, examples, short narrative for 5 risks (2 via questionnaire with
Likert question)
● Quantitative Analysis: This contains an effective summary of your spreadsheet.
● Qualitative Analysis: Convert 5 discovered risks from ALE to risk matrix (clearly labelled
cells/bin boundaries)
● Conclusion: Main recommendations and rationale
● References: RMIT Harvard
● Appendix: Supporting detail
You are encouraged to further organise the report content into meaningful subsections.
Discovery Requirements
Select a fact-finding technique (e.g., interview, survey, document review, observation) and write a
short paragraph explaining how you identified each of five risks.
● Two of the five must be from a questionnaire, with one sample Likert-scale question.
● In each case, explain the threat revealed (e.g., “Survey results showed low awareness of
phishing, indicating a high likelihood of email compromise”).
● For questionnaire results, you may assume a typical response (e.g., median, mean, or standard
deviation). Example of a Likert scale question: “How strongly do you agree with the statement:
‘Our staff is well-trained to recognize phishing emails’?”: Strongly disagree, Disagree, Neither
agree nor disagree, Agree, Strongly agree.
Keep each discovery explanation brief, specific, and clearly linked to the risk identified.
Qualitative Analysis
Convert the ALE results for the five discovered risks into a risk matrix (three separate matrices, clearly
labelled). The matrix must:
● Be derived directly from the quantitative analysis
● Show clear cell/bin boundaries
● Use your own levels if desired, but ensure they match the quantitative results
Referencing Requirements
● Use minimum 6 references, including 4 peer-reviewed (journals or conference papers).
● Submit 2 peer-reviewed PDFs with highlighted sections used in the report.
● Follow RMIT Harvard style.
● All references must be used meaningfully; superficial use will lose marks.
● Cite reputable, recent sources (e.g., Gartner, industry standards, trusted bodies).
Word Count and Formatting
● Report: ~2500 words (+/- 10%), excluding references, appendices, and tables.
● Tables must be editable in Word (no images).
● Professional formatting: clear section headings, numbered sections/pages, appropriate fonts,
and error-free grammar/spelling.
2. Risk Calculation Spreadsheet
The assignment page on Canvas contains a spreadsheet template. This template needs to be used for
ALE risk analysis as per the discussions during class.
Your spreadsheet must contain at least 15 risks. Not all risk decisions should be “transfer” or
“mitigate”. At least two must be “accept”. Seek permission from your lecturer/tutor to include any
“avoid” decisions. For one of the risks, the control should be some form of policy.
Each control in the quantitative analysis should be clearly mapped against a control in Table A.1 in
ISO/IEC 27001:2013. This will require additional columns to be added to the template. Give the code
for the control and a brief name of the control. For example, with A.5.1.1, give A.5.1.1, Policies for
information security in the sheet.
All Asset Values (AV), Exposure Factors (EF0 and EFS) and Annual Rates of Occurrence (ARO0 and AROS)
in the Excel spreadsheet must be supported with appropriate justifications (subscript 0 denotes the value
before the control, S the value with the safeguard in place). This must be done by adding a cell comment
(not a note) to each cell to include your explanation. To add a comment to a cell, right-click the cell and
then click New Comment (read more here and here). Unjustified values will be regarded as incorrect.
Annual Budget, Risk Prioritisation, and Five-Year Budgeting
● Add an Annual Budget worksheet with a 5-year plan for addressing identified risks.
● Base prioritisation on course factors, assuming the annual security budget = 50–60% of total
mitigation costs, same each year.
● Limited funds may require delaying some controls.
● Submit the spreadsheet with two named, professionally formatted worksheets (ALE analysis
+ budget plan).
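As an added worked example (not part of the brief or its Canvas template), the spreadsheet logic above in Python: ALE before and after each control from AV, EF0/EFS and ARO0/AROS, the conversion of the untreated risk into a likelihood/impact matrix cell with labelled bin boundaries, and a five-year budget that funds controls at 55% of total mitigation cost and rolls over those that do not fit. The risk register, dollar figures and bin boundaries are constructed sample data, not X-Golf values.

```python
"""ALE risk analysis, risk-matrix binning and five-year budget scheduling (added example).
All figures here are constructed sample data. Subscript 0 = before the control, S = with
the safeguard in place, as in the assignment spreadsheet."""
from collections import namedtuple

# av: asset value (AUD); ef/aro: exposure factor and annual rate of occurrence (0 before,
# s with safeguard); cost: one-off control cost; decision: accept|mitigate|transfer;
# iso: ISO/IEC 27001:2013 Table A.1 control code and name.
Risk = namedtuple("Risk", "name av ef0 aro0 efs aros cost decision iso")

def ale(av, ef, aro):
    """Annualised Loss Expectancy = SLE * ARO, where SLE = AV * EF."""
    return av * ef * aro

def analyse(r):
    """ALE before and after the control, and the annual loss reduction the control buys."""
    before, after = ale(r.av, r.ef0, r.aro0), ale(r.av, r.efs, r.aros)
    return {"ale0": before, "ales": after, "reduction": before - after}

# Qualitative bin boundaries (upper bounds, ascending); the matrix is derived from these.
ARO_BINS = [(0.1, "Rare"), (0.5, "Unlikely"), (1.0, "Possible"), (5.0, "Likely")]
SLE_BINS = [(10_000, "Minor"), (50_000, "Moderate"), (250_000, "Major")]

def bin_level(value, bins, top):
    """First bin whose upper bound the value does not exceed, else the top level."""
    return next((label for bound, label in bins if value <= bound), top)

def matrix_cell(r):
    """Likelihood from ARO0 and impact from SLE0 = AV * EF0: the cell of the untreated risk."""
    return bin_level(r.aro0, ARO_BINS, "Almost certain"), bin_level(r.av * r.ef0, SLE_BINS, "Severe")

def budget_plan(risks, years=5, fraction=0.55):
    """Fund controls over `years` with a fixed annual budget of `fraction` x total mitigation
    cost, best ALE reduction per dollar first; controls that do not fit roll to the next year."""
    todo = [r for r in risks if r.decision != "accept"]
    budget = round(fraction * sum(r.cost for r in todo))
    todo.sort(key=lambda r: analyse(r)["reduction"] / max(r.cost, 1), reverse=True)
    plan = {}
    for year in range(1, years + 1):
        left, plan[year] = budget, []
        for r in todo[:]:
            if r.cost <= left:
                plan[year].append(r.name); left -= r.cost; todo.remove(r)
    return plan

RISKS = [  # constructed sample register
    Risk("Staff phishing", 200_000, 0.30, 2.0, 0.10, 0.5, 30_000, "mitigate",
         "A.7.2.2 Information security awareness, education and training"),
    Risk("POS ransomware", 500_000, 0.60, 0.5, 0.20, 0.2, 80_000, "mitigate", "A.12.3.1 Information backup"),
    Risk("Flat venue Wi-Fi", 150_000, 0.40, 1.0, 0.10, 0.5, 40_000, "mitigate", "A.13.1.3 Segregation in networks"),
    Risk("No security policy", 100_000, 0.20, 1.0, 0.10, 0.5, 10_000, "mitigate",
         "A.5.1.1 Policies for information security"),
    Risk("Leaderboard defacement", 5_000, 0.50, 0.25, 0.50, 0.25, 0, "accept", "n/a"),
]
```

Note that the ransomware control has the largest absolute ALE reduction but the lowest reduction per dollar, so under this prioritisation it is deferred to year 2; the choice of ranking factor is part of the justification the brief asks for.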
3. Responsibility Matrix
In the early weeks of the semester, discuss in your team how each member will contribute to the
assignment. Ensure everyone understands their responsibilities and delivery timelines. The document
should reflect each member’s actual contribution to the report, which may require further discussion
and consensus. If disputes arise, the lecturer/tutor will review the development history to allocate
marks proportionately. Please alert your tutor to any issues as early as possible.
4. Two Peer-reviewed articles
As part of your Part B submission, you need to submit two peer-reviewed articles that you have used
in your report. You need to highlight the sections that you have incorporated in your report. Articles
without highlights will not be considered as valid references.
5. Presentation and Slides
● Week 8 tutorial; In-class presentation: 8 min max/team + Q&A.
● Professional, well-structured, and visual – avoid messy or unclear slides.
● Slide 2: photos, names, course, and degree of all team members to showcase team skills.
● Rehearse for smooth delivery.
● Exact time/order announced one week prior by your tutor.
General Requirements
Team Formation
● Group work; max 7 members, same class
● Form teams by end of Week 4 (coordinate in class or via MS Teams channel)
● Marks may differ based on contribution; disputes resolved via interviews and proof of work
● Report major issues early to lecturer/tutor
Proof of Work Requirements
● To receive marks, you must show a complete record of assignment file development in MS Teams
(linked with SharePoint). This ensures transparency and fairness for all groups.
● Compliant examples (tracked edits, version history in Teams, comments in files, and shared
working drafts in the General channel) & Non-compliant examples (offline edits not uploaded,
email file exchanges, or using platforms outside Teams).
● If proof of work is missing, marks may be heavily reduced (up to zero) regardless of report quality.
This rule applies equally to all groups and is intended to protect students from disputes over
contribution. If unsure, check with your lecturer/tutor before starting – missing history cannot be
recreated later.
REFERENCING GUIDELINES
● Use the RMIT Harvard referencing style for this assessment.
● You must acknowledge all the sources of information you have used in your assessments.
● Refer to the RMIT Easy Cite referencing tool to see examples and tips on how to reference in the
appropriate style. You can also refer to the library referencing page for more tools such as EndNote,
referencing tutorials and referencing guides for printing.
ACADEMIC INTEGRITY AND PLAGIARISM
Academic integrity is about the honest presentation of your academic work. It means
acknowledging the work of others while developing your own insights, knowledge, and ideas. You
should take extreme care that you have:
● Acknowledged words, data, diagrams, models, frameworks, and/or ideas of others you have
quoted (i.e. directly copied), summarised, paraphrased, discussed, or mentioned in your
assessment through the appropriate referencing methods,
● Provided a reference list of the publication details so your reader can locate the source if
necessary. This includes material taken from Internet sites.
If you do not acknowledge the sources of your material, you may be accused of plagiarism because
you have passed off the work and ideas of another person without appropriate referencing, as if
they were your own.
RMIT University treats plagiarism as a very serious offence constituting misconduct. Plagiarism
covers a variety of inappropriate behaviours, including:
● Failure to properly document a source
● Copying material from the internet or databases
● Collusion between students
For further information on our policies and procedures, please refer to
https://www.rmit.edu.au/students/student-essentials/rights-and-responsibilities/academic-integrity
Marking Guide
Please check the Canvas page for Submission to find the details about the marking guide, which will be
used for assessing this task.
ASSESSMENT DECLARATION
When you submit work electronically, you agree to the assessment declaration.
KV5035 Assessment Part 2