How to make organizations resilient to cybersecurity risks?
Enterprises are more and more dependent on Information Technology. This dependency creates risks: business continuity risks, data quality risks, compliance risks, and strategic risks. Increasingly, the security of one enterprise depends on other enterprises in a network, and can no longer be dealt with on its own. Moreover, the impact of a breach of security now extends into physical reality, potentially affecting power plants, traffic control systems and the lives of millions of people. The complex domain of interdependent physical and information security is called cybersecurity.
Most managers regard security as a technical issue. This view is too narrow. Instead, managers need to view cybersecurity from a business perspective, focusing on the potential impact of security threats on the organization. Risk management is about assessing the likelihood and impact of a risk, and making trade-offs in taking measures to prevent, detect, respond to and recover from incidents. The purpose is to make organizations resilient to risks.
This course will give an overview of common cybersecurity and risk management approaches, and explain which approach is suitable for which kind of risk. The course covers security engineering (Anderson, 2008), cyber risk management (Refsdal, Solhaug, & Stolen, 2015), and practical approaches to cyber resilience (PAS 555: 2013), contrasted with a scientific perspective on the role of security in society (Helbing, 2013; Power, 2007). In particular, the ethical and legal aspects will be discussed (privacy, data protection, GDPR). At the end of the course, students are able to
- Describe common frameworks for cyber security and resilience (ISO 27001/2, PAS 555)
- Distinguish various types of security risks (confidentiality, integrity, availability)
- Analyze a system and perform a systematic risk assessment (likelihood and impact)
- Explain the use of common types of security measures, including cryptography, to address these risks
- Discuss ethical and legal aspects of security, including privacy and data protection (GDPR)
- Appreciate the multi-disciplinary nature of security risks and their impact on society
Students are expected to have a basic understanding of computer science, in particular computer architecture, operating systems and networks, as these are the building blocks for information security. Students who lack such background knowledge can study the following book, in particular Chapters 1–4.
- Brookshear, J. G. (2012). Computer Science: An Overview (11th ed.): Addison-Wesley.
Cyber security covers a multidisciplinary application domain, shaped by ideas from computer science, engineering, sociology, psychology and economics. The course is designed in such a way that students will acquire sufficient theoretical background to solve actual cyber security challenges.
Lectures address knowledge and theory, with frequent exercises. In addition, guest lectures will provide examples of the application of theory to practice. Tutorials address skills, such as systems analysis, risk assessment and debating skills. Some assignments must be handed in. Both lectures and tutorials are interactive, and discuss real cases. This only works when students prepare the reading material or cases for that week. To test prior knowledge and preparation, each week we will do a quiz on Canvas (pass/fail).
The course ends with a term paper. Teams of four students work on a historical cybersecurity case, or on a case provided by the guest lecturers. All studies must follow the risk management method of the course: define security objectives, analyse the system in context, perform risk assessment, and make recommendations to improve security measures. Outcomes are presented in a presentation for a panel of experts, and a written report. A report is based on a literature review and case descriptions, taken from public sources or interviews. The length of a report is at most 4000 words. As always, a report meets academic standards concerning structure, style, argumentation, literature and conclusions.
The final grade is determined as a combination of individual quizzes, an individual written exam, and a combination of assignments and term papers in groups of four students. The relative weights are as follows:
- Quizzes on Canvas (pass/fail)
- Assignments and term paper in groups of four students (40%)
- Individual exam (60%)
Selected chapters from:
- Anderson, R. (2008). Security Engineering: a guide to building dependable distributed systems (2nd ed.): Wiley. Chapters available online at https://www.cl.cam.ac.uk/~rja14/book.html.
- Refsdal, A., Solhaug, B., & Stolen, K. (2015). Cyber-Risk Management: Springer.
- Relevant articles to be made available on Canvas
Course available for exchange students (Master level, conditions apply).
Written test opportunities:
- Written exam (60%), EXAM_01, BLOK 1, opportunity 1: 25-10-2019
- Written exam (60%), EXAM_01, BLOK 1, opportunity 2: 10-01-2020