Cyber Security

Spring 2018
Erlan Bakiev, Ph.D. Office Hours: Thursday 2:15 p.m.-4:15 p.m.
Room: 220
Phone:
E-mail: erlanbakiev@gmail.com
Website: www.erlanbakiev.weebly.com

Required Textbook

Rhodes-Ousley, Mark. Information Security: The Complete Reference, Second Edition, .

Information Security Management: Concepts and Practice. New York, McGraw-Hill,
2013

A.
Course Description

This course concerns the study of information security from the strategic perspective of
the general manager in organizations and its applications to the functions, needs, and role
of management and implications in both private and public organizations. The ability to
secure information within a modern enterprise—large or small—is a growing challenge.
Threats to information security are global, persistent, and increasingly sophisticated.
Long gone are the days when managers could hope to secure the enterprise through ad
hoc means.
This course is designed to teach students how to engage all functional levels within the
enterprise to deliver information system security. To this end, the course addresses a
range of topics, each of which is vital to securing the modern organization. These topics
include inter alia plans and policies, enterprise roles, security metrics, risk management,
standards and regulations, physical security, and organization continuity. Each piece of
the puzzle must be in place for the enterprise to achieve its security goals; adversaries
will invariably find and exploit weak links.

Learning Objectives

This course introduces cybersecurity theories that will allow students to analyze cases
and their theoretical applications of organization system. Furthermore, students will
develop their management skills and awareness of information security by comparing it
to real organizational situations and interactions.
Upon successful completion of this course, the student will be able to:

1. Assess the current security landscape, including the nature of the threat, the
general status of common vulnerabilities, and the likely consequences of security
failures;
2. Appraise the interrelationships among elements that comprise a modern security
system, including hardware, software, policies, and people;

1
 Cyber Security

3. Assess how all domains of security interact to achieve effective system-wide

security at the enterprise level.
4. Compare the interrelationships among security roles and responsibilities in a
modern information-driven enterprise—to include interrelationships across
security domains (IT, physical, classification, personnel, and so on);
5. Assess the role of strategy and policy in determining the success of information
security;
6. Estimate the possible consequences of misaligning enterprise strategy, security
policy, and security plans;
7. Design a notional information security plan that incorporates relevant principles
of lifecycle management;
8. Evaluate the principles of risk and conduct a notional risk management exercise;
9. Assess the role of good metrics and key performance indicators (KPIs) in security
assessment and governance;
10. Create a good set of information security metrics;
11. Critique the current legal and regulatory environment as it applies to
cybersecurity;
12. Identify and contrast the most common security standards and associated
catalogues of security controls;

Course Requirements

Session Article Preparation, Presentation, and Discussion

Since session article preparation and discussion play a critical role in obtaining
knowledge and understanding of topics in this course, students are encouraged to read the
required readings for each session, and be ready to discuss in depth its essential ideas in
the class. Please be ready to present the key messages of the article to the class in a clear
and concise way and try to answer the following questions when you do your readings:
What are the main issues raised by the article? What are the research questions of the
article? What are the main arguments or findings of the article? Which theoretical
perspectives can be applied to real life situations mentioned in the article?

1) Assignments (10%) The number of homework assignments will be assigned over the
course of the semester.

2) Mid-term (30%) The mid-term will be an in-class exam designed to assess student
facility with concepts. There may be some objective format items such as multiple
choice.

3) Term Project (20%) Students will form groups, and conduct a team project to analyze
any public (nonprofit) organization or private company with the concepts and tools
discussed in the course. Please choose some specific organizational cyber security issues
and apply the concepts developed in the class to make diagnosis, analyses, and give
suggestions. If you plan to submit an empirical study the information on organizations

2
 Cyber Security

can be collected from public data sources, such as data banks of university, from
newspapers and magazines, and any other public sources.
Each group will present their Team Projects on the session of 12th of May 2016. Each
team will be given 10 minutes to present their project. For questions and discussion will
be given 5-10 minutes for each group.

The written report (article) of the Team Project should be returned on 5th of April 2016
and shouldn’t exceed 15 pages (not including cover page, using Times New Roman, font
size 12, double spaced). Please submit the report in electronic version (go green).

4) Final (40%) The final exam will be a semi-comprehensive exam comprised of

concepts and applications discussed in class.

NOTE: Students are always responsible for weekly reading assignments listed in this
syllabus after coming to class. Notes distributed in class and textbook material are to be
read following the class lecture in which the topics were discussed.

Grading Criteria
-Assignments %10
-Mid-Term %30
-Term Project%20
- Final %40

Attendance Policy
Attendance is important to stay on top of class material and homework assignments.
Students are encouraged to come to class, but are left with the responsibility of managing
their own attendance. Attendance will be taken for the purpose of explaining poor
performance should the need arise.

Evaluation Policy
Students will be allowed to make-up an exam or submit homework or other assignments
beyond a deadline only with written documentation (e.g., doctor’s letter) for extenuating
circumstances covered under IAU policy.

Caveat
The instructor reserves the right to change the schedule, assignments, and/or evaluation
criteria throughout the semester. Any changes will be announced to the class with
sufficient notice to prepare for the changes. It is your responsibility to keep informed
about discussion topics and assignments. If in doubt, check with your instructor.

3
 Cyber Security

B.
Tentative Agenda

Topic Assigned Reading

________________________________________________________________________

Week 1: Introduction to Cybersecurity: what is cyber extremism and terrorism.

Read Rhodes-Ousley text Chapter 1

Week 2: The Security Environment: Threats, vulnerabilities, and consequences

Read Rhodes-Ousley text Chapter 2

Week 3: Principles of Cybersecurity: The interrelated components of the computing

environment
Read Rhodes-Ousley text Chapter 4

Week 4: Cybersecurity Management Concepts: Security governance and

Management models, roles, and functions
Read Rhodes-Ousley text Chapter 5

Week 5: Enterprise Roles and Structures: Information security roles and positions
and Alternative enterprise structures and interfaces
Read Rhodes-Ousley text Chapter 6

Week 6: Strategy and Strategic Planning: Strategy, Strategic planning and security
strategy, the information security lifecycle and Architecting the
enterprise
Read Rhodes-Ousley text Chapter 7

Week 7: Security Plans and Policies: Levels of planning, Planning misalignment,

The System Security Plan (SSP) and Policy development and implementation
Read Mejia et al. text Chapter 8

Week 8: Midterm exam

Week 9: Laws and Regulatory Requirements

Read Mejia et al. text Chapter 3

Week 10: Security Standards and Controls

Read Mejia et al. text Chapter 30

Week 11: Risk Management: Principles of risk, Types of risk and Risk strategies
Read the material

Week 12: Security Metrics and Key Performance Indicators (KPIs): The challenge

4
 Cyber Security

of security metrics. What makes a good metric? Approaches to security

metrics
Read Mejia et al. text Chapter 13

Week 13: Term Project Presentations

Week 14: Final Exam

5
 Cyber Security

C.
CLASS SCHEDULE
Weekly Schedule/Assignment
Assignment
Week/Date Session/Topic (Turn in the beginning of
class session)

1 Introduction to Read the Chapter 1 and

January 16 Cybersecurity: what is assigned articles
cyber extremism and
terrorism.
2 The Security Read the Chapter 2 and
January 23 Environment: Threats, assigned articles;
vulnerabilities, and Form your groups on your
consequences term project and decide on
topic

3 Principles of Read the Chapter 4 and

January 30 Cybersecurity: The assigned articles;
interrelated components
of the computing
environment

4 Cybersecurity Read the Chapter 5 and

February 6 Management Concepts: assigned articles
Security governance
and Management
models, roles, and
functions
5 Enterprise Roles and Read the Chapter 6 and
February 13 Structures: Information assigned articles;
security roles and
positions and
Alternative enterprise
structures and
interfaces

6 Strategy and Strategic Read the Chapter 7 and

February 20 Planning: Strategy, assigned articles;
Strategic planning and
security strategy, the
information security
lifecycle and
Architecting the
enterprise

6
 Cyber Security

7 Security Plans and Read the Chapter 8 and

February 27 Policies: Levels of assigned articles;
planning, Planning Please submit draft of
misalignment, The your term project
System Security Plan
(SSP) and Policy
development and
implementation
8 Midterm Exam
March 6
9 Laws and Regulatory Read the Chapter 3 and
March 13 Requirements assigned articles;

10 Security Standards and Read the Chapter 30 and

March 20 Controls assigned articles
11 Risk Management: Read the assigned articles
March 27 Principles of risk,
Types of risk and Risk
strategies
12 Security Metrics and Read the Chapter 13 and
April 3 Key Performance assigned articles
Indicators (KPIs): The
challenge of security
metrics. What makes a
good metric?
Approaches to security
metrics

13 Term Project
April 10 Presentations
14 Final Exam
April 17