- When: Sep 5 – Oct 26, 2017. This is a 3-credit, semester-length course scheduled at an accelerated pace of 8 weeks. Each week consists of two 2-hour sessions.
- Where: Students can choose to take the class either 1) in person at the UMass Center in Springfield, MA, or 2) as remote participants. All class sessions will be recorded, and online students can view them later in the day or week. Readings, discussion forums, and other interactive sessions are required of remote participants.
- Instructor: Mandy Andress
- This class can be applied towards the Information Security Certificate or as an outside elective for the CS MS degree.
This course covers assessing, measuring, and managing information risk in today's organizations. We will review the most current literature, which is still developing on this topic, and engage students in case studies that allow them to make connections between the academic literature and actual practice.
Learning objectives of this course include:
- Defining risk in the context of information management
- Identifying discrete types of risk and the relevant approaches to managing each
- Discerning risk appetite related to context
- Applying academic concepts to practice through case study process
There are no uniform exams for this course. Each student should be prepared to engage in Socratic dialogue with the instructor based on the readings and the development of course content, and to contribute ongoing and original thought in class discussion. Group work will be incorporated into class exercises, and student-to-student evaluation will be an integral component of the course work.
Each student will also identify a research topic in consultation with the instructor. Ongoing consultation with the professor is encouraged throughout the research. The final product will be a standard term paper and a presentation of the material to the class. Presentations will be made throughout the course and do not have to coincide with the final paper. Students are encouraged to consider topics early in the course.
Grading will be based on all of these components of the course.
Class One: Introduction (9/5)
- Course Objectives
- Schedule and Syllabus
- Overview of Information Risk Management
- General Overview of the Case Study Process
Readings:
- Freund, Chapter 1
- Hubbard, Failure, Chapter 1
- PWC, Board Oversight of Risk: Defining Risk Appetite in Plain English, http://www.pwc.com/us/en/corporate-governance/publications/assets/pwc-risk-appetite-management.pdf
- Deloitte, Risk Appetite Frameworks, https://www2.deloitte.com/content/dam/Deloitte/au/Documents/risk/deloitte-au-risk-appetite-frameworks-financial-services-0614.pdf
- RSA, Cyber Risk Appetite, https://www.rsa.com/content/dam/rsa/PDF/2016/05/h15150-cyber-risk-appetite-wp.pdf
Class Two: Basic Risk Concepts (9/7)
- Introduction to FAIR and risk frameworks
Readings:
- Freund, Chapters 2-3
- Hubbard, Failure, Chapters 2-3
Class Three: Understanding FAIR
Readings:
- Freund, Chapter 4
- Hubbard, Failure, Chapters 4-5
Class Four: Introduction to Measurement
Readings:
- Freund, Chapter 5
- Hubbard, Failure, Chapter 6
- Hubbard, How to Measure, Chapters 1-2
Class Five: Introduction to Measurement
Readings:
- Hubbard, Failure, Chapter 7
- Hubbard, How to Measure, Chapters 3-4
Class Six: Risk Analysis
Readings:
- Freund, Chapters 9-10
- Hubbard, Failure, Chapter 8
- Hubbard, How to Measure, Chapter 5
Class Seven: Measurement Methods
Readings:
- Hubbard, Failure, Chapter 10
- Hubbard, How to Measure, Chapters 6-7
Class Eight: Putting the Concepts Together, Using Frameworks
Readings:
- Freund, Chapters 12 and 14
- Hubbard, Failure, Chapter 12
Class Nine: Advanced Measurement
Readings:
- Hubbard, How to Measure, Chapters 8-9
Class Ten: Risk Analysis
Readings:
- Freund, Chapters 6-8
- Hubbard, How to Measure, Chapters 10-12
Class Eleven: Controls
Readings:
- Freund, Chapter 11
Class Twelve: Managing Risk
Readings:
- Freund, Chapter 13
Class Thirteen: Mitigating Risk
Readings:
- 4D5A Security, To Insure or Not to Insure, That is the Question, http://4d5asecurity.com/to-insure-or-not-to-insure-that-is-the-question-cyber-risk-liability-insurance-primer
- Bentz, Thomas, Protecting Against Cyber Risk, https://www.hklaw.com/PrivacyBlog/Protecting-Against-Cyber-Risk-A-Primer-on-Cyber-Insurance-01-15-2015/
- Raptis, Steve, Analyzing Cyber Risk Coverage, http://www.riskandinsurance.com/analyzing-cyber-risk-coverage/
- Reisch, Alan, Cyber/Privacy Insurance, https://bostonbarjournal.com/2015/10/21/cyberprivacy-insurance-a-very-brief-primer/
Class Fourteen: Building a Risk Management Program
Class Fifteen: Presentations
Class Sixteen: Presentations and Wrap-Up - PAPERS DUE END OF DAY
General Course Information, Academic Integrity and Disability Services
For information about University of Massachusetts Amherst Student Disability Services, please see: http://www.umass.edu/disability/students.html
Also, please review the University of Massachusetts Amherst Academic Honesty Policy and Procedures, to be found starting at this page: http://www.umass.edu/honesty/
Contact information, office hours, and other logistics will be addressed on site at the first class.
- Freund, Jack and Jones, Jack, Measuring and Managing Information Risk: A FAIR Approach, Elsevier, 2015, Amazon information: http://www.amazon.com/Measuring-Managing-Information-Risk-Approach/dp/0124202314
- Hubbard, Douglas, The Failure of Risk Management: Why It’s Broken and How to Fix It, Wiley, 2009, Amazon information: https://www.amazon.com/gp/product/0470387955/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1
- Hubbard, Douglas, How to Measure Anything in Cybersecurity Risk, Wiley, 2016, Amazon information: https://www.amazon.com/How-Measure-Anything-Cybersecurity-Risk/dp/1119085292/ref=sr_1_1?ie=UTF8&qid=1503447060&sr=8-1&keywords=how+to+measure+anything+in+cyber+security+risk