FAIR UNIVERSITY SYLLABUS
Course Code: Information Security Risk Management
Semester:
Credit Hours: [Enter Credit Hours]
Class Details:
- Classroom Location:
- Class days / times:
Instructor Contact Information:
- Name:
- Phone:
- Office: Location and Hours
Course Description
This course will introduce quantitative risk measurement and management methods applicable to a broad spectrum of industries. Principally, it will delve deeply into FAIR (Factor Analysis of Information Risk)—an industry standard risk model—which caters to information security and operational risk. To help contextualize these methods and model, the students will compile a case study that entails: researching a risk topic, scoping an analysis, using the FAIR-U tool to perform the risk analysis, and presenting the results.
Course Goals
Students who successfully complete this course will demonstrate an ability to:
- Think critically about risk measurement and management methods
- Define, calculate and analyze risk in a defensible way
- Leverage a probabilistic mindset when evaluating risk
- Demonstrate a working familiarity with the FAIR model
- Translate risk analysis into meaningful business decisions
- Explain how the FAIR model can augment the NIST Cybersecurity Framework (CSF)
Required Reading Materials
All books are available on Amazon.com or at the University bookstore.
The Failure of Risk Management: Why It's Broken and How to Fix It, Wiley, 2009, by Douglas Hubbard. ISBN 978-0-470-38795-5
https://www.amazon.com/gp/product/0470387955/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1
How to Measure Anything in Cybersecurity Risk, 1st Edition, Wiley, 2016, by Douglas Hubbard. ISBN 978-1119085294
https://www.amazon.com/How-Measure-Anything-Cybersecurity-Risk/dp/1119085292
Measuring and Managing Information Risk: A FAIR Approach, Butterworth-Heinemann, 2015, by Jack Freund and Jack Jones. ISBN 978-0-12-420231-3
http://www.amazon.com/Measuring-Managing-Information-Risk-Approach/dp/0124202314
Jones, Jack. “NIST CSF & FAIR - Parts 1-5.” Web blog post. The FAIR Institute Blog. The FAIR Institute, Mar. 2016. http://www.fairinstitute.org/blog/nist-csf-fair-part-1
Suggested Reading
Available through The Open Group:
O-RT Risk Taxonomy Standard, The Open Group.
https://www2.opengroup.org/ogsys/catalog/C13K
O-RA Risk Analysis Standard, The Open Group.
https://www2.opengroup.org/ogsys/catalog/C13G
Other technology requirements / equipment / material
To succeed in this course, students will need access to a computer with internet access, along with Microsoft Word, PowerPoint, and Excel.
Course Requirements and Assignments
Class Participation
All assigned reading must be completed prior to the start of each class. Students are expected to actively listen, ask questions, and engage in constructive dialogue during class. To maximize the learning experience, students should come to class prepared to share a particular insight based on the readings, and/or bring an article related to the class topic.
In-class exercises will occur intermittently throughout the semester; these exercises will include both individual and group work.
Case Study
The Case Study consists of two deliverables: A Presentation and a Risk Analysis Paper. Presentations will be scheduled within the first few weeks of the semester, then occur throughout the duration of the course. The Risk Analysis Paper is due the last class period (see assignment schedule).
Each student will be given the opportunity to identify a risk analysis topic, subject to the instructor’s approval. Once a topic is approved, students are expected to research the topic and then perform a risk analysis in the FAIR-U tool. Access to and instructions for the tool will be provided by the instructor.
More specific details about the schedule and structure of the Case Study will be provided by the instructor via an in-class handout. For an optimal Case Study experience, students are encouraged to seek ongoing consultation with the instructor during the project.
Note on Exams:
There are no Midterm or Final exams for this course.
Grading Chart
| Range | Grade | Range | Grade | Range | Grade | Range | Grade | Range | Grade |
|---|---|---|---|---|---|---|---|---|---|
| 97-100% | A+ | 87-89.9% | B+ | 77-79.9% | C+ | 67-69.9% | D+ | <60% | F |
| 94-96.9% | A | 84-86.9% | B | 74-76.9% | C | 64-66.9% | D | | |
| 90-93.9% | A- | 80-83.9% | B- | 70-73.9% | C- | 60-63.9% | D- | | |
Grading
Your final grade will be calculated based on the following weights:
| Component | Weight |
|---|---|
| Class Participation | 40% |
| Case Study: Risk Analysis Paper | 30% |
| Case Study: Presentation | 15% |
| In-class exercises | 15% |
University Expectations and Policies
< Insert any applicable material (e.g. Disability, Academic Honesty, Make-Up Policies etc.) >
Class Assignment / Reading Schedule*
(*Subject to change; notice of amendments will be provided by instructor.)
| Week | Date | Topic | Readings/Assignments |
|---|---|---|---|
| 1 | dd-mmm | Introductions; Syllabus & Class Overview | |
| | | Current Crisis | Failure, Ch. 1-2 |
| 2 | | Evaluation Methods | Failure, Ch. 3 |
| | | The Broken State of Risk Management | Failure, Ch. 4-6 |
| 3 | | Overcoming Bad Practices | Failure, Ch. 7-9 |
| | | Implementing Improvements | Failure, Ch. 10-11 |
| 4 | | The Risk Community | Failure, Ch. 12 |
| | | The Primer for Cybersecurity | How to Measure, Ch. 2 |
| 5 | | Quantitative Methods to Cybersecurity | How to Measure, Ch. 3-4 |
| | | Unpacking the Details | How to Measure, Ch. 5-6 |
| 6 | | Estimates and Uncertainties | How to Measure, Ch. 7-8 |
| | | Powerful Models and Metrics | How to Measure, Ch. 9-10 |
| 7 | | Working Together to Move Forward | How to Measure, Ch. 11-12 |
| | | Introduction to FAIR | FAIR, Ch. 1 |
| 8 | | Basic Risk Concepts | FAIR, Ch. 2 |
| | | The FAIR Risk Ontology | FAIR, Ch. 3 |
| 9 | | FAIR Terminology | FAIR, Ch. 4 |
| | | Measurement | FAIR, Ch. 5 |
| 10 | | Analysis Process | FAIR, Ch. 6 |
| | | Interpreting Results | FAIR, Ch. 7 |
| 11 | | Risk Analysis Examples | FAIR, Ch. 8 |
| | | Thinking about Risk Scenarios Using FAIR | FAIR, Ch. 9 |
| 12 | | Common Mistakes | FAIR, Ch. 10 |
| | | Controls | FAIR, Ch. 11 |
| 13 | | Risk Management | FAIR, Ch. 12 |
| | | Information Security Metrics | FAIR, Ch. 13 |
| 14 | | Implementing Risk Management | FAIR, Ch. 14 |
| | | FAIR and NIST CSF | “NIST CSF & FAIR - Parts 1-5.” The FAIR Institute Blog. |
| 15 | | Guest Speaker | |
| | | TBA | |
| 16 | | Presentations | Reference: in-class Case Study handout |
| | | Presentations; Risk Analysis Papers | Reference: in-class Case Study handout |