Teaching information security management: reflections and experiences

Purpose – The purpose of this paper is to describe the development, design, delivery and evaluation of a postgraduate information security subject that focuses on a managerial, rather than the more frequently reported technical perspective. The authors aimed to create an atmosphere of intellectual excitement and discovery so that students felt empowered by new ideas, tools and techniques and realized the potential value of what they were learning in the industry.

Design/methodology/approach – The paper develops fundamental principles and arguments that inform the design and development of the teaching curriculum. The curriculum is aimed at security management professionals in general and consultants in particular. The paper explains the teaching method in detail including the specific topics of lectures, representative reading material, assessment tasks and feedback mechanisms. Finally, lessons learned by the authors and their conclusions are presented as a form of reflection.

Findings – The instructors r...
