English   Danish

2018/2019  KAN-CCMVI2075U  Information Security Management

English Title
Information Security Management

Course information

Language English
Course ECTS 7.5 ECTS
Type Elective
Level Full Degree Master
Duration Summer
Start time of the course Summer
Timetable Course schedule will be posted at calendar.cbs.dk
Max. participants 60
Study board
Study Board for MSc in Economics and Business Administration
Course coordinator
  • Course instructor - Michelle C. Antero, Assistant Professor, Zayed University, Michelle.Antero@zu.ac.ae
    Sven Bislev - Department of Management, Society and Communication (MSC)
In case of any academic questions related to the course, please contact the course instructor or ISUP academic director, Sven Bislev at sb.msc@cbs.dk
Main academic disciplines
  • Corporate governance
  • Information technology
  • Management
Teaching methods
  • Face-to-face teaching
Last updated on 10/12/2018

Relevant links

Learning objectives
To achieve the grade 12, students should meet the following learning objectives with no or only minor mistakes or errors:
  • Identifying and analyzing vulnerabilities, threats and exploits.
  • Develop an appropriate risk management strategy based on the assets and activities that need to be protected.
  • Investigate and report on the importance of policy specification, user awareness, and process standards in a program for information security..
  • Describe and perform the steps of contigency planning to prepare an enterprise for unexpected events.
  • Define the role of the information security program, and of information security professionals and managers within an enterprise.
  • Critically assess the information security posture of the organization from the perspective of an employee. 
Course prerequisites
Completed Bachelor degree or equivalent
Information Security Management:
Exam ECTS 7.5
Examination form Home assignment - written product
Individual or group exam Individual exam
Size of written product Max. 15 pages
Assignment type Project
Duration Written product to be submitted on specified date and time.
Grading scale 7-step scale
Examiner(s) One internal examiner
Exam period Summer, Ordinary exam: Home Assignment: 25/26 June - 29 July 2019. Please note that exam will start on the first teaching day and will run in parallel with the course.
Retake exam: Home Assignment: 72-hour home assignment: 8-11 October 2019 - for all ISUP courses simultaneously.
3rd attempt (2nd retake) exam: 72-hour home assignment: 25-28 November 2019 - for all ISUP courses simultaneously.
Exam schedules available on https:/​/​www.cbs.dk/​uddannelse/​international-summer-university-programme-isup/​course-and-exams
Make-up exam/re-exam
Same examination form as the ordinary exam
Retake exam: 72-hour home project assignment, max. 10 pages, new exam question.

Exam form for 3rd attempt (2nd retake): 72-hour home project assignment, max. 10 pages, new exam question.
Course content and structure

This course presents the concepts of information security presented in a systems engineering approach to provide managers with tools and understanding needed to allocate scarce security resources effectively. The course covers an introduction to security attributes and policies, threats, vulnerabilities, and risk managment concepts. A case study of the architecture of an enterprise security sytem is developed to include a needs analysis, levels of protection, detection strategies and correction/recovery with crisis manangement, risk analysis, and business continuity plans.


Preliminary assignment: Identify a company and a recent cybersecurity threat to be discussed in class

Class 1:What is Cybersecurity?
Class 2: Exploiting Threats and Vulnerabilities
Class 3: Risk Management 
Class 4: Planning for Security: Information Security Policies
Class 5: Planning for Security: Contingency Planning 
Class 6: Planning for Security: Disaster Recovery Plans

Feedback activity: The topic for the home assignment needs to be approved by the instructor. This assignment will be done individually.

Class 7: Planning for Security: Incident Response Plans
Class 8:Security Management Models
Class 9: Protection Mechanisms
Class 10: Personnel and Controls
Class 11: Developing a Security, Education, Training and Awareness Program

Description of the teaching methods
Lectures, Case-based teaching, Group discussion
Feedback during the teaching period
The students are required to present their proposal for the home assignment. The topic for the home assignment needs to be approved by the instructor. This assignment will be done individually.

All Home Project Assignments/mini projects are based uopn a research question (problem formulation) formulated by the students individually, and must be handend in to the course instructor for his/her approval no later than 11 July 2019. The instruction must approve the research question (problem formulation) no later than 16 July 2019. The approval is a feedback to the student about the instructor's assessment of the problem's relevance and the possibilities of producing a good report.
Student workload
Preliminary assignment 20 hours
Classroom attendance 33 hours
Preparation 126 hours
Feedback activity 7 hours
Examination 20 hours
Further Information

Preliminary Assignment: To help students get maximum value from ISUP courses, instructors provide a reading or a small number of readings or video clips to be read or viewed before the start of classes with a related task scheduled for class 1 in order to 'jump-start' the learning process.


Course timetable is available on https://www.cbs.dk/uddannelse/international-summer-university-programme-isup/courses-and-exams


We reserve the right to cancel the course if we do not get enough applications. This will be communicated on https://www.cbs.dk/uddannelse/international-summer-university-programme-isup/courses-and-exams end February 2019 at the latest.


Expected literature

Mandatory readings:


Class 1:What is Cybersecurity?

Garfinkel, S. (2012). Inside Risks: The Cybersecurity Risk. Communications of the ACM, 55(6), 29-32. doi:10.1145/​2184319.2184330

Gault, M. (2015). “The CIA Secret to Cybersecurity That No One Seems to Get,” Wired, accessed https:/​/​www.wired.com/​2015/​12/​the-cia-secret-to-cybersecurity-that-no-one-seems-to-get/​ 

Murphy, B., Boren, R., & Schlarman, S. (2000). Enterprise Security Architecture. Information Systems Security, 9(2), 18.


Class 2: Exploiting Threats and Vulnerabilities

Esteves, J., Ramalho, E., & De Haro, G. (2017). To Improve Cybersecurity, Think Like a Hacker. MIT Sloan Management Review, 58(3), 71-77.

A. Sadeghi et al. , (2017) Vulnerability and Security Risk Assessment of a Thermal Power Plant Using SVA Technique, Journal of Integrated Security Science 2017 (1) 16-28. 

Carolyn P. Meinel  (1998) “How Hackers Break In ... and How They Are Caught,”Scientific 

American, October 1998. 


Robert D. Austin and Chris A. R. Darby (2003) “The Myth of Secure Computing,” Harvard Business 

Review, June 2003, p. 140. 


Class 3: Risk Management 

Eirik Bjorheim Abrahamsen, Kenneth Pettersen, Terje Aven, Mareile Kaufmann & Tony Rosqvist (2017) A framework for selection of strategy for management of security measures, Journal of Risk Research, 20:3, 404-417, DOI: 10.1080/​13669877.2015.1057205

Pettigrew, J. & Ryan, J. (2012). Making Successful Security Decisions: A Qualitative Evaluation., IEEE Computer and Reliability Societies, January-February 2012.

Alan D. Smith, William T. Rupp, (2002) "Issues in cybersecurity; understanding the potential risks associated with hackers/crackers", Information Management & Computer Security, Vol. 10 Issue: 4, pp.178-183, https:// doi.org/​10.1108/​09685220210436976


Class 4: Planning for Security: Information Security Policies

Lambrinoudakis, C., et.al., (2003). Security requirements for e-government services: A Methodological Approach for Developing a Common PKI-based Security Policy, Computer Communications, 26, pp., 1873-1883.

NIST Policy Templates



Class 5: Planning for Security: Contingency Planning 

Cerullo, V., & Cerullo, M. J. (2004). Business Continuity Planning: A Comprehensive Approach. Information Systems Management, 21(3), 70-78.

Ives, B., & Junglas, I. (2006). Information Systems at Northrop Grumman Ship Systems Sector: The Hurricane Katrina Recovery. Communications of the Association for Information Systems, 18557-577.

Devargas, M. (1999). Survival is Not Compulsory: An Introduction to Business Continuity Planning. Computers & Security, 18(1), 35.

HBR Case: Austin, R., Leibrock, L., & Murray, A.  iPremier (A): Denial of Service Attack (Graphic Novel Version), Harvard Business Review, accessed from https:/​/​hbr.org/​product/​ipremier-co-a-denial-of-service-attack/​an/​601114-PDF-ENG?Ntt=iPremier 


Class 6: Planning for Security: Disaster Recovery Plans

Gupta, M., Chaturvedi, A., & Mehta, S. (2011). Economic Analysis of Tradeoffs Between Security and Disaster Recovery. Communications Of The Association For Information Systems, 281-16.

Powell, J. L. (1993). Rightsizing the IS department. Information Systems Management, 10(2), 81.

Harreld, H., & Fonseca, B. (2001). Guarding against cyberterrorism. Infoworld, 23(43), 34.

Feedback activity: In groups, students will apply concepts of cybersecurity to a case and present it to the class.


Class 7: Planning for Security: Incident Response Plans

Mitrof, I & Alpaslan, Murat (2003). “Preparing for Evil,” Harvard Business Review, 

Reddy, H., Venter, H.S. (2013). “The Architecture of a Digital Forensics Readiness Management System,” Computers and Security 32, pp. 73-89.

• http:/​/​csrc.nist.gov/​publications/​nistpubs/​index.html:

o SP 800-12 An Introduction to Computer Security: The NIST Handbook

o SP 800-26 Security Self-Assessment Guide for Information Technology Systems

o SP 800-30 Risk Management Guide for Information Technology Systems

o SP 800-34 Contingency Planning Guide for Information Technology Systems


Class 8:Security Management Models

• Handbook of Information Security Management:  


• International Information Security Management Systems Users Group:  http://www.xisec.com/

• Information Technology Security Management Code of Practice: 



Class 9: Protection Mechanisms

Barnes, Paul H., Charles, M., Branagan, M., and Alistair, K. (2007). “Intelligence and Anticipation: Issues in Security, Risk and Crisis Management,” International Journal of Risk Assessment & Management 7(8), pp. 1209- 1223.

• Activity: Case Study: IBM Zone Trusted Information Channel (ZTIC) URL: http:/​/​www.youtube.com/​watch?v=mPZrkeHMDJ8 (Discuss Authentication Factors - Authentication factors are classified into three groups: human factors (biometrics, for example, “something you are”), personal factors (“something you know”), and technical factors (“something you have”). 


Class 10: Personnel and Controls & Class 11: Developing a Security, Education, Training and Awareness Program

Davinson, N & Sillence, E. (2010) “It won’t happen to me: Promoting Secure Behavior Among Internet Users,” Computers in Human Behavior 26 pp 1739-1747.

Albrechtsen, E., Houden, J., (2009)., “ The Information Security Digital Divide Between Information Security Managers and Users. Computers & Security 28, pp., 476-490.

Additional Cases:


A Conversation with Yvette Smith, Microsoft General Manager for Global Customer Support and Services



Last updated on 10/12/2018