2022/2023 KAN-CBUSV1707U Cybersecurity: Risk in Business Management (B)

English Title: Cybersecurity: Risk in Business Management (B)

Course information
Language: English
Course ECTS: 7.5 ECTS
Type: Elective
Level: Full Degree Master
Duration: One Semester
Start time of the course: Autumn
Timetable: Course schedule will be posted at calendar.cbs.dk
Max. participants: 60
Study board: BUS Study Board for BSc/MSc in Business Administration and Information Systems, MSc
Course coordinator:
Main academic disciplines:
Teaching methods:
Last updated on 01-02-2022
Relevant links:
Learning objectives
At the end of the semester, students should be able to:
Prerequisites for registering for the exam (activities during the teaching period)
Number of compulsory activities which must be approved (see section 13 of the Programme Regulations): 2

Compulsory home assignments
Each assignment is made individually.

The first task will be to compile a draft company cyber security policy (min. 5 pages). Such documents explain a company's general approach to cyber security and the procedures that all employees have to follow when accessing company networks or handling company data. Having such a document in place is a regulatory requirement in an increasing number of sectors. Students can base it on any company they know well.

The second task is to write a draft cyber incident response plan (min. 5 pages) which sets out how the organization's response will be organized if its networks are breached and who will be assigned to fulfill what tasks. Having such a document in place is a regulatory requirement in an increasing number of sectors. Students can base it on any company they know well.

Retake of both assignments: If a student cannot participate in one or two of the compulsory activities due to documented illness, or if a student does not get the activities approved in spite of making a real attempt, then the student will be given an extra attempt before the ordinary exam date. This extra attempt will be a written response to a set question relating to company cyber security (min. 5 pages).
Examination
Course content, structure and pedagogical approach
Over the last two years we have become used to learning in the news about a major company being hacked at least once a week. Even the largest companies struggle to keep up with the ever-changing threat from cyber criminals and state hackers. In smaller companies and organizations, board members and executives often feel overwhelmed by the complexity of the cyber threat and the emerging regulatory landscape. This is why business leaders consistently rank cyber security as one of their biggest worries in risk surveys, yet only a minority of companies are confident they have appropriate strategies in place to deal with the escalating threat from ransomware and other cyber attacks. However, given the huge impact a cyber attack can have on business performance and continuity, the status quo is increasingly seen as unacceptable.

This course will cut through the complexity of cybersecurity and look at how companies can achieve the right balance of security, cost and usability of their IT systems. We will establish what questions business leaders in large or medium-sized companies should ask their IT department, and how effective cyber security can be achieved in a small company or organization. Students will learn about the interplay of technical, commercial, organizational and legal considerations that have to be balanced to develop an appropriate company strategy to deal with cyber risk. This involves setting up an organization in a way that minimizes the risk of experiencing a cyber attack and ensures it is prepared to mitigate the damage and recover quickly if systems are breached.

In addition, the course will cover upcoming EU cybersecurity regulation that will require many companies to step up their efforts considerably – just as GDPR did for data protection. We will investigate what changes are coming, how they might be implemented and how the supply chain relationships between large and small companies will develop.

Students who complete this course will be able to assess the cyber security needs of any company and develop appropriate risk management strategies and policy guidelines. These skills are in high demand among employers, who struggle to find candidates who have any understanding of cyber risk.

The course will use pre-recorded video lectures to introduce the subject matter, and we will explore the topics in more depth in classroom discussions. The seminars will rely on active learning methods such as simulations and role-play to facilitate a good discussion, culminating in an incident response cyber war game. In addition, guest lecturers will provide insights on how leading Danish and international companies deal with the cyber risk to their IT systems and supply chains.

Students from all eligible programmes at CBS can sign up for this elective, and there are no formal prerequisites for this course. The course complements KAN-CBUSV2033U Business Cyber Security: Analyzing and responding to threats in a digital world (B). That course has a more pronounced technical perspective, while we will focus on business management and understanding the regulatory and political environment. Both courses can also be taken independently of each other.
Course structure:

What stakeholders are involved? How should boards handle cyber risk? What is the role of the IT department, and what does a CISO do?

3. Preparing and managing incident response
How do you prepare for a network breach, and how do you practice your response? What do you do when you have been breached, who do you call, what are your legal duties, who are your stakeholders? Is it smarter to just pay the ransom and move on?

4. EU cybersecurity regulation (I): the present
That is why EU Cybersecurity Regulation is both important and complex. Discussion of the NIS Directive and the role of ENISA. What EU or national regulation exists in which sectors, and what do companies have to do to comply?

5. EU cybersecurity regulation (II): what will happen next?
NIS 2 and the expansion of 'critical infrastructure' and 'essential services'. Explaining the scale of the changes this new regulation and its cybersecurity requirements will mean for hundreds of thousands of businesses in the EU. Cyber Resilience Act (digital product security). EU certification schemes. How are all these new rules going to be implemented in Denmark and elsewhere?

6. Measuring company cyber risk: risk monitoring, standards and insurance
Do companies need cybersecurity insurance, and how does it work? How can cyber risk be measured and quantified? Cyber risk supply chain monitoring. The physical side of cyber security. What IT security standards exist, and should my company seek certification?

7. Cyber security risk management for SMEs and startups
How is cyber security risk management done in small companies? What do they need to improve (and remain in supply chains)? Could cyber security be a business opportunity for startups?

8. Cyber security risk and critical infrastructure
Threatened by cyber crime gangs and state actors alike, what is being done to protect the pillars of Danish society from cyber risk? Is there a difference between publicly owned and privately owned critical infrastructure? What does the National Cyber Security Centre do?

9. Cyber war game
Tabletop exercise simulating a cyber attack and the response to it.

10. Cybersecurity awareness and role-based training
Who does staff awareness training, what is good practice and how do we know it works? Is spear-phishing your own employees a good idea or not? Should an IT department be trusted or feared? How could gamification help?

11. The future of cyber risk
What will change once cyber security or the entire business moves to the cloud? What will be the impact of AI or 5G and IoT on cyber security? Can cyber risk ever be tackled effectively? What should companies do today to prepare for future risks?

12. Cyber security risk as an international issue: the UN meets Big Tech
Cybersecurity at the United Nations.
Description of the teaching methods
The course will use pre-recorded online lectures to introduce the subject matter and classroom discussions to explore it in more depth. The seminars will rely on active learning methods such as simulations and role-play to facilitate a good discussion, culminating in an incident response cyber war game.
Feedback during the teaching period
After each written assignment, the teacher will provide collective feedback on issues students should bear in mind or work on until the exam.
Student workload
Expected literature
The literature will be shared via Canvas before the semester starts. Due to the fast-changing nature of the field, additions and changes may be made throughout the course – these will always be communicated via Canvas. Students are advised to check the syllabus on Canvas before they buy any material.

Sample literature:
Rothrock, Kaplan et al., 'The Board's Role in Managing Cybersecurity Risks', MIT Sloan Management Review, Vol. 59, Issue 2 (Winter 2018), pp. 12-15.
Krueger and Brauchle, 'The European Union, Cybersecurity, and the Financial Sector: A Primer', Carnegie Endowment paper series, 16 March 2021.
Various EU regulations such as NIS 2 and IT security standards such as NIST, ISO 27001 and Cyber Essentials (UK).