
2025/2026  KAN-CDIBV1001U  Cybersecurity: Risk in Business Management

English Title
Cybersecurity: Risk in Business Management

Course information

Language English
Course ECTS 7.5 ECTS
Type Elective
Level Full Degree Master
Duration One Semester
Start time of the course Autumn
Timetable Course schedule will be posted at calendar.cbs.dk
Max. participants 60
Study board
Study Board of Technology & Digitalisation
Course coordinator
  • Jan Lemnitzer - Department of Digitalisation (DIGI)
Main academic disciplines
  • Corporate governance
  • Information technology
  • Strategy
Teaching methods
  • Blended learning
Last updated on 17-03-2025

Learning objectives
At the end of the semester, students should be able to:
  • Reflect on the evolution of the cyber threat landscape and the ways in which this endangers the prosperity or survival of businesses
  • Analyse the specific cyber risks faced by any company and explain the steps businesses need to take to prepare for and manage this risk
  • Evaluate the trade-offs and strategic decisions that must be made when establishing a business’s cyber security posture and risk appetite
  • Account for the regulatory, political and technological developments that set the framework for business cyber security
  • Understand the role of cybersecurity in supply chains and why it is changing
  • Understand the roles and functions that the board and the managers of individual business units such as IT, compliance and operations have to fulfil to create and maintain a high level of company cybersecurity
  • Understand the concept of cybersecurity culture and why it depends both on the board as a role model and on employee awareness
Course prerequisites
Students wishing to take this course should have completed the course Cybersecurity, Regulation and Policy in Digital Business or a similar introductory course in cybersecurity.
Prerequisites for registering for the exam (activities during the teaching period)
Number of compulsory activities which must be approved (see section 13 of the Programme Regulations): 2
Compulsory home assignments
Each assignment is made individually.

The first task will be to write a draft cyber incident response plan (min. 5 pages) which sets out how the organization’s response will be organized if its networks are breached and who will be assigned to fulfill what tasks. Having such a document in place is a regulatory requirement in an increasing number of sectors. Students can base it on any company they know well.

The second task is to compile a draft company cyber security policy (min. 5 pages). Such documents explain a company’s general approach to cyber security and the procedures that all employees have to follow when accessing company networks or handling company data. Having such a document in place is a regulatory requirement in an increasing number of sectors. Students can base it on any company they know well.

Retake of both assignments:
If a student does not participate in one of the two compulsory assignments, or if a student does not get one of the submitted assignments approved, then the student can take part in the third round just before the ordinary exam date to complete the missing assignment. Students cannot submit two missing assignments in the third round.
Examination
Cybersecurity: Risk in Business Management:
Exam ECTS 7.5
Examination form Oral exam based on written product

In order to participate in the oral exam, the written product must be handed in before the oral exam, by the set deadline. The grade is based on an overall assessment of the written product and the individual oral performance; see also the rules about examination forms in the programme regulations.
Individual or group exam Individual exam
Size of written product Max. 5 pages
Assignment type Written assignment
Release of assignment The Assignment is released in Digital Exam (DE) at exam start
Duration
Written product to be submitted on specified date and time.
20 min. per student, including examiners' discussion of grade, and informing plus explaining the grade
Grading scale 7-point grading scale
Examiner(s) Internal examiner and second internal examiner
Exam period Winter
Make-up exam/re-exam
Same examination form as the ordinary exam
Description of the exam procedure

Students will be offered a choice of questions relating to the course content and learning aims and will prepare a written answer on one question of their choice (max. 5 pages). This paper will form the foundation of the oral examination.

Course content, structure and pedagogical approach

Over the last few years we have become used to learning in the news about a major company being hacked at least once a week. Even the largest companies struggle to keep up with the ever-changing threat from cyber criminals and state hackers. In smaller companies and organizations, board members and executives often feel overwhelmed by the complexity of the cyber threat and the emerging regulatory landscape. This is why business leaders consistently rank cyber security as one of their biggest worries in risk surveys, yet only a minority of companies are confident they have appropriate strategies in place to deal with the escalating threat from ransomware and other cyber attacks. However, given the huge impact a cyber attack can have on business performance and continuity, the status quo is increasingly seen as unacceptable.

This course will cut through the complexity of cybersecurity and look at how companies can achieve the right balance of security, cost and usability of their IT systems. We will establish what questions business leaders in large or medium-sized companies should ask their IT department, and how effective cyber security can be achieved in a small company or organization. Students will learn about the interplay of technical, commercial, organizational and legal considerations that have to be balanced to develop an appropriate company strategy to deal with cyber risk. This involves setting up an organization in a way that minimizes the risk of experiencing a cyber attack and ensures it is prepared to mitigate the damage and recover quickly if systems are breached. In addition, the course will cover new EU cybersecurity regulation that will require many companies to step up their efforts considerably – just as GDPR did for data protection. We will investigate what changes are coming, how they might be implemented and how the supply chain relationships between large and small companies will develop.

Students who complete this course will be able to assess the cyber security needs of any company and develop appropriate risk management strategies and policy guidelines. These skills are in high demand among employers who struggle to find candidates who have any understanding of cyber risk.

The course will use pre-recorded video lectures to introduce the subject matter and we will explore the topics in more depth in classroom discussions. The seminars will rely on active learning methods such as simulations and role-play to facilitate a good discussion, culminating in an incident response cyber war game. In addition, guest lecturers will provide insights on how leading Danish and international companies deal with the cyber risk to their IT systems and supply chains.

Students from all eligible programmes at CBS can sign up for this elective, and there are no formal prerequisites for this course.

Course structure:

  1. Cyber threat assessment: what is going on out there, and how dangerous is it?
    Methods used by state hackers and cyber criminals
    Risks faced by businesses or organisations
    The scale of the damage suffered by companies each year
  2. Cyber defence
    What measures can companies take to defend their networks against cyber threats?
    What are NIST security controls, and which ones should companies implement?
  3. Understanding and managing company cyber risk
    What does good company cyber risk management look like?
    What stakeholders are involved?
    How should boards handle cyber risk?
    What is the role of the IT department, and what does a CISO do?
  4. Preparing and managing incident response
    How do you prepare for a network breach, and how do you practise your response?
    What do you do when you have been breached, who do you call, what are your legal duties, who are your stakeholders?
    Is it smarter to just pay the ransom and move on?
  5. Cybersecurity culture, awareness and role-based training
    Who does staff awareness training, what is good practice and how do we know it works?
    What is cybersecurity culture, and does every company need it?
    Is spear-phishing your own employees a good idea or not?
    Should an IT department be trusted or feared?
  6. Measuring company cyber risk: risk monitoring, standards and insurance
    Do companies need cybersecurity insurance, and how does it work?
    How can cyber risk be measured and quantified?
    Cyber risk supply chain monitoring
    The physical side of cyber security
    What IT security standards exist, and should my company seek certification?
  7. Cyber security risk management for SMEs and startups
    How is cyber security risk management done in small companies?
    What do they need to improve (and remain in supply chains)?
    What level of cybersecurity does a startup need at the point of launching?
  8. EU cybersecurity regulation
    Discussion of the NIS 2 Directive and the role of ENISA
    What EU or national regulation exists in which sectors, and what do companies have to do to comply?
    NIS 2 and the expansion of ‘critical infrastructure’ and ‘essential services’
    Explaining the scale of the changes this new regulation and its cybersecurity requirements will mean for hundreds of thousands of businesses in the EU
  9. Implementing NIS 2
    What do companies have to do in practice to implement the requirements of the new Directive, and why do they struggle so often?
    What does a good implementation plan look like, and how can you make sure that the entire company cooperates in this endeavour?
  10. Supply chain cybersecurity
    Why has supply chain cybersecurity become such a hot topic in recent years?
    How do criminals and state hackers exploit the supply chain to infiltrate well-protected targets?
    How can companies manage these risks, especially if they have hundreds of suppliers?
  11. Cyber war game
    Tabletop exercise simulating a cyber attack and the response to it

Research-based teaching
CBS’ programmes and teaching are research-based. The following types of research-based knowledge and research-like activities are included in this course:
Research-based knowledge
  • New theory
  • Teacher’s own research
  • Models
  • Monitor and discuss research developments in the field
Research-like activities
  • Analysis
  • Discussion, critical reflection, modelling
  • Activities that contribute to new or existing research projects
Description of the teaching methods
The course will use pre-recorded online lectures to introduce the subject matter and classroom discussions to explore it in more depth.
The seminars will rely on active learning methods such as simulations and role-play to facilitate a good discussion, culminating in an incident response cyber war game.
Feedback during the teaching period
After each written assignment, the teacher will provide collective feedback on issues students should bear in mind or work on until the exam.
Student workload
Lectures 24 hours
Workshops/classes 24 hours
Reading/Preparation 100 hours
Assignment writing 58 hours
Expected literature

The literature will be shared via Canvas before the semester starts. Due to the fast-changing nature of the field, additions and changes may be made throughout the course – these will always be communicated via Canvas. Students are advised to check the syllabus on Canvas before they buy any material.

Sample literature:

Sean Joyce and Friso Van der Oord, Principles for Board Governance of Cyber Risk, Harvard Law School Forum on Corporate Governance, 10 June 2021

Uchendu et al., Developing a cyber security culture: Current practices and future needs, Computers and Security (October 2021)

Laura Kocksch and Torben Elgaard Jensen, "Good" Organizational Reasons for "Bad" Cybersecurity – an Ethnographic Study of 30 Danish SMEs, Aalborg University 2023

Various EU regulations such as NIS 2 and IT security standards such as NIST, ISO 27001 and Cyber Essentials (UK).
