Organizational and Human Aspects of Information Security
2014-2015 - IMT4671 - 5 ECTS

On the basis of

Basics in awareness and risk management

Expected learning outcomes

The student is expected to have insight into:

  • Corporate organizations and policies, and how the security is embedded into organization, processes and corporate documentation framework.
  • Practical awareness and the ability to plan a corporate awareness campaign.
  • Security culture and its meaning for corporations.
  • Security planning in an unfriendly environment.
  • Security strategy, security innovation process and its implementation.
  • An understanding of, and practice in, presentations in front of management: the student knows how to argue for security and to whom to sell it.

Knowledge

  • The candidate will have a sound knowledge of corporate organizations and policies, and how the security is embedded into organization, processes and corporate documentation framework.
  • The candidate possesses thorough knowledge of practical awareness and the ability to plan a corporate awareness campaign.
  • The candidate knows about security culture and means to measure and change the culture.
  • The candidate will have a sound knowledge of security strategy, security innovation process and its implementation.

Skills

  • The candidate will be able to plan the set of required security documentation and to implement an enterprise-specific security organization and security policies.
  • The student will be able to describe a target security culture and to make an implementation plan for a turnaround.
  • The candidate is capable of planning a corporate awareness campaign.

General competence

  • The candidate is capable of distinguishing between responsibility and delegation. The student will be able to provide security in an unfriendly environment with budget constraints and a “lack of enthusiasm” for security.
  • The candidate is capable of presenting successfully in front of management: the student knows how to argue for security and to whom to sell it.

The course will provide the student with the foundation required for implementing security and awareness systems in corporations and for research in this field.

Topic(s)

Part I Introduction :

  • Social networks and the power to the people
  • The roles of corporate positions: Everyone makes a difference

Part II Organisational issues

  • Incidents and crises: There’s no such thing as an isolated incident
  • Whom you can trust: Applied trust and identity in organizational management
  • Managing organization, culture and politics

Part III Changing the organization

  • Designing effective awareness programs
  • Transforming organization, attitudes and behavior
  • Gaining executive board and business buy-in

Teaching Methods

Other

Teaching Methods (additional text)

Term paper with presentation at the end of the term, readings and homework, textbook, PowerPoint, video examples, business and scientific papers, computer-based training, repetition forms

The course will be made accessible for both campus and remote students. Every student is free to choose the pedagogic arrangement that best fits her/his own requirements. The lectures in the course will be given on campus and are open to both categories of students. All the lectures will also be available on the Internet through GUC’s learning management system (Fronter).

Form(s) of Assessment

Other

Form(s) of Assessment (additional text)

One grade consisting of:

  • Oral exam (individually), 2/3
  • Term paper, 1/3
  • The fine-grained grade is rounded by the professor.

25 minutes oral examination.

Hand-in task term paper.

Grading Scale

Alphabetical Scale, A(best) – F (fail)

External/internal examiner

Evaluated by the lecturer. An external examiner will be used every 4th year. Next time in the academic year 2017/2018.

Re-sit examination

25 minutes oral and term paper

Teaching Materials

http://www.amazon.co.uk/Managing-Human-Factor-Information-Security/dp/0470721995 by David Lacey

Additional material will be provided on Fronter.

Additional information

Who should attend?
Anybody who recognizes that information security is a people and cultural issue, besides being a fundamental technology and procedural issue. This course will provide information for performing better as an information security officer, regardless of whether you are entering the security office as a newcomer or have many years of experience.
More than 15 years of experience in consulting high-level security officers and in designing and teaching courses for this community will enrich the discussions. True stories and mini cases will make the lectures vivid.

About the lecturer

Bernhard M. Haemmerli (master’s and PhD from ETH Zurich) was elected a full professor in 1992 at the University of Applied Sciences in Lucerne. He built up the computer science curriculum at this university and arranged an executive master’s degree in information security, CCNA, CCNP and Green-IT certification courses as well as the Master of Advanced Studies in IT Network Management.
Furthermore, he offers consulting services (www.acris.ch, website available in English) for governments, industries and service companies in information security, critical information infrastructure protection and related topics. He has run many conferences on these topics.
Furthermore, he is president of the Swiss Informatics Society (2009-2014).

More about the lecturer: http://en.wikipedia.org/wiki/Bernhard_M._H%C3%A4mmerli