Risk and information management

Module specification

Risk assessments are used to identify, estimate, and prioritize risk to organisational operations (i.e., mission, functions, image, finance and reputation), organisational assets, individuals and other organisations, resulting from the operation and use of information systems.

In order to assess risk, the systems need to be explored for weaknesses, either technical or social. Reconnaissance methods emulate those of attackers.

This module examines:

• the methods and roles of those involved in attacking systems
• analysing system weaknesses
• assessing the associated risks and managing them

You will cover:

• the role of information security awareness and training
• behavioural analysis and security culture management in maintaining good information security
• the motivations and ways of thinking of different classes of threat actors, criminal intent, activism, state actors, hackers, and how this drives the behaviour of the threat actors
• tailoring mitigations for the different classes of threat actor
• social engineering and phishing
• insider threat
  • malicious intent and human error
• usable security
• creation of a reasoned argument employing evidence to support a position
• how threat actors’ actions appear in typical sources of information
• sourcing intelligence ethically so that it may be used as required
• methods attackers/threat actors may use to build knowledge of a system they have limited or no direct access to, such as:
  • phishing
  • exploiting an insider
  • port scanning
• open source intelligence
• asset valuation and management concepts
• risk analysis methodologies in common use
• risk appetite and risk tolerance concepts
• economics of security concepts
• different ways of treating risk (mitigate, transfer, accept etc.)
• principles of system risk modelling a system risk modelling methodology
• an enterprise modelling technique such as UML
• risk assessment and risk management methodologies
• approaches to risk treatment (mitigate, transfer, accept, etc.)
• risk management in practice
  • examples such as technical, business process, or other
• description of risk in qualitative, quantitative, or mixed terms
• role of risk owner, contrasting role with other stakeholders

The full assignment brief will be placed here when it is issued

Issued: End of block release week 2

Due: Start of block release week 3

Apprentices will be provided with a case study of a system (in document and physical form) for them to perform a complete risk assessment. They will submit a notebook of their findings and methods, which will inform a 30 minute oral examination of their work. This assessment also serves as a preparation for an End-Point-Assessment.

Issued: End of block release week 3

Due: Start of block release week 1 of next module

Apprentices will undertake a research-based assignment in which they investigate the (theoretical) roles and actions that people play in cyber security, both beneficial and harmful. They will write a 1500 word report on their findings.

All assignments will be submitted and feedback given on the UWE Blackboard system

Link

All questions about this module should be directed to the module leader.

Please contact via email, which is monitored continuously