UNIVERSITY OF WISCONSIN-MILWAUKEE
School of Information Studies
INFOST (784) – Information Security Management
Instructor: Dr Jacques du Plessis
Email: jacques@uwm.edu
Phone: 414.229.2856
Office Hours: Online: email, phone, web chat
Meeting Times: Online Asynchronous
Investigation of key aspects of information security management such as policy, risk analysis and management, education and awareness training, legal compliance, ethical and legal conduct. 3 credits.
This course prepares the graduate student to employ the theoretical and conceptual underpinnings to improve information security behavior and develop skills in a work-related context in private, public or government enterprises. The course is designed to assess decisions and policies to improve information security management. The academic engagement will cover the following topics: (i) policy development, (ii) risk analysis and management, (iii) security information dissemination, education and awareness training, (iv) legal compliance, and (v) ethical and legal conduct. Students will be prepared to reflectively respond to the human factors of information security management.
Graduate Student Status;
InfoSt 583 completed.
Software: Word processing - (GoogleDocs/MSWord/OpenOffice), Audio and Video Editing (Free: Audacity/Lightworks; or Commercial: e.g. Camtasia; UWM: Kaltura CaptureSpace Lite)
Hardware: Computer OS - Windows, Mac, Linux; Video Hardware: Webcam, Camcorder, or Smartphone
Equipment: Optional - Microphone, Pop filter, Lighting for video recording
Skills: Recorded Oral Presentation - You need to be able to make a video recording of yourself and present it online. You must be able to edit your video and upload it online (such as your SOIS web location, YouTube, Vimeo, etc). The focus is on your presentation. You may use the technical support of others.
Upon completion of the course, students will be able to:
Week Time Allocation, Topics, and Objectives
[1:00] Lecture
[0:30] Ch1 - Zinatullin: Introduction
[1:00] Readings: Social Engineering
[0:42] Video: DefCon 21: Social Engineering
[2:00] Research Questions: Human behavior and InfoSec
[0:52] Video: Human behavior and information security
[2:00] Research Questions: Social Engineering
[1:00] Assignment: Participate in unit discussions
[9:04] Total Time Commitment (Approx.)
[1:00] Lecture
[0:40] Ch2 - Zinatullin: Risk Management
[0:50] Ch3 - Zinatullin: Complexity of Risk Management
[2:20] Video: InfoSec Risk Management
[0:40] Readings: Risk Management
[2:00] Research Questions: InfoSec Risk Management
[2:00] Assignment: Participate in unit discussion
[8:10] Total Time Commitment (Approx.)
[1:00] Lecture
[0:50] Ch4 - Zinatullin: Stakeholders & Communication
[0:41] Video: Stakeholder Communication
[1:00] Readings: Lines of Communication
[1:00] Readings: Awareness Training; Education
[2:00] Research Questions: Awareness Training; Education
[2:00] Assignment: Participate in unit discussion
[8:31] Total Time Commitment (Approx.)
[0:50] Lecture
[1:00] Ch5 - Zinatullin: Information Security Governance
[1:00] Ch1 - Landoll: Introduction
[1:00] Ch2 - Landoll: Information Security Policy Basics
[1:00] Ch3 - Landoll: Information Security Policy Framework
[0:15] Video: InfoSec Governance (Part 1)
[0:15] Video: InfoSec Governance (Part 2)
[0:12] Video: InfoSec Governance (Part 3)
[0:14] Video: InfoSec Governance (Part 4)
[0:06] Video: InfoSec Governance (Part 5)
[2:00] Research Questions: InfoSec Governance
[2:00] Assignment: Participate in unit discussion
[9:52] Total Time Commitment (Approx.)
[1:00] Lecture
[0:40] Ch4 - Landoll: Information Security Policy Details
[0:40] Ch5 - Landoll: Information Security Procedures and Standards
[1:00] Ch6 - Zinatullin: Problems with Policies
[0:55] Video: InfoSec Policy Development
[2:00] Research Questions: Policy Management
[2:00] Assignment: Participate in unit discussion
[8:15] Total Time Commitment (Approx.)
[1:00] Lecture
[1:00] Ch7 - Zinatullin: Decision Making from a Managerial Perspective
[0:15] Video: Cyber and the Board
[1:00] Ch8 - Zinatullin: User Decision Making
[1:00] Research Questions: Decision Making
[2:00] Assignment: Participate in unit discussion
[8:15] Total Time Commitment (Approx.)
[1:00] Lecture
[1:00] Ch9 - Zinatullin: Security and Usability
[0:30] Video: Security and Usability
[2:00] Research Questions: Usability
[2:00] Assignment: Participate in unit discussion
[6:30] Total Time Commitment (Approx.)
[1:00] Lecture
[1:00] Ch10 - Zinatullin: Security Culture
[0:50] Video: Creating a Culture of Information Security
[1:00] Readings: Ethical Aspects
[0:04] Video: Computer Ethics
[0:40] Video: Computer Security Ethics
[1:00] Research Questions: Security Culture
[1:00] Research Questions: Ethics in InfoSec
[2:00] Assignment: Participate in unit discussion
[8:34] Total Time Commitment
[1:00] Lecture
[1:00] Ch11 - Zinatullin: Psychology of Compliance
[1:00] Readings: Legal Compliance
[2:30] Video Research
[2:00] Research Questions: Usability
[2:00] Assignment: Participate in unit discussion
[9:30] Total Time Commitment (Approx.)
[1:00] Lecture
[1:00] Ch12 - Zinatullin: Changing the Approach to Security
[4:00] Schein: The Corporate Culture Survival Guide
[0:25] Video: Changing the Mindset
[0:50] Video: Change the Culture, Change the Game
[1:00] Research Questions: Changing the Culture
[2:00] Assignment: Participate in unit discussion
[10:15] Total Time Commitment (Approx.)
[1:00] Ch6 - Landoll: Information Security Policy Projects
[4:00] Assignment: Participate in unit discussion - Case Study
[2:00] Assignment: Oral Presentation Preparation
[7:00] Total Time Commitment (Approx.)
[6:00] Assignment: Fieldwork Report
[2:00] Assignment: Participate in unit discussion - Case Study
[1:00] Assignment: Oral Presentation Preparation
[9:00] Total Time Commitment (Approx.)
[6:00] Assignment: Fieldwork Report
[3:00] Assignment: Oral Presentation Preparation
[9:00] Total Time Commitment (Approx.)
[6:00] Assignment: Fieldwork Report
[2:00] Assignment: Oral Presentation
[2:00] Assignment: Unit Discussion on Oral Reports
[10:00] Total Time Commitment (Approx.)
[6:00] Assignment: Fieldwork Report Submission
[10:00] Total Time Commitment (Approx.)
[141:46] Total SEMESTER Time Commitment (Approx.)
Rules of academic conduct require that you not use the work of others without clearly indicating it as such. You may not resubmit work that has already been used in fulfillment of the requirement of this or any other course. Academic misconduct may result in a lowered grade, no credit for a given assignment, or removal from the course. It is expected students will consult and appropriately cite the research and professional literature where merited. This means citing a variety of credible sources. Limiting yourself to an online source like Wikipedia as the entirety of your research efforts is unacceptable. Grades will also be reduced for papers that include irrelevant content to “fill up space” with large white spaces, or language that is void of value, just to meet the length specifications for a paper.
Written assignments are due on the specified date. Late work is not accepted unless an emergency is involved, in which case the student must contact the instructor as soon as possible. Papers are to be double-spaced using a 12-point kerned font such as Times New Roman with 1-inch margins. Rely on a commonly used style manual for your submissions (e.g. Turabian, Chicago, APA, MLA). These are available in the Library or UWM Bookstore or may be purchased through online book vendors.
DISCUSSION PARTICIPATION (26%):
Participation will be based on your regular and substantive weekly contributions in online discussions for units 1 – 12, and 14. Students are expected to engage in the online discussion on a weekly basis to interact with class members — to share findings, raise questions and insert new subtopics, specifically on the course objectives in bold on the Course Schedule. Absence from a unit's discussion will lower the student’s participation grade by two overall percentage points.
Oral Assignment Grading Rubric:
The two exams will be your documented reflections based on the questions for each of the 10 sections, each with its specific targeted learning outcomes.
Midterm: Units 1 - 6 are due as indicated on the CALENDAR page.
Final: Units 7 - 10 are due after week 14 on the CALENDAR page.
The instructor will arrange for collaboration with local companies. You are allowed to seek to work with a company of your choice. You will focus on either COMPLIANCE or POLICY. You will gather information about the chosen enterprise, and your fieldwork report will be an analysis of either compliance or policy. In order to be effective, you will first research best practices, then do an assessment of the company to evaluate how they got to their current status and what their future plans are. Based on the information they provide, you will make your own assessments of how well they are meeting expectations. It is advisable to make a rubric by which you can make your assessments. Confirm their achievements and highlight recommended improvements and what it would take to act on such items. Make sure that you change names and places and any identifying information to protect the image of the company. You will not be required to sign a non-disclosure agreement. For consideration: HR issues, management styles, awareness, political will, financial priorities, current commitments and future plans. The final report is to be at minimum 7 pages double-spaced with at least 12 references in the bibliography. You have to go beyond the ability to gather sources and synthesize the findings. Your own reflection is essential. It is your voice in your work that has to become clear.
Plagiarism Policy: If you are found guilty of plagiarism, depending on the case, you risk getting a failing grade for the course.
Topic Focus
Address one of the following:
Training: How to change behavior in the enterprise.
Awareness: How to improve awareness of an important security issue. Ensure it empowers the audience to change behavior.
Leadership: Present an issue to the enterprise leadership to persuade them to do differently. The "do differently" could be to hire a specific security-related position. It could be to address a vulnerability. It could be to provide infrastructure and effectively support the person on the team to change behavior. It could be to purchase equipment and/or software and/or tools to avoid risk, or to mitigate risk, or to respond to an event (disaster recovery). Reflect throughout the semester about typical mistakes in communicating and execution. Interview practitioners. Bring insightful wisdom and knowledge to the table.
If you are addressing leadership, do a thorough analysis on paper of your approach, so that you can be systematic and to the point. The most common weakness in a presentation is to take forever to get to the point. Some of the following might help you in this process: clarify the context, like:
Technical Expectations:
EXCELLENT
4 ⇦ i. Succinct/pithy;
ii. Clear description of the issue;
iii. Within 2 minutes
5 ⇦ Elaborates on all reasonable approaches with credible insight (breadth and depth) about the merits and issues of alternative approaches.
5 ⇦ Clarity and a convincing voice in breadth and/or depth of the conclusions reached.
Totals Presenting: 14%
2 ⇦ The quality of the video appears fresh and crisp.
2 ⇦ The quality of the audio sounds fresh and crisp.
2 ⇦ The quality of the edits feels professional.
ACCEPTABLE
3 ⇦ Deficient in one of the three areas:
i. Succinct/pithy;
ii. Clear description of the issue;
iii. Within 2 minutes
4 ⇦ Lacking some breadth or depth in presenting the merits or issues of alternative approaches.
4 ⇦ Lacking some breadth and/or depth of the conclusions reached.
1.5 ⇦ The video quality does not draw attention to itself.
1.5 ⇦ The audio quality does not draw attention to itself.
1.5 ⇦ The edits do not draw attention to themselves.
NEEDS IMPROVEMENT
2 ⇦ Deficient in two of the three areas:
i. Succinct/pithy;
ii. Clear description of the issue;
iii. Within 2 minutes
3 ⇦ Clear deficiency in breadth and/or depth of the presented merits or issues of alternative approaches.
3 ⇦ Clear deficiencies in breadth and/or depth of the conclusions reached.
1 ⇦ The video quality does draw some attention to itself.
1 ⇦ The audio quality does draw some attention to itself.
1 ⇦ The edits draw some attention to themselves.
DEFICIENT
1 ⇦ Deficient in all three areas:
i. Succinct/pithy;
ii. Clear description of the issue;
iii. Within 2 minutes
1 ⇦ Stark deficiency in breadth and depth of the presented merits or issues of alternative approaches.
1 ⇦ Stark deficiencies in breadth and depth of the conclusions reached.
0 ⇦ The video quality is clearly inadequate and will not be acceptable in a professional setting.
0 ⇦ The audio quality is clearly inadequate and will not be acceptable in a professional setting.
0 ⇦ The edits are clearly inadequate and will not be acceptable in a professional setting.
A (100-96) A- (95-91)
B+ (90-87) B (86-84) B- (83-80)
C+ (79-77) C (76-74) C- (73-70)
D+ (69-67) D (66-64) D- (63-60)
F (Below 60)
UWM policies and resources to all students. Follow 'Syllabus Links' at: http://uwm.edu/secu/wp-content/uploads/sites/122/2016/12/Syllabus-Links.pdf
Panther Planner and Undergraduate Student Handbook useful to undergrads: http://www4.uwm.edu/dos/student-handbook.cfm
Master's Toolbox (For master's students): http://uwm.edu/graduateschool/masters-toolbox/
SOIS FAQ, Forms, Policies: https://uwm.edu/informationstudies/resources/faqs/