Info
Foto sezione
Logo Bocconi

Course 2019-2020 a.y.

20654 - STRATEGY AND GOVERNANCE FOR CYBER RISK

CYBER
Department of Management and Technology

Course taught in English

Go to class group/s: 25

CYBER (8 credits - II sem. - OB  |  3 credits SECS-P/07  |  5 credits SECS-P/08)
Course Director:
GIANLUCA SALVIOTTI

Classes: 25 (II sem.)
Instructors:
Class 25: GIANLUCA SALVIOTTI


Mission & Content Summary
MISSION

Cybersecurity is emerging as one of the most impacting area of technology and operational risk for modern organizations. Although executives and managers can count on various frameworks and collections of best practices for setting cyber risk governance, a one-size-fits-all approach is not recommended. To effectively govern cybersecurity, each organization needs to develop and execute its own strategy, based on a clear understanding of its goals, priorities, constraints and business relationships. The mission of this course is to provide students with the ability to design a framework for cyber risk governance aligned with the overall strategy of an organization, in order to prioritize the activities and maximize the return of cyber risk investments.

CONTENT SUMMARY

Part one: Understanding the organization and the environment for cyber risk governance. 

  • Understanding the environment for Cyber Risk Governance: cyber security analysis and threats,  issues in different industries, methods and tools to analyze the environment.
  • Corporate Governance & Corporate Strategy: how to read them and derive business drivers for Cyber Risk Governance.
  • Enterprise Risk Management, IT Governance & IT Risk Management: inputs for Cyber Risk Governance.
  • The 4 Domains of IT Risk: business disruption, relational, technology, governance.
  • Cyber Risk in the context of IT Risk Management: the IT Risk Simulation.

Part two: Cyber risk governance process, frameworks and tools. 

  • Setting-up the Cyber Risk Governance Process: three lines of defense.
  • Key roles and responsibilities.
  • Introduction to NIST Cybersecurity Framework.
  • Exploiting NIST Cybersecurity Framework.
  • Introduction to CobIT.
  • Implementing the NIST Cybersecurity Framework Using COBIT 5.
  • Other frameworks, tools and standards.

Part three: Cyber risk governance in action.

  • Cyber Risk Governance for critical infrastructures: energy, banking, transportation.
  • Interorganizational models and the role of the Intelligence.
  • Competencies and skills for Cyber Risk Governance.
  • Technologies and applications for Cyber Risk Governance: the role of AI.
  • Cloud, IoT, Blockchain and other new digital infrastructures.
  • Implementing the strategy for Cyber Risk Governance.

Intended Learning Outcomes (ILO)
KNOWLEDGE AND UNDERSTANDING
At the end of the course student will be able to...
  • Identify and represent the key cyber threats affecting the business landscape in different industries.
  • Interpret the main links between Corporate Governance, Enterprise Risk Management, IT Governance and IT Risk Management.
  • Position Cyber Risk Management and IT Risk Management.
  • Master the main frameworks and tools for Cyber Risk Governance.
  • Interact with executive and managers about the emerging trends and issues of Cyber Risk.
APPLYING KNOWLEDGE AND UNDERSTANDING
At the end of the course student will be able to...
  • Design a Cyber Risk Governance process aligned with the organization’s Environment, Corporate Governance, Enterprise Risk Management and IT Risk Management.
  • Derive, from the key framework and tools for Cyber Risk Governance, a specific approach for any kind of organization.
  • Implement a Cyber Risk Governance strategy with an open, collaborative and tech-savvy approach.

Teaching methods
  • Face-to-face lectures
  • Guest speaker's talks (in class or in distance)
  • Company visits
  • Case studies /Incidents (traditional, online)
  • Group assignments
  • Interactive class activities (role playing, business game, simulation, online forum, instant polls)
DETAILS
  • Guest speaker's talks (in class or in distance). Students have the chance to interact with experienced managers and executives dealing with Cyber Risk in order to discuss the main issues and trends in the field
  • Company visits. Company visits give students the opportunity to understand how critical infrastructures are organizing for Cyber Risk Governance, especially considering the complexity of their large IT infrastructures and facilities.
  • Case studies /Incidents (traditional, online). Discussions around relevant case studies build a common understanding of the topics introduced by the instructor.
  • Group assignments. A final group assignment give students the opportunity to discuss among peers and collaborate in the development of a Cyber Risk Governance plan for a company.
  • Interactive class activities (role playing, business game, simulation, online forum, instant polls). The IT Risk Simulation challenge students (divided into groups) in detecting the causes that have that led to major IT disasters in real cases.

Assessment methods
  Continuous assessment Partial exams General exam
  • Written individual exam (traditional/online)
  •   x  
  • Group assignment (report, exercise, presentation, project work etc.)
  • x x  
  • Active class participation (virtual, attendance)
  • x    
    ATTENDING STUDENTS

    With the purpose of measuring the Course expected learning outcomes, the assessment for attending students is based on:

    • A multiple-choice questionnaire on the first part of the course, aimed at testing:
      • Their knowledge about the key cyber threats.
      • Their capacity to link Corporate Governance, Enterprise Risk Management, IT Governance and IT Risk Management from a conceptual perspective.
      • Their ability to identify and position cyber risks within the broader concept of IT risk management.
    • A final group assignment on the second part of the course, specifically designed to measure the students’ ability to adapt the main frameworks and tools for Cyber Risk Governance to a specific organization in order to design a process aligned on the key pillars driving Cyber Risk strategy (organization’s Environment, Corporate Governance, Enterprise Risk Management and IT Risk Management).
    • Class participation and team assignments, since these two methods are crucial to understand and measure the acquisition of the ability to interact with executive and managers about the emerging trends and issues of Cyber Risk in order to build an open and collaborative approach to the course’s topics.
    NOT ATTENDING STUDENTS

    The assessment for not attending students is based on:

    • A multiple-choice questionnaire on the course, aimed at testing
      • Their knowledge about the key cyber threats.
      • Their capacity to link Corporate Governance, Enterprise Risk Management, IT Governance and IT Risk Management from a conceptual perspective.
      • Their ability to identify and position cyber risks within the broader concept of IT risk management.
      • Their knowledge of the main frameworks for cyber risk governance and strategy.
      • Their ability to align frameworks’ recommendations and best practices to address specific needs of different types of organizations.

    Teaching materials
    ATTENDING STUDENTS
    • P. TRIM, YANG-IM LEE, Cyber Security Management: A Governance, Risk and Compliance Framework, Routledge, 2016 (only selected chapters).

    • Cases, readings, slides, and other material available through Bboard.
    NOT ATTENDING STUDENTS
    Last change 06/06/2019 10:31