Info
Foto sezione
Logo Bocconi

Course 2022-2023 a.y.

20654 - STRATEGY AND GOVERNANCE FOR CYBER RISK

CYBER
Department of Management and Technology

Course taught in English

Go to class group/s: 25

CYBER (8 credits - II sem. - OB  |  3 credits SECS-P/07  |  5 credits SECS-P/08)
Course Director:
GIANLUCA SALVIOTTI

Classes: 25 (II sem.)
Instructors:
Class 25: GIANLUCA SALVIOTTI


Lezioni della classe erogate in presenza

Mission & Content Summary
MISSION

Cybersecurity is emerging as one of the most impacting area of technology and operational risk for modern organizations. Although executives and managers can count on various frameworks and collections of best practices for setting cyber risk governance, a "one-size-fits-all" approach is not recommended. To effectively govern cyber risk, each organization needs to design and execute a cyber strategy connected to current and perspective business models, priorities, constraints and business relationships. The mission of this course is to provide students with the capability to design a framework for cyber risk governance and strategy aligned with the overall digital transformation strategy of an organization, in order to properly prioritize the activities and maximize the returns of cyber risk investments.

CONTENT SUMMARY

Part 1| Understanding the context for cyber risk governance and strategy.  

  • Cyber Risk Governance (CRG) as a new field.
  • CRG, Corporate Governance, Enterprise Risk Management, IT Risk Management, IT Governance.
  • Building Organizational Cybersecurity Risk Awareness and Capability.
  • Business Strategy in the era of Digital Transformation: how to derive business drivers for Cyber Risk Governance and Strategy.
  • Identifying the crown jewels in transforming organizations: the Real Madrid Case Study.
  • Identifying the crown jewels in transforming organizations: the GE Case Study.
  • Linking Business Strategy to Cyber Risk Strategy.

 

Part 2 | Cyber risk governance processes, frameworks and tools. 

  • Introduction to Corporate Governance and Board Responsibilities.
  • Cyber Risk Governance: Board Responsibilities.
  • Simulation: Build a Cybersecurity Toolkit for Your Board
  • Cyber Risk Governance: from Board Responsibilities to other Leadership Structures, Processes, and Mechanisms.
  • Removing vulnerabilities through people and culture.
  • CISO Metrics & Reporting. Cyber Risk Governance Indicators: KPI and KRI.
  • Simulation: Your first 90 days as CISO

 

Part 3 | Cyber risk strategy in action.

In Part 3 students will have the chance to directly interact with the global community of CISOs and discuss with them the current trends 

related to cyber risk governance and strategy:

  • Current Challenges in Cybersecurity
  • Organization, Leadership and Competences
  • Risk Governance, Metrics, and Board Relationships
  • Security Operations
  • The human challenge
  • Product Security, OT and IoT 
  • 3rd Parties, Vendors and the Cloud

 


Intended Learning Outcomes (ILO)
KNOWLEDGE AND UNDERSTANDING
At the end of the course student will be able to...
  • Interpret the main links between Corporate Governance, Enterprise Risk Management, IT Governance, IT Risk Management and Cyber Risk Governance.

  • Align Digitalization and Digital Transformation strategies to Cyber Risk Governance and strategy.

  • Engage Board Members and Executives according to their responsibilities on Cyber Risk Governance and Strategy.

  • Promote a culture of Cyber Risk within the organization.

  • Master the main frameworks and tools for Cyber Risk Governance.

APPLYING KNOWLEDGE AND UNDERSTANDING
At the end of the course student will be able to...
  • Design a Cyber Risk Governance process aligned with the organization’s Corporate Governance, Enterprise Risk Management IT Governance and IT Risk Management.

  • Derive, from the key frameworks and tools for Cyber Risk Governance, a specific approach to protect the organization.

  • Implement a Cyber Risk Governance and a Cyber Risk Strategy with an open, collaborative and tech-savvy approach.

  • Build a measurement system for Cyber Risk.

  • Build a Cyber Risk Roadmap with budget constraints.

  • Interact with experienced CISOs about the emerging trends and issues of Cyber Risk.


Teaching methods
  • Face-to-face lectures
  • Online lectures
  • Guest speaker's talks (in class or in distance)
  • Case studies /Incidents (traditional, online)
  • Group assignments
  • Interactive class activities (role playing, business game, simulation, online forum, instant polls)
DETAILS
  • Guest speaker's talks (in class or in distance). Students have the chance to interact with experienced managers and executives dealing with Cyber Risk in order to discuss the main issues and trends in the field
  • Online Lectures. Asynchronous and synchronous Online Lectures to introduce concpets that will be applied throuh case studies, assignments and simulations.
  • Case studies /Incidents (traditional, online). Discussions around relevant case studies build a common understanding of the topics introduced by the instructor.
  • Group assignments. A final group assignment give students the opportunity to discuss among peers and collaborate in the development of a Cyber Risk Governance plan for a company.
  • Interactive class activities (role playing, business game, simulation, online forum, instant polls). The IT Risk Simulation challenge students (divided into groups) in detecting the causes that have that led to major IT disasters in real cases.

Assessment methods
  Continuous assessment Partial exams General exam
  • Written individual exam (traditional/online)
  •   x x
  • Group assignment (report, exercise, presentation, project work etc.)
  • x x  
  • Active class participation (virtual, attendance)
  • x    
    ATTENDING STUDENTS

    With the purpose of measuring the Course expected learning outcomes, attending students will be evaluated according to their capability to translate the key concepts and tool into actions. The Course will be taught in a very pragmatic way, this is why Attending Students will be asked to work on the following practice-oriented outputs.

    1. A group assignment on the first part of the course, aimed at

    • assessing the capability to align Digitalization and Digital Transformation strategies to the Cyber Risk Governance and strategy;
    • testing the ability to engage Board Members and Executives according to their responsibilities on Cyber Risk Governance and Strategy.

     

    2. A group simulation at the end of the second part of the course, aimed at assessing the capability to properly apply the main frameworks and tools for Cyber Risk Governance in the shoes if a CISO in his firt 90 days in a Company.

     

    3. An individual essay assignment at the end of the third part of the course, aimed at measuring the ability to interact with executive and managers about the emerging trends and issues of Cyber Risk in order to build an open and collaborative approach to the course’s topics.

    NOT ATTENDING STUDENTS

    The assessment for not attending students is based on an open essay question aimed at testing:

    • The overall understanding of the key concepst and principles related to Cyber Risk Governance and Strategy;
    • The capacity to critically read the Corporate and Digital Strategy of a Company and to desgin a consistent Cyber Risk Strategy;
    • The ability to effectively apply the tools and methods for the onboarding of Executives and Board Members in Cyber Risk Governance.   

    Teaching materials
    ATTENDING STUDENTS
    • Parenty T.J., Domet J.J., A Leader's Guide to Cybersecurity: Why Boards Need to Lead--and How to Do It, Harvard Business School Publishing, 2019 (only selected chapters).

    • Cases, readings, slides, and other material available through Bboard.
    NOT ATTENDING STUDENTS
    • Parenty T.J., Domet J.J., A Leader's Guide to Cybersecurity: Why Boards Need to Lead--and How to Do It, Harvard Business School Publishing, 2019 (Full Book)
    Last change 15/12/2022 21:13