Principles of Risk Management in IT Security
Awareness of the risks related to confidential information, intellectual property, and the consequences of disruptions to our IT infrastructure is going mainstream. But security leaders still must bridge an important language gap in their discussions of risk by making a business connection between the "unrewarded" risks of security and compliance and the "rewarded" risks of operations, innovation, and growth. This course will review practical methods for quantifying the uncertainties related to business decisions about information security, and for making risk-based decisions that rest on reducing those uncertainties through measurement and observation.
At the end of the course, students will be able to:
• Develop risk assessments in the security context of protecting value, defending assets, and minimizing downside
• Describe and connect such risk assessments in the business context of creating value, enabling assets, and maximizing upside
• Frame decisions about information security risk in terms of uncertainties
• Inform better decisions about information security by using measurement and observation to reduce uncertainties