Towson University

Syllabus
IHSM 612
Risk Management and Homeland Security
(Planning, Prevention and Management of Risk)

Spring 2006
15-Week Program

Professor Randall K Nichols

Office: Carlisle, PA
Availability: 10:00 - 22:00 EST
E-Mail: profrknichols@comcast.net
Course Website: www.infosec-technologies.com
Classroom: TBA
Class Times: Per Spring 06 Schedule
Prerequisites: IHSM 611

Course Description

IHSM 612 Planning, Prevention and Risk Management

Risk management is important simply because it is the best method available to determine the protection required for valuable assets at the most reasonable cost. Students will explore both technology and management issues related to managing the elements of holistic information security and risk assessment. Specific technologies and techniques used by terrorists, hackers, crackers, spies, and thieves to obtain access to sensitive, private information and domestic intelligence are discussed and explored. Students will complete a theoretical and practical risk assessment / management scenario that applies risk assessment to a credible terrorist threat.

Textbooks

1) Peltier, T. R. (2001). Information Security Risk Analysis. Boca Raton, FL: Auerbach.

2) White, J. R. (2004). Defending the Homeland: Domestic Intelligence, Law Enforcement, and Security. New York: Thomson-Wadsworth.

References (course material may be drawn from these optional readings)

3) Whitman, M. E., & Mattord, H. J. (2004). Management of Information Security. New York: Thomson Course Technology.

4) Roper, C. A. (1999). Risk Management for Security Professionals. New York: Butterworth Heinemann.

Course Objectives

There are two main themes / goals for this course:

  1. Information security and cyber security
  2. National critical assets and domestic intelligence / law enforcement

Objective No. 1 explores the theoretical, practical and best practices aspects of risk assessment and management.

Objective No. 2 is a group-oriented independent practicum on defense of the Homeland applying practical risk management and countermeasures to a serious simulated terrorist scenario.

Course Skills

Upon completion of this course, the student should be able to:

  • Identify and critically assess issues and concepts related to the protection of information and information systems.
  • Define security attributes: confidentiality, integrity and availability. Describe confidentiality requirements for an enterprise environment. Describe integrity requirements for an enterprise environment. Describe availability requirements for an enterprise environment. Place them in the Parker Analysis.
  • Analyze and evaluate proposed or extant information security policies, practices and procedures in order to assess potential advantages and disadvantages that might flow from implementing them. Describe how confidentiality can be protected. Describe how integrity can be protected. Describe how availability can be protected. Describe how failures of protections can be protected. Describe how attacks can be detected. Describe how impacts from an attack can be mitigated.
  • Use risk management principles to assess threats, vulnerabilities, countermeasures and impact contributions to risk in information systems and national critical infrastructures. Perform a risk analysis for a CIS sector or environment. Create a management plan for security in an environment.
  • Evaluate policies, strategies and standard operating procedures for securing information and communication systems and CIS sectors.
  • Identify and critically assess the legal, moral and ethical implications of behavior in an on-line world.

Course Pedagogy

This course will span 15 weeks with one (or part of one) module being taught each week in team format. The course will be broken up into two blocks of instruction. The former will concentrate on theoretical and practical risk assessment / management in a Homeland security environment. The latter block will focus on practical countermeasures for Homeland security. Teams will engage in risk assessment and presentation of appropriate countermeasures to respond to an alert for a hypothetical level 3 terrorist scenario called “the Day After Thanksgiving.” Here is a projected breakdown of the teaching modules:

Module 1 Introduction to Risk Assessment and Management – What is it and how can we use it to make our lives, critical assets and information systems safer?

Risk management is both an art and science. We first look at its purview.

  1. Introduction, administrative messages, and “daily bullets”
  2. The language of risk assessment: management, assessment, mitigation, threat levels, vulnerabilities, impact, countermeasures, probabilities, events, cost-effective responses and risk avoidance
  3. INFOSEC: confidentiality, integrity, availability, protect, detect, correct, access, authentication, cryptography, non-repudiation, extended terms
  4. Basic premises, the conventional risk management cycle (five phases), key personnel roles, system characterization.
  5. The conventional risk management model and risk assessment equation.

Module 2 Improving Conventional Wisdom: Security Needs Definition Matrix, Countermeasures, Systems Approach – 30 Elements and Life Cycle

Conventional strategies to reduce / manage risk de-emphasize INFOSEC and its relationship to countermeasures. Module 2 incorporates threats and vulnerabilities of computer systems into the risk model and emphasizes effects / costs of countermeasures chosen.

  1. A better risk management equation (Ryan model)
  2. The risk management process and dynamic model of risk.
  3. Exploration of Information Security aspects and systems engineering
  4. Holistic view of the risk management / mitigation process in terms of policy, training awareness, research and development, vulnerability analysis, security response teams, acquisition, systems operations, PDC, CIA and impact.
  5. The 12-block framework for IT organization and security management

Module 3 Mitigating Risk / Threat of Terrorism and other Risks

The development of strategies to reduce the risk / threat of terrorism, or other threats, involves a process in which the cost to mitigate is measured against savings in risk reduction.

  1. Thinking sensibly about security in an uncertain world – Schneier model
  2. How systems fail
  3. Knowing the attacker
  4. Technology creates security imbalances
  5. Security and risk assessment is a weakest link problem
  6. Brittleness makes bad security and increases risk
  7. People!
  8. Detection works where prevention fails, but is useless without response
  9. Identification, authentication and authorization
  10. All countermeasures have value but no one countermeasure is perfect

Module 4 Down in the mud: A walk through of the risk management process and work flow

Theory and practice meet the same road in this module. The Parker analysis for enhanced CIA / PDC and the Roper model for risk management information flow are presented.

  1. The Parker Analysis: preserving availability, utility, integrity, authenticity, availability, possession to meet a standard of due care, avoid loss, reduce loss, eliminate loss
  2. The Roper Risk model +1 (Nichols): 5 steps
  3. Asset Identification and loss impacts
  4. Threat identification and characterization (site specific)
  5. Vulnerability identification and assessment
  6. Assess risk and determine priorities for asset protection
  7. Perform cost-benefit analysis based on understanding the technology and countermeasures available

Module 5 Cryptography – the prime countermeasure?

Cryptography is a maturing science that has global-ranging applications in business and Government. Every commercial or government establishment that either markets its products internationally or uses computer networks for global communications and customer services must be concerned with protecting its information assets from a variety of attacks.

  1. How cryptography works and lessons from classical cryptography
  2. Key management, key size, entropy and crypto-strength
  3. Modern cryptography, confidentiality, data integrity, authentication, non-repudiation, digital signatures and certificate authorities.
  4. Cryptanalysis, traffic analysis, and pattern analysis, brute force
  5. Biometric encryption and steganography – terrorist cryptograms
  6. Wireless security – encryption features and increased risk
  7. INFOSEC / INFOWAR = due diligence / terror measures, the risk is exponentially different
  8. “Trust me, it’s encrypted” – fallacies of cryptography as a countermeasure

Module 6: Defending The Homeland: Domestic Intelligence, Law Enforcement and Security

Risk assessment takes on special meanings and problems when reviewed in the context of Homeland Security. There are many critical issues at stake, such as civil liberties, domestic intelligence gathering, privacy rights, police organization and structure, and the relationship of federal and local law enforcement.

Module 6 will encompass more questions than answers for risk related issues:

  1. Terrorism, patriotism and dilemmas of law enforcement
  2. Intelligence gathering and civil liberties
  3. Bureaucracy and interpretations of risk
  4. Clausewitz, Sun Tzu and Asymmetry
  5. Building intelligence systems based on risk identification
  6. Defensive infrastructure and risk management
  7. Terrorism and the future – CONPLAN (PDD 39 & PDD 62)
  8. How Al Qaeda sees risk
  9. Asymmetric warfare is more than crime, less than all-out war and very different in the commitment / fervor and planning of the terrorist participants

Module 7/8 Practicum: “2006: The Day After Thanksgiving Scenario”

Teams will be assigned a serious simulated terrorist attack (cyber, physical, psychological, diversions, and other) against a soft target of significant symbolic interest. Teams will identify critical assets that can be protected, evaluate technologies in place, build the security definition matrix, and prepare / present the Risk Management / Assessment Policy for this scenario. Focus must include the full range of personnel, cryptographic and INFOSEC countermeasures, their implementation and effectiveness for defense. A short after-action report will be prepared and evaluated by the class.

Web Site

A wealth of supplementary information for our course is available at www.infosec-technologies.com. Material downloaded must be appropriately attributed to contributors in all team / individual papers.

E-Mail

All students are requested to obtain an e-mail account that can receive a lot of mail (PPTs, notes, handouts, etc.); Gmail seems to work well. If you have any questions about the course or need assistance, please contact me in person or by telephone during office hours, or by e-mail at any time. About mid-semester, I will send out a confidential “1 to 1” e-mail to check on the progress of each student. Response is optional.

COURSE DELIVERABLES

The course deliverables are as follows:

Exams. There are normally two exams designed to help students improve their understanding of the concepts discussed in this course. A special collaborative project is generally used to substitute for the Midterm Exam and Final Exam.

Collaborative Team Research Paper / PowerPoint Presentation. Six (6) three-page papers and corresponding PowerPoint presentations will be due this semester (one team paper / presentation covering a particular Module).

Participation. Students are expected to prepare for each class meeting and participate in the homework discussion conferences. Questions based on the weekly lecturette and assigned text readings require students to contribute regularly. A rubric for participation is available as a benchmark.

Bullets. Students will prepare short Bullets on current items pertaining to this course (URLs, 30 - 60 second summaries of current security events, interesting IT / INFOSEC finds, etc.) or webliography items REGULARLY. Virus bullets (and AV product news) do not count. Duplicate bullets do not count. Bullet participation is generally a grade differentiator on participation. There are literally hundreds of security events happening around the world; INFOSEC newsletters, newspapers, formal / informal initiatives, homeland security and counter-terrorism resources provide raw high-grade material for bullets.

The instructor reserves the right to make changes to this syllabus at any time.

GRADING:

The final grade will be determined as follows:

Midterm Exam / Special Asymmetric Project -- 20%
Final Exam / Group Research Paper and PowerPoint Presentation -- 25%
Team Module Papers and Presentations -- 45%
Bullets -- regular submissions of "Bullets" or webliography are required -- 10%

GRADUATE SCHOOL GRADING GUIDELINES:

According to Graduate School grading policy, the following symbols are used: A = excellent; B = good; C = passing; and F = failure.

The grade of B represents the benchmark for the Graduate School. It indicates that the student has demonstrated competency in the subject matter of the course, e.g., has fulfilled all course requirements on time, has a clear grasp of the full range of course materials and concepts, and is able to present and apply these materials and concepts in clear, well-reasoned, well-organized, and grammatically correct responses, whether written or oral.

Only students who fully meet this standard and, in addition, demonstrate exceptional comprehension and application of the course subject matter earn a grade of A.

Students who do not meet the benchmark standard of competency fall within the C range or lower. They, in effect, have not met graduate level standards. Where this failure is substantial, they can earn an F.

WRITING STANDARDS:

Effective managers, leaders, and teachers are also effective communicators. Written communication is an important element of the total communication process. The Graduate School recognizes and expects exemplary writing to be the norm for course work. To this end, all papers, individual and group, must demonstrate graduate level writing and comply with the format requirements of the Publication Manual of the American Psychological Association, (5th Edition). Careful attention should be given to spelling, punctuation, source citations, references, and the presentation of tables and figures. It is expected that all course work will be presented on time and error free. Work submitted online should follow standard procedures for formatting and citations.

POLICY ON ACADEMIC INTEGRITY AND PLAGIARISM:

Academic integrity is central to the learning and teaching process. Students are expected to conduct themselves in a manner that will contribute to the maintenance of academic integrity by making all reasonable efforts to prevent the occurrence of academic dishonesty. Academic dishonesty includes, but is not limited to, obtaining or giving aid on an examination, having unauthorized prior knowledge of an examination, doing work for another student, and plagiarism of all types.

Plagiarism is the intentional or unintentional presentation of another person’s idea or product as one’s own. Plagiarism includes, but is not limited to, the following: copying verbatim all or part of another’s written work; using phrases, charts, figures, illustrations, or mathematical or scientific solutions without citing the source; paraphrasing ideas, conclusions, or research without citing the source; and using all or part of a literary plot, poem, film, musical score, or other artistic product without attributing the work to its creator. Students can avoid unintentional plagiarism by carefully following accepted scholarly practices. Notes taken for papers and research projects should accurately record sources of material to be cited, quoted, paraphrased, or summarized, and papers should acknowledge these sources. The penalties for plagiarism include a zero or a grade of F on the work in question, a grade of F in the course, suspension with a file letter, suspension with a transcript notation, or expulsion.

COURSE EVALUATIONS:

Feedback on each graduate course and instructor is important to the university, your professor, and to all students. Towson has the responsibility to assess the effectiveness of classroom instruction, and each student has the responsibility to provide accurate and timely feedback through completion of the course evaluation form. This is a shared obligation for us all. It is therefore important that you complete the evaluation form for each course. This should be viewed as an additional course and program requirement.

Course Schedule

Columns: Topics; CIS Sector; Hands-On Projects / Class Exercises; Exams / Special Comments

Week 1: Syllabus, Administrative, Class Expectations; TEAMS FORMATION; Introduction to Risk Assessment: Planning, Prevention & Risk management
Week 2: Module 1; Risk Management
Week 3: Module 1; Risk Management (cont); 3-pager brief
Week 4: Module 2 Improving CW
Week 5: Module 2; Systems Approach; 3-pager brief
Week 6: Module 3; Mitigating Risk
Week 7: Module 3; Terror Risk Assessment; 3-pager brief; Team Midterm
Week 8: Module 4; Risk Management & Work Flow
Week 9: Module 4; Cost Benefits; 3-pager brief
Week 10: Module 5; Cryptography
Week 11: Module 5; Pitfalls; 3-pager brief
Week 12: Module 6; Defending the Homeland
Week 13: Module 6; Domestic Intelligence & LEO; 3-pager brief
Week 14: TEAM DAY
Week 15: Day After Scenario; Team Final