Towson University

Center for Applied Information Technology
AIT612 Information Systems Vulnerability and Risk Analysis
(Planning, Prevention and Risk Management)
Monday, 5:30 – 9:00 pm

Professor Randall K Nichols

Availability: 10:00 AM - 10:00 PM EST
Mobile: 717-329-9836
Fax: 717-258-5693
Business E-Mail: cto@infosec-technologies.com
UMUC E-Mail: profrknichols@comcast.net
Website: www.infosec-technologies.com

A wealth of supplementary information for our course is available. Material downloaded must be appropriately attributed to contributors in all team / individual papers.

Course Description

This course presents a systems engineering approach to implementing and managing effective information security in contemporary highly networked enterprises. It provides an overview of the security challenges faced by individuals and organizations in the information age and introduces the complex and dynamic state of information assurance and risk assessment under uncertain conditions in cyberspace.

Ways of investigating the management of the risk and security of data and data systems are presented as a function of design through recovery and protection. Issues of risk and security, as they relate to specific industries and government, are major topics in the course.

Prerequisites

  • AIT 600 / AIT 610

Course Objectives

Core concepts and techniques of information security and risk analysis are introduced. This course emphasizes current information risk management needs, techniques, and challenges from Homeland security, government, business and technical perspectives through active discussion, individual project research, assigned homework, case studies, current bullets and team projects. Asymmetric thinking principles are stressed to engage better security solutions.

Module Objectives

This course is presented in six instruction modules with two pedagogical objectives: 1) to explore (through lecture and case study analysis) theoretical, practical and best practices of risk assessment, mediation and management in the critical risk assessment processes; and 2) to apply / report / evaluate (in team format) practical risk management and countermeasures to a serious simulated terrorist scenario.

Planning, Prevention, and Risk management topics include:

  • Identification and application of information risk management models
  • Tracing the life cycle of information systems security planning, evaluation, risk assessment, security architectures, incident detection, and responses to vulnerabilities and threats.
  • Reviewing legal, ethical, and business issues that motivate and constrain the definition and implementation of information security management systems.
  • Addressing software system vulnerabilities, software security (including trusted software), alternative countermeasures, policy, cryptography, and attack trends.
  • Researching techniques for measuring risk in delivered computer secure systems.

Skills Introduced

Upon completion of this course, the student will be able to:

  1. Identify and critically assess issues and concepts related to the protection of information and information systems.
  2. Analyze and evaluate risk in proposed or applied information security policies, practices and procedures in order to assess potential advantages and disadvantages that might flow from implementing them.
  3. Use risk management principles to assess threats, vulnerabilities, countermeasures and impact contributions to risk in information systems and national critical infrastructures.
  4. Perform a risk analysis for a critical infrastructure sector (CIS), terrorist incident or business environment.

Text Books and Instructional Resources

TEXTBOOKS (REQUIRED)

Gordon, L. A. & Loeb, M. P. (2006). Managing Cyber-Security Resources: A Cost Benefit Analysis. New York: McGraw Hill.

Peltier, T. R. (2006). Information Security Risk Analysis. 2nd ed. Boca Raton, FL: Auerbach.

OPTIONAL (Good Material & Case Studies)

Borodzicz, E. (2005) Risk, Crisis and Security Management. London: Wiley.

REFERENCES (Additional course material may be drawn from these optional readings. They will be available via email from instructor, on Blackboard common area, or placed on 3-day reserve at Towson University Albert S. Cook Library)

Bidgoli, H. Ed., (2005) Handbook of Information Security, in 3-Volumes. New York: Wiley.

Curts, R.J. & Campbell, D.E. (2003). Building a Global Information Assurance Program. New York: Auerbach.

Roper, C.A. (1999). Risk Management for Security Professionals, New York: Butterworth Heinemann.

Peltier, T. R. (2006). Information Security Risk Analysis. 2nd ed. Boca Raton, FL: Auerbach.

Pipkin, D. L. (2000). Information Security: Protecting the Global Enterprise. Upper Saddle River, NJ: HP Professional Books.

Pritchard, C. (2001) Risk Management: Concepts and Guidance. E S I Intl: New York.

White, J. R. (2004). Defending the Homeland: Domestic Intelligence, Law Enforcement, and Security, New York: Thomson-Wadsworth.

Whitman, M.E, & Mattord, H.J. (2004). Management of Information Security, New York: Thomson Course Technology.

Course Deliverables

Exams. There will be no formal midterm or final exams.

Module Reports. Three (3) three-page papers (maximum) and corresponding PowerPoint presentations will be due (one team paper / presentation) covering each teaching module. A minimum of 15 PowerPoint slides is required. Papers are to be single spaced and scholarly referenced.

Asymmetric Thinking Risk Assessment (RA) Project. A special team Asymmetric Risk Assessment project will be assigned at the beginning of the semester and due at the end of week seven. No paper is required. A minimum of 45 PowerPoint slides is required.

Collaborative Team Research Papers / PowerPoint Presentations. A semester-long team research paper/ PowerPoint presentation covering an assigned hypothetical “New Years Eve Party” A/D (Attack/Defense with After-Action Reporting) scenario will be required to demonstrate collaborative skills and asymmetric risk management responses to a national crisis. The group project paper is 25 core pages (minimum) and 50 PowerPoint slides (minimum).

Participation. Students are expected to prepare for each class meeting and participate in the homework discussion conferences. Questions based on the weekly lecturette and assigned text readings require students to contribute regularly. A rubric for participation is available as a benchmark.

Bullets. Students will prepare short, relevant, current bullets (30 - 60 second oral summaries) pertaining to this course: risk assessment, risk management, risk mitigation, crisis management, legal trials of national interest, national crises, terror incidents, accidents, natural disasters, maritime incidents or piracy, political or infrastructure news, LEO actions, civil / criminal actions, health issues, open intelligence, BW/CW rulings, CIS sector news, Patriot Act, NSA, CIA, WH, laws or rulings of interest; URLs, security events, interesting IT / INFOSEC finds, agency news or actions, or webliography items. Virus bullets (and AV product news) do not count. Duplicate bullets do not count.

Case Studies. Four written / PowerPoint case studies will be prepared by teams. They should demonstrate understanding of key facts, issues, practices, conclusions and recommendations for improved security posture by reducing risks. Case study reports are limited to 5 pages and presentations to 15 PowerPoint slides.

PGP Assignment. Each student will individually download and install a copy of PGP freeware Version 6.5.8 (or secure the same from the instructor), not a newer version, since newer versions generally have fewer capabilities and are not free, and perform a robust cryptographic exercise.

Grading

Grading:

  • (Team) Asymmetric Risk Assessment Project (replaces midterm): 20%
  • (Team) Research Paper and PowerPoint Presentation (replaces final): 30%
  • (Team) Module Papers and Presentations: 15%
  • PGP Crypto Assignment: 5%
  • Case Studies (Team), due one week after assignment: 20%
  • Bullets (individual grading) - regular submissions of "bullets" or webliography: 10%

Course Grades:

  • A: 90-100%
  • B: 80-89%
  • C: 70-79%
  • F: 0-69%

Course Content and Pedagogy

This course will span 13 weeks with one (or part of one) module being taught each session. The course will be broken up into two blocks of instruction. The former will concentrate on theoretical and practical risk assessment /management in a Critical Infrastructure Sector (CIS) environment. The latter block will focus on practical countermeasures for risk mitigation and management in a Critical Infrastructure Sector environment. Teams will engage in risk assessment and presentation of appropriate countermeasures to respond to an alert for a hypothetical terrorist simulated scenario called “New Years Eve Party.” Teams will prepare a group research paper/ PowerPoint presentation for the class covering their solution to the assigned A/D (Attack/Defense scenario with After-Action Reporting) to demonstrate collaborative skills and asymmetric risk management responses to a national crisis.

Here is a projected breakdown of the teaching modules:

Module 1 Introduction to Risk Assessment and Management – What is it and how can we use it to make our lives, critical assets and information systems safer?

Risk management is both an art and science. We first look at its purview.

1) Introduction, administrative messages, and “daily bullets”

2) The language of risk assessment: management, assessment, mitigation, threat levels, vulnerabilities, impact, countermeasures, probabilities, events, cost-effective responses and risk avoidance

3) INFOSEC: confidentiality, integrity, availability, protect, detect, correct, access, authentication, cryptography, non-repudiation, extended terms

4) Basic premises, the conventional risk management cycle (five phases), key personnel roles, system characterization

5) The conventional risk management model and risk assessment equation.

Module 2 Improving Conventional Wisdom: Security Needs Definition Matrix, Countermeasures, Systems Approach – 30 Elements and Life Cycle

Conventional strategies to reduce / manage risk de-emphasize INFOSEC and have a random relationship to countermeasures. Module 2 incorporates threats and vulnerabilities of computer systems into the risk model and emphasizes effects / costs of countermeasures chosen.

1) A better risk management equation (Ryan model)

2) The risk management process and dynamic model of risk.

3) Exploration of Information Security aspects and systems engineering

4) Holistic view of the risk management / mitigation process in terms of policy, training awareness, research and development, vulnerability analysis, security response teams, acquisition, systems operations, PDC, CIA and impact.

5) The 12- block framework for IT organization and security management

Module 3 Mitigating Risk /Threat of Terrorism and other Risks

The development of strategies to reduce risk /threat of terrorism, or other
threats, involves a process in which the cost to mitigate is measured against
savings in risk reduction:

1) Thinking sensibly about security in an uncertain world – Schneier model

2) How systems fail

3) Knowing the attacker

4) Technology creates security imbalances

5) Security and risk assessment is a weakest link problem

6) Brittleness makes bad security and increases risk

7) People!

8) Detection works where prevention fails, but is useless without response

9) Identification, authentication and authorization

10) All countermeasures have value but no one countermeasure is perfect

Module 4 Down in the mud: A walk through of the risk management process and work flow

Theory and practice meet the same road in this module. The Parker analysis for enhanced CIA / PDC and the Roper model for risk management information flow are presented.

1) The Parker Analysis: preserving availability, utility, integrity, authenticity, availability, possession to meet a standard of due care, avoid loss, reduce loss, eliminate loss

2) The Roper Risk model +1 (Nichols): 5 steps

3) Asset Identification and loss impacts

4) Threat identification and characterization (site specific)

5) Vulnerability identification and assessment

6) Assess risk and determine priorities for asset protection

7) Perform cost-benefit analysis based on understanding the technology and countermeasures available

Module 5 Cryptography – the prime countermeasure?

Cryptography is a maturing science that has global-ranging applications in business and government. Every commercial or government establishment that either markets its products internationally or uses computer networks for global communications and customer services must be concerned with protecting its information assets from a variety of attacks. All students will download freeware PGP version 6.5.8 (not the newer versions, which have reduced capability), or obtain a copy of the same from the instructor, to perform a robust cryptographic exercise.

1) How cryptography works and lessons from classical cryptography,

2) Key management, key size, entropy and crypto-strength

3) Modern cryptography, confidentiality, data integrity, authentication, non-repudiation, digital signatures and certificate authorities.

4) Cryptanalysis, traffic analysis, and pattern analysis, brute force

5) Biometric encryption and steganography – terrorist cryptograms

6) Wireless security – encryption features and increased risk

7) INFOSEC / INFOWAR = due diligence / terror measures, the risk is exponentially different

8) “Trust me, it’s encrypted” – fallacies of cryptography as a countermeasure

Module 6: Defending the Homeland: Domestic Intelligence, Law Enforcement and Security

Risk assessment takes on special meanings and problems when reviewed in the context of Homeland Security. There are so many critical issues at stake, such as civil liberties, domestic intelligence gathering, privacy rights, police organization and structure, and the relationship of federal and local law enforcement.

Module 6 will encompass more questions than answers for risk related issues:

1) Terrorism, patriotism and dilemmas of law enforcement

2) Intelligence gathering and civil liberties

3) Bureaucracy and interpretations of risk

4) Clausewitz, Sun Tzu and Asymmetry

5) Building intelligence systems based on risk identification

6) Defensive infrastructure and risk management

7) Terrorism and the future – CONPLAN (PDD39 & PDD 62)

8) How Al Qaeda sees risk

9) Asymmetric warfare is more than crime, less than all out war and very different in the commitment / fervor and planning of the terrorist participants

10) Review GOVSEC 2006 presentation on protecting Critical Infrastructure: Data Security.

Module 7/8 Practicum: “2006: New Years Eve Party”

Teams will be assigned a serious simulated terrorist attack (cyber, physical, psychological, diversions, and other) against a soft target of significant symbolic interest. Teams will identify critical assets that can be protected, evaluate technologies in place, security definition matrix, prepare / present the Risk Management / Assessment Policy for this scenario. Focus must include full-range of personnel, physical, cyber, cryptographic and INFOSEC technologies, countermeasures, and risk mitigation steps with their implementation and effectiveness for defense. An After-Action report will be prepared for and evaluated by the class.

Course Schedule

Topics / CIS Sector Module | Hands-On Projects / Class Exercises | Reading / Homework Assignments | Exams / Special Case Study

WEEK 1

Syllabus
Administrative
Class Expectations

TEAMS FORMATION

Introduction to Risk Assessment: Planning, Prevention & Risk Management

Peltier:
Chapter 1

Gordon:
Chapter 1

Assignment: Case Study 1:
Sept 11, 2001
Borodzicz: pp 161-164

WEEK 2

Module 1
Risk Management

Peltier:
Chapter 2

Gordon:
Chapter 2

Case Study 1 paper due

WEEK 3

Module 2 Improving CW

Peltier:
Chapter 3

Gordon:
Chapter 3

Borodzicz: Chapter 7 Crisis


Module 1: 3-Pager due

Assignment: Case Study 2: Kings Cross underground fire
Borodzicz: pp 183-202

WEEK 4

Module 2
Systems Approach

Peltier:
Chapter 4

Gordon:
Chapter 4

Case Study 2 Paper Due

WEEK 5

Module 3
Mitigating Risk

Peltier:
Chapter 5

Gordon:
Chapter 5

Module 2: 3-Pager Due

WEEK 6

Module 3
Terror Risk Assessment

Peltier:
Chapter 6

Gordon:
Chapter 6

Partial Team day

WEEK 7

FUJI

Asymmetric Risk Assessment Project Due
“Relocating FUJI”

WEEK 8

Module 4
Risk Management & Work Flow

Peltier:
Chapter 7 & Case Study

Gordon:
Chapters 7-8

Assignment:
Case Study 3: NJ Disco Fire - Pyrotechnics

WEEK 9

Module 4
Cost Benefits

Peltier:
Chapter 8

Gordon:
Chapter 9 & Appendices

Case Study 3 Paper Due

WEEK 10

Module 5
Cryptography

Peltier:
Chapter 9

PGP Assignment

Assignment: Case Study 4: Katrina

WEEK 11

Module 5
Cryptographic Pitfalls

Peltier:
Appendices A-C

Case Study 4 Paper Due

PGP Assignment Due

WEEK 12

Module 6
Defending the Homeland
& Terrorism

Peltier:
Appendices D-F

Partial Team Day

WEEK 13

New Years Eve Party Terrorist Scenario


Collaborative Paper and Team Presentation due

Course Policies and Procedures

Grading. According to Graduate School grading policy, the following symbols are used: A = excellent; B = good; C = passing; and F = failure.

The grade of B represents the benchmark for the Graduate School. It indicates that the student has demonstrated competency in the subject matter of the course, e.g., has fulfilled all course requirements on time, has a clear grasp of the full range of course materials and concepts, and is able to present and apply these materials and concepts in clear, well-reasoned, well-organized, and grammatically correct responses, whether written or oral.

Only students who fully meet this standard and, in addition, demonstrate exceptional comprehension and application of the course subject matter earn a grade of A.

Students who do not meet the benchmark standard of competency fall within the C range or lower. They, in effect, have not met graduate level standards. Where this failure is substantial, they can earn an F.

Writing Standards. Effective managers, leaders, and teachers are also effective communicators. Written communication is an important element of the total communication process. The Graduate School recognizes and expects exemplary writing to be the norm for course work. To this end, all papers, individual and group, must demonstrate graduate level writing and comply with the format requirements of the Publication Manual of the American Psychological Association (5th Edition). Careful attention should be given to spelling, punctuation, source citations, references, and the presentation of tables and figures.

Timeliness. It is expected that all course work will be presented on time and error free. Work submitted online should follow standard procedures for formatting and citations.

Academic Integrity and Plagiarism. Academic integrity is central to the learning and teaching process. Students are expected to conduct themselves in a manner that will contribute to the maintenance of academic integrity by making all reasonable efforts to prevent the occurrence of academic dishonesty. Academic dishonesty includes, but is not limited to, obtaining or giving aid on an examination, having unauthorized prior knowledge of an examination, doing work for another student, and plagiarism of all types.

Plagiarism is the intentional or unintentional presentation of another person’s idea or product as one’s own. Plagiarism includes, but is not limited to, the following: copying verbatim all or part of another’s written work; using phrases, charts, figures, illustrations, or mathematical or scientific solutions without citing the source; paraphrasing ideas, conclusions, or research without citing the source; and using all or part of a literary plot, poem, film, musical score, or other artistic product without attributing the work to its creator. Students can avoid unintentional plagiarism by carefully following accepted scholarly practices. Notes taken for papers and research projects should accurately record sources of material to be cited, quoted, paraphrased, or summarized, and papers should acknowledge these sources. The penalties for plagiarism include a zero or a grade of F on the work in question, a grade of F in the course, suspension with a file letter, suspension with a transcript notation, or expulsion. Students may learn more about Towson University’s formal policies at: https://inside.towson.edu/generalcampus/tupolicies/index.cfm

Disabilities. Any student who needs an accommodation due to a disability should make an appointment to discuss the accommodation. A memo from Disability Support Services authorizing the accommodation is required.

Course Evaluations. Feedback on each graduate course and instructor is important to the university, your professor, and to all students. Towson University has the responsibility to assess the effectiveness of classroom instruction, and each student has the responsibility to provide accurate and timely feedback through completion of the course evaluation form. This is a shared obligation for us all. It is therefore important that you complete the evaluation form for each course. This should be viewed as an additional course and program requirement.

Bibliography

Acquista, A. (2003). The Survival Guide: what to do in a Biological, Chemical or Nuclear Emergency. New York: Random House.

Adams, J. (1998). The Next World War, New York: Simon & Schuster.

Anonymous. (April 2001). Electronic Crime Needs Assessment for State and Local Law Enforcement, National Institute of Justice: Washington, DC.

Barnett, T.P.M. (2004). The Pentagon’s new map: War and peace in the twenty-first century. New York: Penguin Group.

Bergen, P.L. (2001). Holy War Inc: Inside the Secret World of Osama bin Laden. Denver: Free Press.

Berkowitz, B. (2003). The New Face of War, New York: Free Press.

Bidgoli H., Editor-in-Chief. (2006) Volume 1: Handbook of Information Security: Key Concepts, Infrastructure, Standards, and Protocols. Hoboken, New Jersey: Wiley.

Bidgoli H., Editor-in-Chief. (2006) Volume 2: Handbook of Information Security: Information Warfare; Social, Legal and International Issues; and Security Foundations. Hoboken, New Jersey: Wiley.

Bidgoli H., Editor-in-Chief. (2006) Volume 3: Handbook of Information Security: Threats, Vulnerabilities, Prevention, Detection, and Management. Hoboken, New Jersey: Wiley.

Borodzicz, E. (2005). Risk, Crisis and Security Management. London: Wiley.

Campen, A.D., et al. (1996). Cyberwar: Security, Strategy and Conflict in the Information Age, AFCEA.

Cherkasky, M. with Alex Prud’ Homme. (2003). Forewarned: Why the government is failing to protect us – and what we must do to protect ourselves. New York: Ballantine.

Cordesman, A.H. (2002). Cyber-Threats, Information Warfare, and Critical Infrastructure Protection: Defending the U.S. Homeland. Westport Connecticut: CSIS publications.

Culp, C. L. (2001). Risk Management Process: Business Strategy and Tactics. New York: Wiley.

Curts, R.J. & Campbell, D.E. (2003). Building a Global Information Assurance Program. New York: Auerbach.

Dacey, R. F. (April 8, 2003.) Information Security: Progress Made, But Challenges Remain to Protect Federal Systems and the Nation's Critical Infrastructures, GAO Testimony Before the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Committee on Government Reform, House of Representatives, Statement of Robert F Dacey, Director, Information Security Issues.

Diamond, J. (2005). Collapse: How societies choose to fail or succeed. New York: Viking.

Doherty, N. (2001). Integrated Risk Management: Techniques and Strategies for Managing Corporate Risk. New York: McGraw-Hill.

Dorothy, D. (1999). Defending the Nation: Information Warfare and Security. Boston: ACM Press.

Gordon, L. A. & Loeb, M. P. (2006). Managing Cyber-Security Resources: A Cost Benefit Analysis. New York: McGraw Hill.

Harris, S. (2005). The End of Faith: Religion, Terror, and the future of reason. New York: Norton.

Hall, W. M. (2003). Stray Voltage: War in the information age. Annapolis, MD: Naval Institute Press.

Henderson, H. (2003). Global Terrorism: The Complete Reference Guide, Checkmark Books, 2003.

Johnson, L. K. (2000). Bombs, Bugs, Drugs and Thugs: Intelligence and America’s quest for security. New York: New York University Press.

Jones, A. & Ashenden, D. (2005). Risk Management for Computer Security: Protecting Your Network and Information Assets. London: Butterworth-Heinemann.

Kroeger, T. (2003). Information Warfare: More than meets the eye, GSEC version 1.4b, San Francisco: SANS Institute.

Laqueur, W. (Ed.). (2004). Voices of terror: Manifestos, writings and manuals of Al Qaeda, Hamas, and other terrorists from around the world and throughout the ages. New York: Reed Press.

Larson, E.V. & Peters, J. E. (June 2001). Preparing the U.S. Army for Homeland Security: Concepts, Issues, and Options. Santa Monica, CA: Rand Corporation.

Leone, R.C. & Anrig, G. Jr. (2003). The War on Our Freedoms: Civil Liberties in an Age of Terrorism. New York: Century Foundation.

Lesser, I.O, Hoffman, B., Arquilla, J., Ronfeldt, D. & Jenkins, M. (1999). Countering the New Terrorism, Boston: Rand Press.

Libicki, M. (1997) What is Information Warfare? National Defense University, NDU Press Book.

Lewis, J.A. (December, 2002) Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats. Center for Strategic and International Studies, Washington, DC.

Molander, R.C., Wilson, P.A. & Anderson, R.H. (1998) United States Vulnerabilities: Threats Against Society, Santa Monica, Calif.: RAND, MR-1016, OSD.

National Research Council. (2002). Making the Nation Safer: The Role of Science and Technology in Countering Terrorism. Washington: National Academy Press.

Nichols R. K, Ryan, D. J., & Ryan, JCH. (2002) Defending your Digital Assets, Against Hackers, Crackers, Spies and Thieves, McGraw-Hill.

Nichols, R.K. & Lekkas, P. C. (2002). Wireless Security: Models, Threats, Solutions. New York, NY: McGraw Hill.

O'Hanlon, M. E., et al. (2002). Protecting the American Homeland: One Year On, Brookings, Harrisonburg, VA: Brookings.

Parker, T., et al. (2004). Cyber Adversary Characterization. Rockland, MD: Syngress.

Peltier, T. R. (2006). Information Security Risk Analysis. 2nd ed. Boca Raton, FL: Auerbach.

Pipkin, D. L. (2000). Information Security: Protecting the Global Enterprise. Upper Saddle River, NJ: HP Professional Books.

Pritchard, C. (2001). Risk Management: Concepts and Guidance. E S I Intl: New York.

Pynchon, J.H. & Burke, T. (2001). Terrorism: Today's Biggest Threat to Freedom, New York: Pinnacle.

Rattray, G. J. (2001). Strategic warfare in cyberspace. London: MIT Press.

Roper, C.A. (1999). Risk Management for Security Professionals, New York: Butterworth Heinemann.

Schneier, B. (2003). Beyond Fear: Thinking Sensibly about Security in an Uncertain World. New York: Copernicus.

Schwartau, W. (1996). Information Warfare: CyberTerrorism: Protecting Your Personal Security in the Electronic Age. New York: Thunder's Mouth Press.

Vatis, M.A. (September 16, 2001). Combating Terrorism: A Compendium of Recent CounterTerrorism Recommendations from Authoritative Commissions and Subject Matter Experts, Director, Institute for Security Technology Studies, Dartmouth College.

Vatis, M.A. (September 22, 2001). Cyber Attacks During the War on Terrorism: A Predictive Analysis. Director, Institute for Security Technology Studies, Dartmouth College.

Verton, D. (2004). Black Ice: The Invisible Threat of Cyber-Terrorism, (ICE) San Francisco: Osborne.

White, J. R. (2004). Defending the Homeland: Domestic Intelligence, Law Enforcement, and Security, New York: Thomson-Wadsworth.

Whitman, M.E, & Mattord, H.J. (2004). Management of Information Security, New York: Thomson Course Technology.

Williams, P. L. (2004). Osama’s Revenge: The Next 9/11: What the media and the Government Haven't Told You. New York: Prometheus.

Yourdon, E. (2002). Byte wars: The impact of September 11 on information technology. Upper Saddle River, NJ: Prentice Hall.