UTICA COLLEGE
Center for Economic Crime and Justice Studies
B. S. in Cybersecurity and Information Assurance

Fall 2006
CRJ 333 Information Security
Section A
MWF 11:30 – 12:20 AM
16 Weeks: 29 August – 15 December 2006
Location: Fac 104

3 Credit Hours

Prerequisites: CRJ 107; proficiency with MS Word and PowerPoint; APA-style citation; and a WebCT account.

Instructor: Associate Professor Randall K. Nichols
Office: Hubbard B-4
Email: rnichols@utica.edu
Phone: 315-223-2501
Office Hours: 0930–1700 M-F and by appointment

B. Course Description

This course presents a systems engineering approach to implementing and managing effective information security in contemporary highly networked enterprises. It provides an overview of the security challenges faced by individuals and organizations in the information age and introduces the complex and dynamic state of information assurance and risk assessment under uncertain conditions in cyberspace.

Ways of investigating the management of the risk and security of data and data systems are presented as a function of design through recovery and protection. Issues of risk and security, as they relate to specific industries and government, are major topics in the course. Students will be exposed to a spectrum of security activities, methods, methodologies, and best practices.

C. Objectives / Learning Outcomes

Core concepts and techniques of information security and risk analysis are introduced. This course emphasizes current information risk management needs, techniques, and challenges from Homeland security, government, business and technical perspectives through active discussion, individual project research, assigned homework, case studies, current bullets and team projects. Asymmetric thinking principles are stressed to engage better security solutions. Coverage will include inspection and protection of information assets, detection of and reaction to threats to information assets, risk assessment applied to information assets, and examination of pre- and post-incident procedures, technical and management responses and an overview of information security planning functions.

Module Objectives

This course is presented in six instruction modules with two pedagogical objectives: 1) to explore (through lecture and case study analysis) theoretical, practical and best practices of information security, information risk assessment, mediation and management in critical information processes; and 2) to apply / report / evaluate (in team format) information security needs, risks, and countermeasures recommended to address a serious simulated terrorist scenario.

Information Security management topics include:

  • Identification and application of information risk management models,
  • Tracing the life cycle of information systems security planning, evaluation, risk assessment, security architectures, incident detection, and responses to vulnerabilities and threats.
  • Reviewing legal, ethical, and business issues that motivate and constrain the definition and implementation of information security management systems.
  • Addressing software system vulnerabilities, software security (including trusted software), alternative countermeasures, policy, cryptography, and attack trends.

Skills Introduced

Upon completion of this course, the student will be able to:

  1. Identify and critically assess issues and concepts related to the protection of information and information systems.
  2. Analyze and evaluate risk in proposed or applied information security policies, practices and procedures in order to assess potential advantages and disadvantages that might flow from implementing them.
  3. Use risk management principles to assess threats, vulnerabilities, countermeasures and impact contributions to risk in information systems and national critical infrastructures.
  4. Identify and prioritize threats to information assets.
  5. Understand the basic security technologies and Security Definitions Matrix.
  6. Describe the legal and public relations implications of security and privacy issues.
  7. Present a disaster recovery plan for recovery of information assets after an incident.

TEXTBOOKS (REQUIRED)

  1. Whitman, M.E. & Mattord, H.J. (2005) Principles of Information Security, 2nd ed. Boston: Thomson Course Technology. [PIS]
  2. Whitman, M.E. & Mattord, H.J. (2006) Readings and Cases in the Management of Information Security. Boston: Thomson Course Technology. [RCMIS]
  3. Evers, D. H., Glover, T. J., Glover, T.M. & Miller, M.E. (2006) Pocket Partner, 4th ed. Littleton, CO: Sequoia Publishing.

OPTIONAL (Good Material & Case Studies)

  1. Schneier, B. (2003). Beyond Fear: Thinking Sensibly about Security in an Uncertain World. New York: Copernicus.
  2. Whitman, M.E, & Mattord, H.J. (2004). Management of Information Security. Boston: Thomson Course Technology.

Web Site

A wealth of supplementary information for our course is available at www.infosec-technologies.com. Material downloaded must be appropriately attributed to contributors in all team / individual papers.

Course Deliverables

  1. Exams. There will be no formal in-class midterm or final exams. They have been replaced by two collaborative team projects. There is one in-class CIA Security Needs Matrix / Technologies assignment.
  2. Asymmetric Thinking Information Security / Risk Assessment (IS/RA) Project. A special team Asymmetric Thinking Information Security / Risk Assessment project will be assigned at the beginning of the semester and due at the end of week seven. No paper is required. Teams will prepare a minimum of 45 PowerPoint slides to present in class.
  3. Collaborative Team Research Papers / PowerPoint Presentations. A semester-long team research paper/ PowerPoint presentation covering an assigned hypothetical “New Years Eve Party” A/D (Attack/Defense with After-Action Reporting) scenario will be required to demonstrate collaborative skills and asymmetric Information / Security / Risk Assessment responses to a national crisis. The group project paper is 25 core pages (minimum) and 45 PowerPoint slides (minimum) to be presented in class.
  4. Participation. Students are expected to prepare for each class meeting and participate in the homework discussion conferences. Questions based on the weekly lecturette / PowerPoint presentation and assigned text readings require students to contribute regularly. A rubric for participation is available as a benchmark.
  5. Bullets. Students will prepare short, relevant, current (within 7 days of class) bullets (30 - 60 second oral summaries) for each class, pertaining to this course: information security technologies, risk assessment, risk management, risk mitigation, crisis management, legal trials of national interest, national crises, terror incidents, accidents, natural disasters, maritime incidents or piracy, political or infrastructure news, LEO actions, civil / criminal actions, health issues, open intelligence, BW/CW rulings, CIS sector news, Patriot Act, NSA, CIA, WH, laws or rulings of interest; URLs, security events, interesting IT / INFOSEC finds, agency news or actions, or webliography items. Virus bullets (and AV product news) do not count. Duplicate bullets do not count. Students will be chosen randomly for presentation of their bullet(s).
  6. Case Studies. Four written / PowerPoint case studies will be prepared by teams. They should demonstrate understanding of key facts, issues, practices, conclusions and recommendations for improved security posture by reducing risks. Case study reports are limited to 5 pages and presentations to 15 PowerPoint slides. Case studies will be presented using the FIRC method of briefing:
    • Facts
    • Issues
    • Relationships or Rules
    • Conclusions (and Recommendations)

Where: Issues revolve around Information Security core problems /Risk, Threats, Vulnerability, Impact and Countermeasures applied.

Where: Rules or Relationships may be best information security practices, standards or legal codes. This is the glue that holds addressed information security issues together logically.

Where: Conclusions (and Recommendations) are the team's applications of the practices, rules or relationships to the information security issues claimed based on the facts of the case.

  7. PGP Assignment. Students will individually download and install a copy of PGP freeware version 6.5.8 (not a newer version, which generally has fewer capabilities and is not free), or obtain a copy from the instructor, and perform a robust cryptographic exercise.

Grading

The final course grade will be determined as follows:

  • Asymmetric Information Security Project (Team) -- 25%
  • Research Paper and PowerPoint Presentation (Team) -- 30%
  • PGP Crypto Assignment (Individual) -- 10%
  • Case Studies (Team) -- 20% [due one week after assignment]
  • Bullets (Individual grading) -- regular submissions of "Bullets" or webliography -- 10%
    [1-3 each class, students presenting chosen randomly]
  • In-class CIA / SDM / Security Technologies Assignment (Team) -- 5%

ALL PowerPoint Presentations, papers and case studies must be available to the instructor in electronic form on a memory stick, CDROM or floppy disk. It is helpful for teams to pass out a 2-page After-Action Report (AAR) to the class for the team research papers /presentations.
Note, in my classes, there is a significant emphasis on teamwork. Choose your teammates and team leader carefully. Information security challenges are handled better through teamwork and joint knowledge.

D. Course Content and Pedagogy

This course will span approximately 16 weeks with one (or part of one) module being taught each class session. The course will be broken up into two blocks of instruction. The former will concentrate on theoretical and practical information security / risk assessment / management issues in our society. The latter block will focus on practical countermeasures needed for robust information security for risk mitigation and management in a Critical Infrastructure Sector environment. Teams will engage in determining information security needs, security technologies, evaluating risks and presentation of appropriate countermeasures to respond to an alert for a hypothetical terrorist simulated scenario called “New Years Eve Party.” Teams will prepare a group research paper/ PowerPoint presentation for the class covering their solution to the assigned A/D (Attack/Defense scenario with After-Action Reporting) to demonstrate collaborative skills and asymmetric information security / risk assessment responses to a national crisis.

Here is a projected breakdown of the teaching modules:

Module 1 Introduction to Information Security, Risk Assessment and IS Management – What is it and how can we use it to make our lives, critical assets and information systems safer?

Information Security is both an art and science. We first look at its purview.

  1. History, NSTISSC Security Model, IS evolution, Security Needs Definition Matrix,
  2. The language of Information Security: management, assessment, mitigation, threat levels, vulnerabilities, impact, countermeasures, probabilities, events, cost-effective responses and risk avoidance,
  3. INFOSEC: confidentiality, integrity, availability, protect, detect, correct, access, authentication, cryptography, non-repudiation, extended terms,
  4. Basic premises, the conventional IS / risk management cycle (five phases), key personnel roles, system characterization,
  5. IS trade-offs, SDLC, communities of interest,
  6. Attacks and threats, IC3 list,
  7. Legal, ethical and professional issues in IS.

Module 2 Improving Conventional Wisdom: Security Needs Definition Matrix, Countermeasures, Systems Approach – 30 Elements and Life Cycle

Conventional strategies to reduce and manage risk tend to de-emphasize INFOSEC and relate countermeasures to risk only loosely. Module 2 incorporates the threats and vulnerabilities of computer systems into the risk model and emphasizes the effects and costs of the countermeasures chosen.

  1. A better risk management equation (Ryan model),
  2. The risk management process and dynamic model of risk,
  3. Exploration of 30 Information Security aspects and systems engineering,
  4. Holistic view of the risk management / mitigation process in terms of policy, training awareness, research and development, vulnerability analysis, security response teams, acquisition, systems operations, PDC, CIA and impact,
  5. Planning for IS and the IS blueprints.

Module 3 Security Technologies

The development of IS technologies and strategies to reduce risk and improve information security:

  1. Firewalls, content filters, SPAM filters, proxy hosts, SSH, SSL, VPNs,
  2. Intrusion Detection Systems (IDS)
  3. Traps and Honeypots
  4. Port scanning and network traffic analysis tools
  5. Access control devices
  6. Biometric devices

Module 4 Cryptography – the prime countermeasure?

Cryptography is a maturing science with global-ranging applications in business and government. Every commercial or government establishment that either markets its products internationally or uses computer networks for global communications and customer services must be concerned with protecting its information assets from a variety of attacks. All students will download freeware PGP version 6.5.8 (not the newer versions, which have reduced capability and are not free), or obtain a copy from the instructor, to perform a robust cryptographic exercise.

  1. How cryptography works and lessons from classical cryptography,
  2. Key management, key size, entropy and crypto-strength, attacks,
  3. Modern cryptography, confidentiality, data integrity, authentication, non-repudiation, digital signatures and certificate authorities,
  4. Cryptanalysis, traffic analysis, and pattern analysis, brute force,
  5. Biometric encryption and steganography – terrorist cryptograms,
  6. Wireless security – encryption features and increased risk,
  7. INFOSEC / INFOWAR = due diligence / terror measures, the risk is exponentially different,
  8. “Trust me, it's encrypted” – fallacies of cryptography as a countermeasure

Module 5 IS Management

Information security has additional dimensions that support the CyberSecurity elements:

  1. Physical security, access controls, supporting utilities, incident detection
  2. Mobile and portable systems protection,
  3. Project management considerations, Bulls-Eye model, culture of IS
  4. IS personnel and staffing issues, salaries!, professional certifications and their value,
  5. Classified information and government work, security clearances,
  6. IS system maintenance and planning for IS success.

Module 6 Practicum: “2006: New Years Eve Party”

Teams will be assigned a serious simulated terrorist attack (cyber, physical, psychological, diversions, and other) against a soft target of significant symbolic interest. Teams will identify critical assets that can be protected, evaluate the IS technologies in place, develop a CIA security definition matrix, and prepare and present the Risk Assessment and Security Policy for this scenario. The focus must include the full range of personnel, physical, cyber, cryptographic and INFOSEC technologies, countermeasures, and risk mitigation steps, with their implementation and effectiveness for defense. An After-Action Report will be prepared for and evaluated by the class.

Course Schedule

Each week lists, in order: Topics / Module; Reading / Homework Assignments; Exams, Case Studies and Class Exercises; Bullet Level.

WEEK 1
  Topics: Syllabus, administrative matters, class expectations; TEAM FORMATION; Module 1 - Introduction to Information Security
  Reading: [PIS] Chapter 1 - Introduction to Information Security (IS); [RCMIS] Reading 2 - Business Objectives
  Bullet Level: Bullets = 1

WEEK 2
  Topics: Module 1 - Introduction to Information Security
  Reading: [PIS] Chapter 2 - The Need for IS; [RCMIS] Reading 4 - Zen
  Case Study: Case Study 1 assigned: [RCMIS] Case A - CGT, Inc.

WEEK 3
  Topics: Module 1 - Introduction to Information Security
  Reading: [PIS] Chapter 3 - Legal and Professional Issues in IS; [RCMIS] Reading 11 - Models
  Exercises: In-class CIA / SNDM exercise
  Case Study: Case Study 1 due

WEEK 4
  Topics: Module 2 - IS Risk Assessment
  Reading: [PIS] Chapter 4 - IS Risk Management; [RCMIS] Reading 5 - Links

WEEK 5
  Topics: Module 2 - IS Risk Mitigation
  Reading: [PIS] Chapter 5 - Planning for IS
  Case Study: Case Study 2 assigned: [RCMIS] Case B - HGA (NIST)

WEEK 6
  Topics: Module 3 - Security Technologies
  Reading: [PIS] Chapter 6 - Security Technologies: Firewalls, VPNs & SSH; [RCMIS] Reading 6 - Biometric
  Case Study: Case Study 2 due
  Bullet Level: Bullets = 2

WEEK 7
  Topics: Module 3 - Security Technologies
  Reading: [PIS] Chapter 7 - IDS, Scanners, ACD, Traps; [RCMIS] Reading 1 - Mobile
  Exercises: Partial Team Week

WEEK 8
  Topics: FUJI
  Exams: Asymmetric Information Security & Risk Assessment Project due: “Relocating FUJI”

WEEK 9
  Topics: Module 4 - Cryptography
  Reading: [PIS] Chapter 8 - Cryptography; [RCMIS] Reading 7 - Integration
  Exercises: PGP Assignment
  Case Study: Case Study 3 assigned: [RCMIS] Case E - Brightington Academy
  Bullet Level: Bullets = 3

WEEK 10
  Topics: Module 4 - Cryptography
  Reading: [PIS] Chapter 8 - Cryptography
  Case Study: Case Study 3 due

WEEK 11
  Topics: Module 4 - Cryptography
  Reading: [PIS] Chapter 8 - Cryptography; [RCMIS] Reading 9 - Attacks
  Exercises: PGP Assignment due; Cryptographic Pitfalls

WEEK 12
  Topics: Module 5 - IS Management
  Reading: [PIS] Chapter 9 - Physical Security; [RCMIS] Reading 8 - Education

WEEK 13
  Topics: Module 5 - IS Management
  Reading: [PIS] Chapter 10 - IS Project Management; [RCMIS] Reading 10 - Trust
  Case Study: Case Study 4 assigned: [RCMIS] Case F - 9/11 Commission Report

WEEK 14
  Topics: Module 5 - IS Management
  Reading: [PIS] Chapters 11-12 - Security Personnel and IS Maintenance; [RCMIS] Reading 12 - Design
  Case Study: Case Study 4 due

WEEK 15
  Topics: Module 6 - IS in Practice: Defending the Homeland & Terrorism
  Exercises: Team Week

WEEK 16
  Topics: New Year’s Eve Party Terrorist Scenario
  Exams: Collaborative papers and team presentations due

Course Policies and Procedures

Grading: According to Utica College standard grading scale and policy: A 93-100; A- 90-92.9; B+ 88-89.9; B 83-87.9; C+ 78-79.9; C 73-77.9; C- 70-72.9; D+ 68-69.9; D 63-67.9; D- 60-62.9; and F 0-59.

The grade range of B represents the benchmark for this class. It indicates that the student (or team) has demonstrated competency in the subject matter of the course, e.g., has fulfilled all course requirements on time, has a clear grasp of the full range of course materials and concepts, and is able to present and apply these materials and concepts in clear, well-reasoned, well-organized, and grammatically correct responses, whether written or oral.

Writing Standards: Effective managers, leaders, and teachers are also effective communicators. Written communication is an important element of the total communication process. Utica College recognizes and expects exemplary writing to be the norm for course work. To this end, all papers, individual and group, must demonstrate graduate level writing and comply with the format requirements of the Publication Manual of the American Psychological Association (5th Edition) or www.apastyle.org. Careful attention should be given to spelling, punctuation, source citations, references, and the presentation of tables and figures. Other resources are: The Elements of Style (Strunk and White), 100 Ways to Improve Your Writing (Provost) and the Utica College Writing Center at Hubbard Hall, Room 216.

Timeliness: It is expected that all course work will be presented on time and error free. Work submitted online should follow standard procedures for formatting and citations. Since most of our class work is performed in team format, students have a responsibility to their team and this class. They must make arrangements with the team leader for missed participation. Except for military service, verifiable medical leave or bereavement leave, there will not be any late grading.

Students should respect the learning atmosphere of others by not coming in late or leaving early.

Academic Integrity and Plagiarism: Academic integrity is central to the learning and teaching process. Students are expected to conduct themselves in a manner that will contribute to the maintenance of academic integrity by making all reasonable efforts to prevent the occurrence of academic dishonesty. Academic dishonesty includes, but is not limited to, obtaining or giving aid (electronically or in person) on an examination, having unauthorized prior knowledge of an examination, doing work for another student, and plagiarism of all types.

Plagiarism is the intentional or unintentional presentation of another person’s idea or product as one's own. Plagiarism includes, but is not limited to, the following: copying verbatim all or part of another’s written work; using phrases, charts, figures, illustrations, or mathematical or scientific solutions without citing the source; paraphrasing ideas, conclusions, or research without citing the source; and using all or part of a literary plot, poem, film, musical score, or other artistic product without attributing the work to its creator. Students can avoid unintentional plagiarism by carefully following accepted scholarly practices. Notes taken for papers and research projects should accurately record the sources of material to be cited, quoted, paraphrased, or summarized, and papers should acknowledge these sources. The penalties for plagiarism or intentional cheating include a zero or a grade of F on the work in question, a grade of F in the course, suspension with a file letter, suspension with a transcript notation, or expulsion. Students may learn more about Utica College’s formal policies at: http://www.utica.edu/academic/catalog/academicregulations.pdf

Disabilities: Any student who needs an accommodation due to a disability should make an appointment to discuss the accommodation. A memo from the Coordinator of Learning Services authorizing the accommodation is required (Kateri Henkel, khenkel@utica.edu, 315-792-3032).

Course Evaluations: Feedback on each undergraduate course and instructor is important to the College, your professor, and to all students. Utica College has the responsibility to assess the effectiveness of classroom instruction, and each student has the responsibility to provide accurate and timely feedback through completion of the course evaluation form.

Email Messages: Please remember to put [CRJ 333] in the Subject of every email. In my online courses, the volume of email and attachments is significant.

Attendance: Class attendance will be recorded in random classes during the semester. Unexcused absences negatively affect both your individual participation grade and your team’s performance. Those involved in sports should contact their respective coaches to provide me a written schedule of practice sessions and games so that they do not get marked absent.

P2P Team Evaluations and Performance: 80% of our course is team-based. Further, the mid-term and final projects are very asymmetric. There is no book, reference, “quick-guide” or URL that has the specific answers. The goal is to present a reasonable and logical team solution to a difficult (even unusual) assignment based on best information security practices and technologies gleaned from your research and our class materials. Your grade is determined by how well your team accomplishes this goal working collaboratively. We think, learn, evaluate, problem-solve, generate ideas and possibilities and write better as a team. Research confirms that teams consistently out-perform the “star” individualist. This is real world. Information assurance issues in organizations are rarely assigned to one person – regardless of how strong or technically adept he or she is. They solve the big problems in real time, in team format, with collaborative working sessions.

Over my career, I have found that teams work effectively – most of the time. In general, all team members receive the same grade on exams and projects. This policy is subject to the P2P (peer-to-peer) team evaluation process. When a team does not interact well as a team, or one member intentionally does not participate effectively, or when the team leader is at terrible odds with the team itself and refuses to be flexible or improve the “lens of understanding,” we have the P2P policy to fall back on. P2Ps may optionally be submitted (for the semester) by any team or team member within one week after the final project/exam. P2Ps are strictly confidential and I maintain these records for many years. Students are subject to an individual grade penalty of up to 20% of their grade if their overall performance is found deficient by a majority of their team members. The team keeps the score-card on itself. As a practical matter, I discourage the formal P2P process and encourage teams and team leaders to solve their own problems “in-house.” I will be glad to help and encourage positive results in our teams in every way I can before using the P2P disincentive. Students receiving a reduction of grade based on the P2P process will be notified by me in writing.

Cell / Picture Phones, Palm Pilots and Pagers: Turn off all your electronics before entering our class. These devices are enormously disturbing and rude to your fellow students and me. Frankly, we are more important! Use of these devices during class, or especially during an exam, may earn you an F for the class session or on your test. Further, you will need to show cause why you should remain in my class for the balance of the semester.

Food: The Golden Rule applies. Strive to leave the classroom in better shape than when you entered it. “Pay it forward”, it works!

Class Discussions: We bring differing points of view to this class. Participation is not only encouraged, but many times I will put a fire under the class to analyze issues from a variety of perspectives. Be prepared to take the side of a brisk discussion (not argument or personal attacks) that is in conflict with your own. Challenge yourselves – especially when solving asymmetric team problems. Respect and professionalism are the operative guidelines for our discussions.

Extra Credit Work: The punishment for good work is more work and respect. Extra credit assignments (limit one per student per semester) are available for students who enjoy individual achievement, want to learn more and are excited by the material as a possible vocation, or sense that they need a few more points to improve their grade. I believe in the “pay it forward” principle. Extra credit assignments (worth up to one grade level) are designed to help my current and future students by developing accurate, current resource materials. Extra credit assignments must be completed on time to be valued. They do not replace any of the normal exams, asymmetric team work, assignments or case studies. “Extra” is the operative word.

Death March Team (DMT) Eligibility: Students who maintain an A level average in this class may be invited to join the DMT. This is quite an honor. DMT represents a network of over 85 of my active working graduate students from George Washington University, Towson University, University of Maryland University College, Tulane University, Capitol College, US Army, US Navy, USCG, USJCS, White House, DOD, DHS, FBI National Academy, NSA and major security organizations (SAIC, BAH, ASFT, Anteon, Credant Technologies) that collaboratively work on some fascinating short-term challenges. They evaluate new “beta” technologies, prepare presentations as a team for national conferences, provide speakers for local events, and critique each other's papers. It is a network that helps each other find work in senior positions. We always attribute our work professionally, maintain a code of professional ethics and work to improve our profession. We are committed to each other’s professional success. Respect is our currency.

Disclaimers: This course examines inter alia ethical and legal dimensions of on-line behavior. It is not intended to turn information technology professionals into lawyers. Many of the topics to be discussed will be concerned with the law and legal implications of certain behavior. Every effort is made to provide accurate and complete information. However, at no time during this course will legal advice be offered. Any student requiring legal advice should seek the services of a lawyer authorized to practice in the appropriate jurisdiction.

This class will explore technology and management issues related to elements of holistic information security. Specific technologies and techniques used by hackers, crackers, spies and thieves to obtain access to sensitive, private information are discussed and explored. Students are reminded that it is a violation of Federal and some states’ laws to attempt to gain unauthorized access to information assets or systems belonging to others, or to exceed authorized access on systems to which they have been granted access. At no time in this class should any student violate either laws or confidences.

This class is not about pushing the envelope or hacking, and any violation of legal boundaries in the course of this class will be considered a violation of the class trust and will be subject to sanctions in grading.

F. References: (Additional course material may be drawn from these optional readings. They will be available via email or hand-outs from instructor, on WebCT common area, or placed on 3-day reserve at Frank E. Gannett Memorial Library)

9/11 Commission Report, Final Report of the National Commission on Terrorist Attacks Upon The United States. (2004) New York: Barnes & Noble.

Bidgoli H., Editor-in-Chief. (2006) Volume 1: Handbook of Information Security: Key Concepts, Infrastructure, Standards, and Protocols. Hoboken, New Jersey: Wiley.

Bidgoli H., Editor-in-Chief. (2006) Volume 2: Handbook of Information Security: Information Warfare; Social, Legal and International Issues; and Security Foundations. Hoboken, New Jersey: Wiley.

Bidgoli H., Editor-in-Chief. (2006) Volume 3: Handbook of Information Security: Threats, Vulnerabilities, Prevention, Detection, and Management. Hoboken, New Jersey: Wiley.

Borodzicz, E. (2005). Risk, Crisis and Security Management. London: Wiley.

Campen, A.D., et al. (1996). Cyberwar: Security, Strategy and Conflict in the Information Age. AFCEA.

Cordesman, A.H. (2002). Cyber-Threats, Information Warfare, and Critical Infrastructure Protection: Defending the U.S. Homeland. Westport Connecticut: CSIS publications.

Culp, C. L. (2001). Risk Management Process: Business Strategy and Tactics. New York: Wiley.

Curts, R.J. & Campbell, D.E. (2003). Building a Global Information Assurance Program. New York: Auerbach.

Doherty, N. (2001). Integrated Risk Management: Techniques and Strategies for Managing Corporate Risk. New York: McGraw-Hill.

Dorothy, D. (1999). Defending the Nation: Information Warfare and Security. Boston: ACM Press.

Erbschloe, M. (2003). Guide to Disaster Recovery. Boston: Thomson Course Technology.

Evers, D. H., Glover, T. J., Glover, T.M. & Miller, M.E. (2006). Pocket Partner, 4th ed. Littleton, CO: Sequoia Publishing.

Gordon, L. A. & Loeb, M. P. (2006). Managing Cyber-Security Resources: A Cost Benefit Analysis. New York: McGraw Hill.

Hall, W. M. (2003). Stray Voltage: War in the information age. Annapolis, MD: Naval Institute Press.

Jones, A. & Ashenden, D. (2005). Risk Management for Computer Security: Protecting Your Network and Information Assets. London: Butterworth-Heinemann.

Lewis, J.A. (December, 2002) Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats. Center for Strategic and International Studies, Washington, DC.

National Science and Technology Council. (April, 2006) Federal Plan for Cybersecurity and Information Assurance Research and Development, Report by the Interagency Working Group. Arlington, VA: NCO/NITRD. Available from www.nitrrd.gov

Nichols R. K, Ryan, D. J., & Ryan, J.C.H. (2002) Defending your Digital Assets, Against Hackers, Crackers, Spies and Thieves, McGraw-Hill.

Nichols, R.K. & Lekkas, P. C. (2002). Wireless Security: Models, Threats, Solutions. New York, NY: McGraw Hill.

Parker, T., et al. (2004). Cyber Adversary Characterization. Rockland, MD: Syngress.

Peltier, T. R. (2006). Information Security Risk Analysis, 2nd ed. Boca Raton, FL: Auerbach.

Pipkin, D. L. (2000). Information Security: Protecting the Global Enterprise. Upper Saddle River, NJ: HP Professional Books.

Pritchard, C. (2001). Risk Management: Concepts and Guidance. New York: ESI International.

Rattray, G. J. (2001). Strategic warfare in cyberspace. London: MIT Press.

Roper, C.A. (1999). Risk Management for Security Professionals. New York: Butterworth Heinemann.

Schneier, B. (2003). Beyond Fear: Thinking Sensibly about Security in an Uncertain World. New York: Copernicus.

Schwartau, W. (1996). Information Warfare: CyberTerrorism: Protecting Your Personal Security in the Electronic Age. New York: Thunder's Mouth Press.

Verton, D. (2004). Black Ice: The Invisible Threat of Cyber-Terrorism, (ICE) San Francisco: Osborne.

White, J. R. (2004). Defending the Homeland: Domestic Intelligence, Law Enforcement, and Security, New York: Thomson –Wadsworth.

Whitman, M.E, & Mattord, H.J. (2004). Management of Information Security, Boston: Thomson Course Technology.

Whitman, M.E. & Mattord, H.J. (2005) Principles of Information Security, 2nd ed. Boston: Thomson Course Technology.

Whitman, M.E. & Mattord, H.J. (2006) Readings and Cases in the Management of Information Security. Boston: Thomson Course Technology.

Yourdon, E. (2002). Byte wars: The impact of September 11 on information technology. Upper Saddle River, NJ: Prentice Hall.