Information Security Policy & Management
Description: You have probably heard many times that information security is not just about technology. This course will complement your technical understanding with some key economics, policy and managerial frameworks that explain key challenges in security and privacy for individuals, firms and the nation. For example, we will examine questions like: should a firm be allowed to collect customer information? Would it invest enough in protecting the security and accuracy of this data? Should users and firms be allowed to buy and sell vulnerabilities? Should firms share cyber incident information with government, and how? We will analyze these questions within specific economic and policy principles and examine why individuals, firms and governments do not do the “right” thing. Through various practical examples, the course will highlight how interdependencies between different stakeholders, externalities (how one stakeholder’s actions affect another) and market structure (whether the firm has market power or not) can lead to market failure within the context of information security and privacy. We will then debate how various policy and economic tools can be applied to mitigate some of these problems. In particular, we will examine product liability laws (with a focus on software products), cyber-insurance, data breach notification laws, and regulating minimum security requirements. By the end of the course, students are expected to know key managerial and policy issues surrounding information security and privacy provision, the role of policy and economics tools in engendering desired outcomes, and the limitations and challenges of such interventions.