Information Security Policy & Management


Units: 6


The goal of this course is to provide an overview of the security marketplace, an understanding of decision making when multiple parties are involved, and the role of policy making in the context of information security.

Policy is treated broadly and need not be government laws and regulations. Policy can be intra-organizational. For example, an organization's policy may be to disconnect an unpatched computer from its network. We will discuss the role of markets and competition in security provision and then some of the key causes of market failure, namely externalities. We will then analyze how various policy tools can be applied to mitigate market failure. We will also discuss some key laws and regulations on product liability and security standards.

The course also aims to provide an overview of the security industry (that is, key trends, technologies, and various strategies by vendors and users). By the end of the course, students are expected to know the key managerial and policy issues surrounding information security provision and when and how policy intervention is needed.

There is no textbook, and all the reading material is provided on the first day of class. Some understanding of economics is expected. Students are expected to have read the relevant reading material before class and come prepared for discussion. All reading material can be downloaded from Blackboard. Case material will be distributed in class.

*This course uses a course packet or case studies. Students will be charged a fee for the course materials. The fee for these materials will be charged to the student's account.

Learning Outcomes

Students who complete this course successfully will be able to do the following:
- Learn the role of markets and competing organizations in providing security and privacy.
- Learn about how externalities are a major cause of market failure for security.
- Learn about the deployment of security technologies and information sharing.
- Learn what policy tools can be employed to overcome externalities and efficacies of the tools under a variety of scenarios. Examples of these tools may include subsidies, taxes, mandated standards, regulations, and
- Learn about specific security and privacy policies and their impacts.
- Learn about how security related risks may be mitigated through the use of insurance.
- Learn about related laws regarding product liability and their impact on software security.
- Learn about vulnerability disclosure, key stakeholders, and issues surrounding disclosure.