Course Number: 95-757

Information Security Risk Policy & Management

Units: 6

The goal of this course is to provide an overview of security marketplace, an understanding of decision making when multiple parties are involved and the role of policy making in the context of information security.

Policy is treated broadly and need not be necessarily government laws and regulations. Policy can be intra-organization. For example, it is an organization policy to disconnect an unpatched computer from its network. We will discuss the role of market and competition on security provision and then some of the key causes of market failure, namely externalities. We will then analyze how various policy tools can be applied to mitigate market failure. We will also discuss some key laws and regulation on product liability, and security standards.

The course also aims to provide an overview of security industry (that is key trends, technologies and various strategies by vendors and users) as well. By the end of the course, the students are expected to know key managerial and policy issues surrounding information security provision and when and how policy intervention is needed.

There is no text book and all the reading material is provided on the first day of class. Some understanding of economics is expected. Students are expected to have read the relevant reading material before class and come prepared for discussion. All reading material can be downloaded from blackboard. Case material will be distributed in class.

Faculty:
Rahul Telang