## INF 740: Information Security Risk Assessment

Download Spring 2007 syllabus: inf740syllabus.pdf

## Instructor Information
## CLASS INFORMATION
## Resources

Course Website: The course website is located at: http://ecourses.purdue.edu. You must click on "West Lafayette Open Campus" to access the proper site. Click on "Log In" and sign in using the user name and password assigned to you via email.
## COURSE OVERVIEW

This course provides students with an introduction to the field of information security risk assessment. Initially, students will be introduced to the basic definitions and nomenclature of security assessment. Thereafter they will be taught different approaches to assessing risk. The course will incorporate cases in risk analysis derived from state and law enforcement agencies. Students will learn how to use a risk analysis matrix for performing both quantitative and qualitative risk analysis. As part of the course, students learn about the different threats that they need to incorporate in their risk analysis matrices.

## COURSE FORMAT

This course is being offered as an online course with the help of CERIAS and Purdue University. However, the intent of the course is to provide students with an interactive learning environment through instructor audio, discussion groups, and interactive quizzes. The purpose of the course is to train students in the practice of risk analysis by elucidating the concepts through examples and case studies. Students are expected to use critical thinking skills as they go through the material rather than accepting facts at face value. Even though the course is spread over 2 weeks, it is important that students stay on schedule so that they can participate with other students in discussions.

The class should require approximately 40 hours of work. This should work out to roughly 15 hours of video and lecture material, 2 hours' worth of quizzes, 4 hours for discussion postings, 12 hours for the final project, and 7 hours of readings.

## COURSE PREREQUISITES

It is assumed that students will come in with varied backgrounds in information systems, so the class will start with a general background in computer security. It would be helpful if students have some knowledge of the following topics:

- Computer Networks
- Computer Architecture
- Software Design
- Statistical and Probabilistic Analysis
## LEARNING OBJECTIVES

Students should be able to:

- Understand the basic nomenclature and definitions of risk analysis
- Develop a work plan for executing a risk analysis in the organization
- Understand the various threats to information assets in the organization
- Identify and valuate assets
- Determine exploitable vulnerabilities
- Determine threats to an organizational system
- Recommend controls to mitigate risk
- Aggregate the data qualitatively and quantitatively to perform risk analysis
## GRADING
- Asset & Vulnerabilities
- Vulnerabilities & Threats
- Threats & Controls
Use the methodology in the lecture notes (and recommended readings) to cascade the values from one matrix to the next in order to compute the relative impact of different vulnerabilities, threats, and controls. You may choose any scale that you like (e.g. 0, 1, 3, 9) to reflect the associations between different parameters. Finally, compute the costs of the controls and perform a cost-benefit analysis. After performing the qualitative risk analysis, perform a quantitative analysis by filling in the matrices with the appropriate numeric data. It is not expected that you will necessarily obtain the most accurate data; however, make the best estimates possible based on other data (references should be listed). Compute and cascade the values from one matrix to the next. Then compute the cost of the controls and optimize the final security posture.
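The cascade described in the project instructions, worked through in code as an added example (this is not course material, and none of the lecture notes' own numbers are used): three matrices are chained by weighted sums, the qualitative pass uses the 0/1/3/9 association scale mentioned above, and the quantitative pass reuses the same cascade with dollar values, exposure fractions and annual likelihoods so that each control's annual cost can be set against the loss it avoids. Every asset, vulnerability, threat, control, weight and cost in the block is constructed for illustration.

```python
"""Cascading risk matrices with cost-benefit ranking.

Added example for the final-project methodology; not course material. The
asset x vulnerability, vulnerability x threat and threat x control matrices
are cascaded by weighted sums. All labels, weights and costs are constructed.
"""
from typing import Dict, List, Tuple

Matrix = Dict[str, Dict[str, float]]  # row label -> column label -> weight


def cascade(row_scores: Dict[str, float], matrix: Matrix) -> Dict[str, float]:
    """Push row scores through `matrix` to produce column scores.

    column score = sum over rows of (row score * association weight), so a
    column linked strongly to several heavy rows ranks high. Columns that no
    row mentions are absent from the result; callers use .get(col, 0).
    """
    out: Dict[str, float] = {}
    for row, score in row_scores.items():
        for col, weight in matrix.get(row, {}).items():
            out[col] = out.get(col, 0.0) + score * weight
    return out


def rank_by_ratio(benefit: Dict[str, float], cost: Dict[str, float]) -> List[Tuple[str, float]]:
    """Order controls by benefit per unit of cost, best first."""
    ratios = [(c, benefit.get(c, 0.0) / cost[c]) for c in cost]
    return sorted(ratios, key=lambda kv: kv[1], reverse=True)


# ---- qualitative pass: 0/1/3/9 association strengths (constructed data) ----
ASSET_VALUE = {"customer_db": 9, "web_server": 3, "staff_laptop": 1}
ASSET_VULN: Matrix = {
    "customer_db": {"unpatched_dbms": 9, "weak_passwords": 3},
    "web_server": {"unpatched_dbms": 1, "sqli_in_webapp": 9, "weak_passwords": 1},
    "staff_laptop": {"weak_passwords": 9, "no_disk_encryption": 9},
}
VULN_THREAT: Matrix = {
    "unpatched_dbms": {"external_attacker": 9, "malicious_insider": 3},
    "sqli_in_webapp": {"external_attacker": 9},
    "weak_passwords": {"external_attacker": 3, "malicious_insider": 9},
    "no_disk_encryption": {"lost_or_stolen_device": 9},
}
THREAT_CONTROL: Matrix = {
    "external_attacker": {"patch_management": 9, "waf": 3, "mfa": 3},
    "malicious_insider": {"mfa": 9, "patch_management": 1, "db_activity_monitoring": 9},
    "lost_or_stolen_device": {"full_disk_encryption": 9},
}
CONTROL_COST = {"patch_management": 20, "waf": 15, "mfa": 10,
                "db_activity_monitoring": 25, "full_disk_encryption": 5}


def qualitative_analysis() -> dict:
    """Cascade asset values down to controls and rank controls by benefit/cost."""
    vuln = cascade(ASSET_VALUE, ASSET_VULN)      # relative exposure per vulnerability
    threat = cascade(vuln, VULN_THREAT)          # relative impact per threat
    control = cascade(threat, THREAT_CONTROL)    # relative benefit per control
    return {"vulnerabilities": vuln, "threats": threat, "controls": control,
            "ranking": rank_by_ratio(control, CONTROL_COST)}


# ---- quantitative pass: dollars, exposure fractions, annual rates (constructed) ----
ASSET_USD = {"customer_db": 500_000.0, "web_server": 50_000.0}
EXPOSURE: Matrix = {  # fraction of asset value lost if the vulnerability is exploited
    "customer_db": {"unpatched_dbms": 0.8, "weak_passwords": 0.5},
    "web_server": {"sqli_in_webapp": 0.6},
}
LIKELIHOOD: Matrix = {  # expected exploitations per year, per vulnerability and threat
    "unpatched_dbms": {"external_attacker": 0.2},
    "weak_passwords": {"malicious_insider": 0.1},
    "sqli_in_webapp": {"external_attacker": 0.5},
}
EFFECTIVENESS: Matrix = {  # share of a threat's annual loss the control prevents;
    "external_attacker": {"patch_management": 0.7, "waf": 0.3},  # assumed non-overlapping
    "malicious_insider": {"mfa": 0.6},
}
ANNUAL_COST = {"patch_management": 30_000.0, "waf": 20_000.0, "mfa": 8_000.0}


def quantitative_analysis() -> dict:
    """Single-loss expectancy -> annualized loss per threat -> loss avoided per control."""
    sle = cascade(ASSET_USD, EXPOSURE)        # dollars at risk per vulnerability
    ale = cascade(sle, LIKELIHOOD)            # expected annual loss per threat
    avoided = cascade(ale, EFFECTIVENESS)     # annual loss each control removes
    net = {c: avoided.get(c, 0.0) - ANNUAL_COST[c] for c in ANNUAL_COST}
    return {"sle": sle, "ale": ale, "avoided": avoided, "net_benefit": net}


if __name__ == "__main__":
    for name, score in qualitative_analysis()["ranking"]:
        print(f"{name:24s} benefit/cost = {score:8.1f}")
    for name, usd in quantitative_analysis()["net_benefit"].items():
        print(f"{name:24s} net annual benefit = ${usd:,.0f}")
```

The same `cascade` function serves both passes because the method only changes the meaning of the weights: ordinal association strengths in the qualitative matrices, exposure fractions, annual rates and effectiveness shares in the quantitative ones. With the constructed figures, MFA ranks first on benefit per unit cost in the qualitative pass even though patch management carries the largest raw benefit, which is the kind of result the cost-benefit step is meant to surface; in the quantitative pass a control is worth keeping only while its avoided loss exceeds its annual cost.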
