Examination arrangement

Course content

1. Introduction- Corporate and IT Governance - Transparency, Ownership and Control in Information and Cybersecurity - Security Governance and Investment Management
2. Measuring and Assessing - Maturity Models - Measurement Systems- Compliance - Exercises on these topics
3. Case Study on Metrics Maturity Assessment (in collaboration with Center for Cyber and Information Security partner)
4. Standards and Best Practices- COBIT 5 for Information Security- ISO 27001 (ISMS) / ISO 27002 (Controls) / ISO 27004 (Measurement) / ISO 27014 (Governance), NIST 800-55
5. Simulation models and metrics application

Learning outcome

Security Management Metrics do not exist "per se", but are based on IT and operational risk management methods, definition and measurement of security governance, and the subsequent design, implementation and operation of an appropriate level of organizational and technical measurement system. This course provides an overview of IT and Security Governance, Security Metrics and Measurements, Standards and Measurement System and their dependencies in general, and the information security standards Cobit 5 for Information Security, NIST 800-55 and ISO 27001 / ISO 27002 in particular. After attending the course, candidates should possess the following knowledge: -security management as an important input to IT and corporate governance and as a continuous improvement process as well as investment area -the basic concepts of Cobit 5, NIST 800-55 and the ISO 270xx standards -a basic understanding of design, implementation and evaluation of maturity models for security After attending the course, candidates should possess the following skills: -master the principles for designing, implementing and auditing Information security measurement system (ISMS), using strategic, tactical and technical building blocks -be able to design an appropriate level of Security Governance and Information Security for a given organisational context and express this in terms of an appropriate maturity model After attending the course, candidates should possess the following general competence: -main principles, functions and dependencies of IT governance, metrics on strategic, tactical and operational level, security reporting, measurement techniques, and international standards.

Learning methods and activities

• Lectures
• Assignments
• Project work

Additional information:

• The course will be made accessible for both campus and remote students. Every student is free to choose the pedagogic arrangement form that is best fitted for her/his own requirement. The lectures in the course will be mostly given on campus (Gjøvik/Trondheim) and are open for both categories of students. All the lectures will also be available on Internet through NTNU's learning management system (Blackboard).
• Lectures, exercises and homework in between lecture blocks.

Compulsory requirements:

• The course requires active participation in projects - both in class and outside class.

The course is also available to Master in digital Building processes / "Bygg- og miljøteknikk" track "digitale byggeprosesser", and to students in the Master of Industrial Innovation and Digital Security (MIIDS).

Further on evaluation

Re-sit: The next time the course is running.

Forms of assessment:

• Portfolio based on 2 multiple choice examinations (total 40 %) and paper writing (total 60%).
• Both elements (2 MC and paper) need to be passed.
• In specific circumstances, the course responsible can slightly adjust the limits in the conversion table to enforce compatibility with the qualitative descriptions on the A-F scale.

Specific conditions

Recommended previous knowledge

Security Management Metrics encompass requirements of IT and Security Governance, its measuring and assessment as well supportive Standards and Best Practices. Calder and Watkins define IT Governance as 'the framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensures that the organization's information systems support and enable the achievement of its strategies and objectives'. Security Management Metrics are of crucial importance for any organization's ability to safe- guarding critical information in the context of growing threats, as well as increasing requirements from national and international regulations. For Information Security Governance best practice outcomes defined by the Information Systems Audit and Control Association ISACA include: -Strategic alignment of security with business strategy and organizational objectives -Reduction of risk and potential business impacts to an acceptable level -Value delivery through the optimization of security investments with organizational objectives -Efficient utilization of security investments supporting organization objectives -Performance measurement and monitoring to ensure that objectives are met.

As other information security management courses, an additional focus of this course is to contribute to 'cost effective information security'. In particular, it addresses the following UN Sustainability Development Goals:

Goal 8, target 8.2: Achieve higher levels of economic productivity through diversification, technological upgrading and innovation, including through a focus on high-value added and labour-intensive sectors.

Goal 12: Sustainable consumption and production is about doing more and better with less. It is also about decoupling economic growth from environmental degradation, increasing resource efficiency and promoting sustainable lifestyles.

Thus, having completed this course, the student will be able to contribute to employer performance with respect to both goal 8, target 8.2 and goal 12.

Required previous knowledge

None

Course materials

Books/standards, conference/journal papers and web resources, such as: -Alan Calder & Steve Watkins. IT Governance : IT Governance: A Manager's Guide to Data Security and ISO 27001 / ISO 27002. Fourth Edition. Kogan Page. 2008. -Control Objectives for Information and Related Technology (CObIT) 5 for Information Security, Professional Guides: information security (2012) and assurance (2013), ITGI. -Peter L. Bernstein, "Against the Gods - the Remarkable Story of Risk", John Wiley & Sons, ISBN 0-471-29563-9, Paperback, 1998 -Douglas Hubbard (2016): How to Measure Anything in Cybersecurity Risk http://www.howtomeasureanything.com/ -Brotby & Hinson (2013): PRAGMATIC Security Metrics, CRC Press, ISBN:978-1-4398-8152-1 -Andrew Jaquith (2007): Security Metrics (http://www.securitymetrics.org/) -International Organization of Standardization (2020), ISO 27014 – Information Security Governance -Douglas B. Laney (2018): Infonomics, Garnter.

Credit reductions