
IB9HG-15 Cybersecurity in Business

Department
Warwick Business School
Level
Taught Postgraduate Level
Module leader
Kalina Staykova
Credit value
15
Module duration
10 weeks
Assessment
100% coursework
Study location
University of Warwick main campus, Coventry

Introductory description

This module introduces cybersecurity within a broader business context. It seeks to outline how various types of organizations (e.g., start-ups, SMEs, and large multinational organizations; public and private; digital natives vs non-digital natives, etc.) design and implement cybersecurity programs in order to protect their digital technologies, data and information systems (IS), and other business assets from a myriad of cyber threats. To this end, we investigate cybersecurity issues from organizational, strategic, behavioural, technical, and regulatory perspectives. The purpose of the module is not to train students to become cyber technology experts, but to teach students who will perform various organizational roles (including within cybersecurity) to be aware of, and know how to address, various cybersecurity (as well as privacy) issues in a strategic IS context.

Module aims

The module explores the role of people, processes, and technology in cybersecurity. It provides in-depth understanding of various cyber attacks, the motivations behind them, the processes through which these attacks unfold, and the responses that an organization can adopt to defend itself. The module also provides insights into how an organization can effectively build and implement a cybersecurity program, which includes aspects such as the identification of relevant cyber risks, building appropriate technology and procedural controls, and raising awareness among relevant stakeholders (employees, users, suppliers) by promoting a dedicated cyber culture and providing ongoing training. We will also investigate issues related to the alignment of the cybersecurity program with an organisation's business strategy, employee compliance with an organization's cybersecurity program, as well as the program's compliance with existing regulation.
The module deals with topics such as cyber attack types, attack anatomy, (active) cyber defence (controls), incident response management, cyber organizational readiness and cyber resilience, cyber risk and threat intelligence, cyber insurance, cyber awareness and training, and cyber regulation. While this is not a technical module, we will provide sufficient understanding of important technical aspects of cybersecurity such as backup recovery, intrusion detection, system monitoring, penetration testing, the use of AI and ML in cyber defence, security-by-design, firewalls, patch management, cryptography, identity and access management, etc.
Throughout the module, we will delve into some of the most prominent cyber attack cases and work with established cybersecurity frameworks, standards, and methodologies.

Outline syllabus

This is an indicative module outline only to give an indication of the sort of topics that may be covered. Actual sessions held may differ.

Whilst the module is not a technical cyber security coding course, it will cover a wide range of subject matter knowledge in this space, which is essential to understanding the risks and threats of technology. It will also consider social and psychological behaviour techniques. This will exceed the general cyber security certifications available and use applied business strategy theory with cyber security knowledge in a business context.

We relate the module to leading InfoSec certifications: CompTIA Security+, SANS GIAC Security Essentials (GSEC), Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), EC-Council Certified Security Analyst (ECSA), Certified Information Security Manager (CISM), ISACA Certified Information Security Auditor (CISA), (ISC)² Certified Cloud Security Professional (CCSP), Certified in Risk and Information Systems Control (CRISC), and GCHQ Certified Training (GCT).

This module is not part of the GCHQ Degree Certification, or the NCSC certification program.

Learning outcomes

By the end of the module, students should be able to:

  • Demonstrate in-depth knowledge of and ability to critically evaluate key cybersecurity concepts (e.g., organizational and security controls, defence in depth, vulnerabilities, incident response, situational awareness, cybersecurity awareness and training), frameworks and standards (e.g., NIST, SANS) and theories (e.g., deterrence theory).
  • Demonstrate comprehensive understanding and ability to outline the role and responsibilities of the Chief Information Security Officer (CISO), the cybersecurity team and their interplay with the rest of the organization as well as with external stakeholders (regulators, partners, users, etc.).
  • Demonstrate understanding of current and emerging cyber security issues, trends and research from a business and management perspective.
  • Demonstrate critical situation analysis in businesses and organizations from a cybersecurity view.
  • Demonstrate creativity in determining cyber attacks and required defences.
  • Demonstrate thinking skills in anticipating moves and counter moves of enemies, and the cost and outcome risks.

Indicative reading list

  1. Ioannis Agrafiotis, Jason R C Nurse, Michael Goldsmith, Sadie Creese, David Upton, A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate, Journal of Cybersecurity, Volume 4, Issue 1, 2018.
  2. Michel Benaroch, Third-party induced cyber incidents—much ado about nothing?, Journal of Cybersecurity, Volume 7, Issue 1, 2021.
  3. Craig Beaman, Ashley Barkworth, Toluwalope David Akande, Saqib Hakak, Muhammad Khurram Khan, Ransomware: Recent advances, analysis, challenges and future research directions, Computers & Security, Volume 111, 2021, 102490, ISSN 0167-4048.
  4. Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered Information Security: Managing a Strategic Balance between Prevention and Response. Information & Management, 51(1), 138-151.
  5. Ahmad, A., Maynard, S.B., Desouza, K.C., Kotsias, J., Whitty, M., & Baskerville, R.L., (2021). How can Organizations Develop Situation Awareness for Incident Response? A Case Study of Management Practice. Computers & Security. Vol 101. (pp. 1-15).
  6. Andy Taylor, David Alexander, Amanda Finch, David Sutton, Information security management principles, 2020.
  7. Brenda R. Sharton, How Organizations Can Ramp Up Their Cybersecurity Efforts Right Now, Harvard Business Review, May 2020.
  8. Matthew Doan, Companies Need to Rethink What Cybersecurity Leadership Is, Harvard Business Review, November 2019.
  9. Why cybersecurity isn’t only a tech problem. Podcast: https://hbr.org/podcast/2019/12/why-cybersecurity-isnt-only-a-tech-problem
  10. National Cyber Security Centre (2021) Annual Review Report - https://www.ncsc.gov.uk/files/NCSC%20Annual%20Review%202021.pdf
  11. UK National Cyber Security Strategy 2022 - https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022
  12. NIST, Computer Security Incident Handling Guide. Can be found at: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
  13. Azmi, R., Tibben, W. and Win, K.T., 2018. Review of cybersecurity frameworks: context and shared concepts. Journal of cyber policy, 3(2), pp.258-283.
  14. He, W. and Zhang, Z., 2019. Enterprise cybersecurity training and awareness programs: Recommendations for success. Journal of Organizational Computing and Electronic Commerce, 29(4), pp.249-257.
  15. Ahmad, A., Desouza, K. C., Maynard, S. B., Naseer, H., & Baskerville, R. L. (2020). How integration of cyber security management and incident response enables organizational learning. Journal of the Association for Information Science and Technology, 71(8), 939-953.
  16. Li, L., He, W., Xu, L., Ash, I., Anwar, M. and Yuan, X., 2019. Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. International Journal of Information Management, 45, pp.13-24.
  17. Trang, S. and Brendel, B., 2019. A meta-analysis of deterrence theory in information security policy compliance research. Information Systems Frontiers, 21(6), pp.1265-1284.
  18. Cram, W.A., D'arcy, J. and Proudfoot, J.G., 2019. Seeing the forest and the trees: a meta-analysis of the antecedents to information security policy compliance. MIS Quarterly, 43(2), pp.525-554.
  19. Donalds, C. and Osei-Bryson, K.M., 2020. Cybersecurity compliance behavior: Exploring the influences of individual decision style and other antecedents. International Journal of Information Management, 51, p.102056.
  20. Sasha Romanosky, Lillian Ablon, Andreas Kuehn, Therese Jones, Content analysis of cyber insurance policies: how do carriers price cyber risk?, Journal of Cybersecurity, Volume 5, Issue 1, 2019.
  21. Kabanov, Ilya and Madnick, Stuart (2021) "Applying the Lessons from the Equifax Cybersecurity Incident to Build a Better Defense," MIS Quarterly Executive: Vol. 20, Iss. 2, Article 4. Available at: https://aisel.aisnet.org/misqe/vol20/iss2/4
  22. Jenkins, Jeffrey; Durcikova, Alexandra; and Nunamaker, Jr., Jay F. (2021) "Mitigating the Security Intention-Behavior Gap: The Moderating Role of Required Effort on the Intention-Behavior Relationship," Journal of the Association for Information Systems, 22(1). DOI: 10.17705/1jais.00660. Available at: https://aisel.aisnet.org/jais/vol22/iss1/1
  23. Parenty, Thomas J.; Domet, Jack J., Sizing Up Your Cyberrisks, Harvard Business Review, Nov/Dec 2019, Vol. 97, Issue 6.

Interdisciplinary

The module explores cyber security and attacks from different perspectives: hacker, criminal, political, industrial and regulatory.

Subject specific skills

Design, implement and assess a comprehensive cybersecurity program for an organization (including incident response plan, business continuity plan).

Design and evaluate organizational and security controls.

Exhibit ability to perform key analyses (e.g., threat and risk assessments; identify mid-term and long-term impacts of cyber-attacks on organizations and strategies for mitigating these impacts; apply key cybersecurity frameworks and principles) and critically evaluate findings.

Transferable skills

Written skills.

Teamwork.

Study time

Type Required
Other activity 30 hours (20%)
Private study 48 hours (32%)
Assessment 72 hours (48%)
Total 150 hours

Private study description

Self-study to include pre-reading for lectures.

Other activity description

This module will be split into two hours of face-to-face workshops and one online lecture hour per week. The lecture hour may be live, may be prerecorded, or may take the form of asynchronous tasks with either online or face-to-face support.

Costs

No further costs have been identified for this module.

You do not need to pass all assessment components to pass the module.

Assessment group A3

Assessment component: Group Presentation Slides
Weighting: 20%; Study time: 14 hours; Eligible for self-certification: No
16 slides maximum
Reassessment component: Individual assignment; Eligible for self-certification: Yes (extension)

Assessment component: Individual assignment
Weighting: 80%; Study time: 58 hours; Eligible for self-certification: Yes (extension)
Reassessment component is the same

Feedback on assessment

Feedback via My.WBS

Courses

This module is Optional for:

  • Year 1 of TIBS-G5N4 Postgraduate Taught Management of Information Systems and Digital Innovation