Study Guide

Materials

Materials used in the course:

1. ISO27005 standardi
2. Sutton, David (2021): Information security risk management : a practitioner's guide: https://ebookcentral.proquest.com/lib/turkuamk-ebooks/detail.action?docID=6733537
3. Ilmonen, I. & al. (2022): Johda riskejä: käytännön opas yrityksen riskienhallintaan: https://turkuamk.finna.fi/Record/turkuamk.995697291505970?sid=3091696371
4. https://www.enisa.europa.eu/publications/interoperable-eu-risk-management-framework
5. Enisa Threat Landscape 2023 https://www.enisa.europa.eu/publications/enisa-threat-landscape-2023

And potentially other relevant materials

Teaching methods

Theoretical part through lectures and independent study. Guidance through remote meetings as needed. Practical risk assessment work requires acquiring the target company and maintaining communication with the responsible party. On site meetings for guidance, peer support, sharing experiences, project presentations, and evaluations in the upcoming days

International connections

Active project-based learning and problem-solving

Completion alternatives

-

Student workload

Review of the theory section of the information security risk management course and an extensive risk management project

Content scheduling

Information and Cybersecurity are critical areas in modern organizations, and the importance of risk management has been further emphasized. This practical project-based course in risk management provides students with an opportunity to apply the principles and methods of information and cybersecurity risk management in practice. The course aims to develop students' skills in risk identification, assessment, and management, preparing them for future careers in the field of information and cybersecurity.

Course Content:

Prerequisite for this course is a course in information security risk management, covering the ISO 27005 standard risk management process. Students should have a good understanding of the stages of the information and cybersecurity risk management process, including risk identification, assessment, management, and monitoring. The process and stages are reviewed at the beginning of this course.

The student acquires a small or medium-sized organization for which they will conduct a risk assessment. The student is responsible for contacting the organization's representatives. The work can be done individually or in pairs

Students will apply the ISO 27005 standard, along with other risk management frameworks and best practices, to their selected target organization. They will perform the risk assessment and document the results. At the end of the course, students will compile a final report, including the risk assessment findings and recommendations for the target organization. They will present their findings to the class and possibly to representatives from the chosen organization.

Requirements:

Participation in this course requires prior knowledge of information and cybersecurity risk management. Students must also select a target organization for the risk assessment.

This course offers students a unique opportunity to apply their knowledge of risk management to a real-world project and prepares them for careers in the field of information and cybersecurity.

Timeframe:
Spring 2024. Bi-weekly in-person meetings and bi-weekly online meetings based on separate reservations

Evaluation scale

H-5

Assessment methods and criteria

Review task for the theory section 10%
Implementation, documentation, and feedback from the organization for the risk assessment 90%

Assessment criteria, fail (0)

No risk assessment has been conducted

Assessment criteria, satisfactory (1-2)

A brief risk assessment and satisfactory feedback from the organization.

Assessment criteria, good (3-4)

A fairly comprehensive risk assessment and positive feedback from the organization

Assessment criteria, excellent (5)

A comprehensive risk assessment and excellent feedback from the organization