Security Management
7CCSMSEM
Dr Jose Such
jose.such@kcl.ac.uk
Who am I
• Dr Jose M. Such
• Reader in Security and Privacy
• Principal Investigator funded by: EPSRC, Google, InnovateUK, UK Government
• Director of KCL Cyber Security Centre
• AI
  – AI for Security and Privacy
  – Security, Privacy, Trust, Fairness and Transparency guarantees in AI
  – Automated Decision Making, Autonomous Systems, Personal Assistants
• Privacy
  – Usable and user-centric Privacy
  – Privacy-enhancing Technologies
  – Personal Data Protection
  – Privacy policies
• Security
  – Security controls
  – Ethical hacking
  – Security Testing
  – Cyber Risk Assessment and Management
KCL Cybersecurity Centre
• Academic Centre of Excellence in Cyber Security Research
  – Recognised by EPSRC and the UK’s National Cyber Security Centre (part of GCHQ)
• £10M+ in projects and 40 academics (+ postdocs & PhD students)
  – Informatics, War Studies, Defence Studies, Digital Humanities, Policy Institute
• AI cybersecurity
  – AI for cyber security
    • data-driven techniques (Machine Learning) & knowledge-based techniques (Argumentation, Normative Systems, Computational Trust)
  – the cyber security of AI
    • security, trust, privacy and transparency
• Formal cybersecurity
  – theoretical approaches for verification and testing to provide assurance and correctness
    • security protocols, cryptocurrencies, mobile and web applications, CPS, IoT.
• Strategic cybersecurity
  – cyber risks, cyber threats, cyber intelligence, cyber policy and cyber defence, and their relationship to risk assessment, management and governance.
Who are you
• MSc in Cyber Security
• Other MSc programmes in Informatics
About this module: What it is NOT
• Cryptography (6CCS3CIS/7CCSMCI). BUT:
  – Some security controls make use of cryptography.
• Network Security (7CCSMNSE). BUT:
  – Network attacks are threats and defences are security controls.
• Security Engineering (7CCSMSEN). BUT:
  – Includes a bit on security principles
• Forensics and Cybercrime (7CCSMCFC). BUT:
  – Includes regulatory aspects of cyber security
• Security Testing (7CCSMSCT). BUT:
  – Includes an intro to vulnerability assessment and how to link it with risk management
About this module: What it is
• Makes very few assumptions about previous knowledge
• Goals:
  – To develop an understanding of fundamental security concepts and standards, security vulnerabilities and risks.
  – To develop an understanding of the social, physical, technical, and regulatory nature of cyber security and its management.
  – To enable students to assess security risks in information systems and to manage them.
Beyond just technical security
Risk Management
• Is there a system that is 100% secure?
• Do we have infinite resources to protect an organisation from cyber attacks?
• We need to make strategic cyber security investments and manage cyber security risks
Syllabus
• Security concepts and fundamentals
  – security policies; physical, technical and social security controls; usable security; security standards and certifications, governance and compliance, roles and responsibilities, culture and awareness raising, and professionalism
• Risk Assessment
  – threat, vulnerability and risk concepts; asset valuation and management; risk analysis methodologies
• Types of threats
  – threat agents and motivations, adversarial thinking, insider threat, common human and technical attacks, malicious code, situational awareness, threat trends and landscape, CERTs
• Risk Management
  – handling risk and selecting countermeasures/controls to mitigate risk; understanding impacts and consequences; third party management; risk communication; and security economics
• Auditing, and Continuity planning and management
  – including backup and disaster recovery
Specific Topics
• Topic 1 – Module Intro (structure, functioning, assessment).
• Topic 2 – Security concepts and fundamentals
• Topic 3 – Threat Assessment
• Topic 4 – Vulnerability Assessment
• Topic 5 – Risk Assessment
• Topic 6 – Risk Management
• Topic 7 – Standards (ISO27000-series) & Certifications
• Topic 8 – Security Policies and Organisation
• Topic 9 – Security Controls (physical, technical and social)
• Topic 10 – Auditing (internal and external processes), governance and compliance.
• Topic 11 – Continuity planning and management
• Topic 12 – Security Economics
• Topic 13 – Human Factors in Security (usable security, psychology of security, insider threat)
How to learn in this module
Textbooks and Reading
• No textbooks mandatory.
• General:
  – Andy Taylor (ed.), David Alexander, Amanda Finch and David Sutton, Information Security Management Principles, 2nd edition, BCS, 2013.
  – Steve Purser, A Practical Guide to Managing Information Security, Artech House, 2004.
• Specific:
  – Jones & Ashenden. Risk Management for Computer Security. 2005. ISBN: 9780080491554
  – Anderson. Security Engineering. 2008. Chapter on Security Economics. Available online: http://www.cl.cam.ac.uk/~rja14/book.html
  – Garfinkel & Richter Lipford. Usable Security: History, Themes, and Challenges. 2014.
  – Lorrie Faith Cranor, Simson Garfinkel. Security and Usability. 2005. O’Reilly Media. ISBN: 9780596553852
• Available online from the reading list for the module.
Structure of the Module
• Lectures (2h)
  – Theory, concepts, ideas
• Tutorials (1h)
  – Exercises, examples, applications
Assessment
• Exam and Coursework
• 80% Exam and 20% Coursework
Exam
• Evaluation (January): 80% weight on Written Examination (2h)
• Pass Mark: Standard Double Marking Model, with usual % for level 7
• Module was new last year
  – Part of an upgrade of the MSc to equip students with core cyber security management skills needed in industry.
  – No past exams
  – We will prepare you for the exam with tutorials, revision lecture etc.
Coursework
• Given a case for risk communication and cyber security adoption.
• An SME enterprise and whether to implement the Cyber Essentials controls.
• Convince the board of directors.
  – Innovative presentation.
• Start in week 4 – deadline week 8 (in-class presentation).
Feedback
• How is feedback provided?
  – Detailed by me during lecture/tutorial sessions (ask plenty of questions).
  – Also, I will mark your coursework and provide feedback on your progress.
  – This is the best chance to clarify anything you don’t understand or to ask for more feedback.
Lecture capture
• We provide lecture capture for most modules.
• It is important to use lecture capture wisely:
– Lecture recordings are a study and revision aid.
– Watching lectures online is NOT a replacement for attending lectures.
– Statistically, there is a clear and direct link between attendance and attainment: Students who do not attend lectures do less well in exams.
• Attending a lecture is more than watching it online — if you do not attend, you miss out!
What we expect from you
• Integrity (no plagiarism, no faking results) and effort (active learning) and:
  – come to lectures (it helps!)
  – get the textbooks (available online) and use them effectively
  – take notes (the evidence says handwritten notes are better!)
  – read around the subject
  – ask us questions in lectures
  – take notes (again, because the slides are not enough when you try to revise, really…!)
  – plan your time carefully (especially for the coursework!)
What we expect from you (Cont.)
• Self-directed learning:
  – 15 credit module, expecting 150 learning hours:
    • Lectures: teach concepts, processes, techniques, and show examples (20hrs).
    • Tutorials: teach skills and expose you to examples (10hrs).
    • Coursework (assessed): assesses your competence in these skills (30hrs).
    • Self-directed learning: *90hrs*.
  – So … do as much learning on your own as you can, but know that sometimes you have to ask for a little extra help.
What you can expect from me
• I’ll do my best:
  – to make all the lecture notes available in KEATS
  – to give references to follow up
  – to arrange for extra support if you have already used the normal routes.
How do I get help?
Try the following, in order:
1. Ask a question in lectures and tutorials
2. Consult the suggested bibliography (books are your friends!)
3. Ask a question on KEATS
4. Visit me during my office hours:
   • Bush House N7.17, Tuesdays 1pm-3pm
5. Only when all else fails: ask us a question by email. We aim to answer all reasonable queries within 3 working days. Be realistic about how fast a turnaround and how much detail you can expect from email:
   • Contacting me outside office hours: 3 working days
   • Contacting me in the holiday: 1 week
   • Responding to emails in the evening: N/A
   • Responding to emails over the weekend: N/A
Expectations of behaviour
Staff and students are expected to behave respectfully to one another – during lectures, outside of lectures and when communicating online or through email.
We won’t tolerate inappropriate or demeaning comments related to gender, gender identity and expression, sexual orientation, disability, physical appearance, race, religion, age, or any other personal characteristic.
If you witness or experience any behaviour you are concerned about, please speak to someone about it. This could be one of your lecturers, your personal tutor, a programme administrator, the diversity & inclusion co-chairs (Alfie Abdul-Rahman & Petr Slovak) at informatics-diversity@kcl.ac.uk, a trained harassment advisor, or any member of staff you feel comfortable talking about it to. More info at https://www.kcl.ac.uk/hr/diversity/dignity-at-kings