Module Outline Template v6

Module Outline: COMP3357 Managing Cyber Risk 2016-17

Contents / Page
Things you need to know at the beginning / 1
Assignment 1 and 2 / 3, 10
Assessment 1 grading matrix / 8
If you have problems with assessments / 6, 13
Module Content / 18

Things you need to know at the beginning

Occurrence A / Monday 1315-1415; 1615-1815 / Rooms: CH2006; CH1007
Occurrence B / Thursday 1315-1415; 1415-1615
Except weeks 25, 27 (Thurs 1715-1915) / Rooms: CH2008; CH1007
CH1001
Teaching team / Richard Henson, , CH1004
/ Richard Henson FBCS MSc ARCS CITP CEng is a Senior Lecturer in Computing at the University of Worcester, specializing in Information Security. He is also a member of the government’s IAAC (Information Assurance Advisory Committee), through its Academic Liaison Panel. His research leans towards knowledge transfer, although he is also helping to develop a body of knowledge informing thinking on information security in smaller businesses. He has written and co-written published papers over a number of years covering aspects of information security, particularly in relation to small to medium enterprises (SMEs) and the supply chain.
How this module fits into your course / It develops information systems knowledge and skills relating to systems and business analysis to cover information risk management issues for organisations wishing to secure digital data over local systems and the full expanse of the Internet
How this module engages with the external environment / It covers business and human aspects of cyber security, and covers the basic IT knowledge required to secure a network against attack to defined requirements of the organisation’s information security policy, as well as looking at important related matters such as IT law, cyber insurance, business continuity, and information assurance certification

How this module will enhance your employability / Application of Relevant Knowledge: This module will provide you with the skills and knowledge to address potential and actual security issues relating to organisation digital data, including relevant principles relating to securing digital data both on the move and at rest.
Research and Problem-solving: This module will provide you with the skills and knowledge needed to provide a risk-based assessment of security issues relating to organisation digital data.
Critical Analysis: This module requires you to scrutinise data from organisational scenarios and suggest possible solutions.
Communication: In addition to reports for verbal communication, this module requires you to do a presentation relating to a strategic level view of security policy
All these skills are highly sought after in the IT industry, as can be readily confirmed through the website
What you need to know before you start this module / Basics of information systems and data flow diagrams will certainly be helpful, but no prior technical knowledge is assumed.
You are recommended to at least look at the freely available course on Cyber Security which also covers some technical aspects of cyber security:

You should also take a look at the recommended reading list: see how it relates to each taught and practical session.
If you have further questions about reading materials please contact Stephanie Allen the Academic Liaison Librarian for the Business School or go to Business LibGuide or Computing LibGuide
Your responsibility / This module will provide all the background information you need as a basis for completing the assessments to a high standard in advance of the class through PowerPoint presentations. There is usually no soundtrack, however, and you must attend all sessions and undertake required pre-reading, since failure to do so will affect your performance. If you cannot attend for any reason you must notify the module by email as soon as possible.
It is your responsibility to actively and positively engage with the 2 hour practical sessions - for example asking questions if stuck - and take responsibility for your learning. This way you’ll get the most out of the sessions.
If there is anything which is unclear or you do not understand, ask me, either in person or at the email address above.
What help is there if you have a disability or a particular learning need? / The University of Worcester is committed to ensuring diversity and equality within its teaching practice. If you have a registered disability or particular learning need and you wish this to be taken into account please speak to your Personal Academic Tutor or let the module leader know. You will find additional useful information on the Disability and Dyslexia webpages at

Assessment(s) / Two
Assessment 1 / Report/Individual Presentation
Word Limit or equivalent (e.g. time) / Report: 1,350 words, Presentation: 150 word-equivalent
Weighting / 50%
Learning Outcomes Assessed /
  1. Identify strategic, financial and operational benefits and issues of cyber-risk management
  2. Review current and future trends of the technical and non-technical risks and aspects of information risk management and security, including laws, regulations, and human factors

Submission date / 30th March 2017
Feedback date / 29th April 2017
Module Leader / Richard Henson
Verified by / Dr Joanne Kuzma

If anything about either assignment is not clear to you, please contact the module leader.

You are expected to plan your time and work to manage your overall assessment workload.

What you need to do / Scenario:
Moor-4-U is a microbusiness selling a variety of baby goods and consumables online. They have grown rapidly in recent years through good promotion using search engine optimisation, offering goods at a competitive price, and providing a good service. There are recent signs, however, that their systems are not as reliable as they used to be (when they had fewer customers…) and existing customers are beginning to show concern.
The Directors of Moor-4-U have informally approached you because they have been listening to the recent media stories about hacking and are worried about their organisation’s security. They are worried in particular about outsourcing of IT, BYOD, and the new employees with average data management skills but a high propensity to use Facebook. They wondered if they are too trusting of their business partners and employees, but the CEO was told not to worry by other businesses in her network… she was told that hackers are only interested in larger organisations and Government computers.
The Directors weren’t so sure about this and ask you to produce a report highlighting potential concerns for information risk. You request to spend some time inside the organisation, watching data flows in association with the various stages of production of their finely machined parts for the automotive industry. You want to find the current state of play within the organisation and decide to start with the company information security policy. This is a very short document, which states:
“All employees are responsible for the careful use of data in accordance within the principles of the Data Protection Act. Those using computers need to make sure they enter data accurately and those connected to the Internet need to be vigilant against phishing emails.
Anyone infringing this policy can expect considerable financial penalties and a repeat performance will result in suspension.”
There is currently no email policy, no passwords policy, no policy covering business partners and their data, and no easily visible privacy policy on the website.
Your tasks.
Write a management report (1350 words) for Moor-4-U to…
  1. Explain why the policy as it stands is totally ineffective and why this can have operational and financial implications (350 words)
  2. List typical personal and “business sensitive” data that might be held by the organisation, and explain why it needs special treatment (350 words)
  3. Summarise the evolving Computer Misuse Act and explain how the likelihood of cyber criminals committing offences can be reduced by appropriate protective measures within the network and at its boundary (350 words)
  4. Identify all the data flows critical to the running of the business, and describe an enhanced information security policy that takes these into account (300 words on report; 150 word equivalent presentation)
The presentation will be delivered in late March in normal session time with the help of PowerPoint (or equivalent). It will be of 10 minutes duration and counts as 10% of the total marks (hence the 150-word equivalent). Your presentation slides should be submitted with the assignment.
Assessment briefing
This document provides details of the assessment. There will also be an oral briefing conducted during week 3.
There is also an assessment Q&A Page on Blackboard.
Assessment criteria
In addition to assessment according to the general learning objectives for computing, as outlined in the Course Handbook, the following specific criteria will be used for this work:
  • Explanation of why the policy is ineffective, why it could have operational and/or financial consequences, and what needs to be done
  • Correctness and appropriateness of lists and why these types of data should be considered to be so important
  • Explanation of Computer Misuse Act and its implications for organisations
  • Identification of critical information flows in a business and explanation as to how good organisational policy can help protect them
  • Referencing, using the Harvard system (see the link to ‘Referencing’ from for more information.)
Assessment feedback
Feedback is provided on an ongoing basis over the course of the module (see “Types of Feedback on my Module” slides on Blackboard and Assessment & Feedback section in the Module Outline).
Formative Feedback opportunity
Your opportunity to receive written feedback will be until Monday 20th March 2017 before 3pm via Blackboard. You can submit up to 20% of your Word document via email with your student number. You will receive written feedback on the document itself in the form of comments, also via email, by Monday 27th March, or sooner. Seek out as much feedback as you can; it is your responsibility to initiate it, and it helps you get at issues that need attention early on. Students who do this tend to achieve higher marks than those who don’t fully participate in the process because they have continued to improve their work.
Handing in and return
Work must be word-processed/typed and should clearly show your student number. You are required to keep a copy of work handed in. You should submit your work electronically via SOLE by the 3pm deadline on Thursday, 30/3/17. The return date for this assignment is electronically via SOLE by Thursday, 29/4/17.
See the University’s guide to uploading and submitting assessment items at the University of Worcester via SOLE in under 60 seconds on You Tube
If for any reason the systems are down, email your work to before the deadline just to be on the safe side. You may also email your tutor before the deadline. Providing that the documents emailed are the final copy, these emails will be treated as on time submission. You can then submit to the required system when it is working again. With technology sometimes, things can go wrong; these are back-up safeguards.
Turnitin
For this assignment, please put your work through Turnitin to generate an originality report. You should include a print screen of the part of the Turnitin report showing the overall similarity percentage at the front of your assignment file and submit it with your work. In the event of problems with Turnitin, you should submit your work on time as normal but without the Turnitin report/screen dump, and then e-mail the Turnitin report to your module tutor as soon as possible when Turnitin is back working properly. Use the website turnitinuk.com. You will need a class id and password. Included below:
Class ID: 3397397
Password: computer
Technical support is available by emailing
How you should present your work
Report Template / As a structured report. Embedded diagrams are encouraged but they must be referred to from the text and labelled
On the title page list the following
Module name and code
Student number
Submission date
Assignment Number/Title
Include also:
Grading Matrix
Table of Contents
Introduction
Body
Conclusion
References (use the University Harvard referencing system; support is available through the library)

How we’ll give you guidance

/ You can submit up to 20% of the assignment as a “sample”. This will be marked and returned to you in good time before the assignment deadline.
If you want to check whether your work will fall foul of plagiarism (copying someone else’s work without an appropriate attribution) check out this library guide which deals with how to use Turnitin
How and when to hand the assessment in / Work must be word-processed/typed and should clearly show your student number. You are required to keep a copy of work handed in. You should submit your work by the 3pm deadline on 30th March. You should submit your work to SOLE, which is available via your student portal.
See the University’s guide to uploading and submitting assessment items at the University of Worcester via SOLE in under 60 seconds on You Tube
If you have issues uploading your assessment to sole you will need to contact , if you have issues with Blackboard, Turnitin or PebblePad you will need to contact

How the assessment will be marked

/ Specific criteria are in the Grading Matrix for this assignment, which can be found on page 8 of this document
How you will get feedback / Submitted work for formative feedback should be submitted at least one week before assignment hand-in date, and feedback will usually be available within 72 hours.
If you have problems submitting work or submitting work on time: / Firstly, contact someone, your Module Leader or personal Academic Tutor.
It is essential that you submit your work, in order to be able to pass the module. Work which is submitted late will be subject to grade penalties as below.
  • Students who submit course work late but within 5 days of the due date will have work marked, but the grade will be capped at the minimum pass grade unless an application for mitigating circumstances is accepted.
  • Students who submit work later than 5 days but within 14 days of the due date will not have work marked unless they have submitted a valid claim of mitigating circumstances.
For full details of submission regulations see Undergraduate Regulatory Framework at
If you are ill or have personal problems / The University has a system for applying for mitigating circumstances where things happen, beyond your control, which affect your assessments. Don’t suffer in silence. Speak to your Module Leader, your Personal Academic Tutor or a Programme Advisor.
Full details of Procedures for Dealing with Exceptional Mitigating Circumstances are available at

If you engage in academic misconduct (cheating)

/ Do not use material from sources without acknowledging them using a recognised referencing system. Do not copy another student’s work. If you do you will be referred to the School’s Academic Integrity Tutor and may face further penalties. Details in your Course Handbook accessible via SOLE and at
If you don’t pass at the first attempt / DON’T PANIC. In the event you are required to take reassessment you will receive formal notification of this via a letter from Registry Services posted on the SOLE page after the meeting of the Board of Examiners. The letter will normally include a copy of the reassessment task(s). Deadlines for re-assessment can be found in the University Calendar at


Student Number: / Academic Year and Semester: / Learning Outcomes:
  1. Identify strategic, financial and operational benefits and issues of cyber-risk management
  2. Review current and future trends of the technical and non-technical risks and aspects of information risk management and security, including laws, regulations, and human factors

Module Code/Title: COMP3357 / Assignment No/Weighting: 1 (50%)
Occurrence: / Assessment Title: Report/Individual Presentation
Assessment Criteria
GRADE / Explanation of why the policy is ineffective, operational/financial consequences, what needs to be done / Correctness and appropriateness of lists, why these types of data so important / Explanation of Computer Misuse Act and its implications for organisations / Identify critical data flows to the running of the business, describe an enhanced information security policy / Content, Pace, Delivery of Presentation and Appropriateness of Slides
A / Very detailed, in-depth critique of existing information security policy, appropriate and appropriately explained consequences, and a detailed, workable solution to the problem suggested / Extensive list of types of typical company data categorised appropriately with suitable examples given for each type. Detailed explanation of reasons why each data type might need to be protected and consequences if lost or stolen / Excellent discussion of origin and evolution of Computer Misuse Act and detailed discussion about how effectively offenders (hackers) can be caught and brought to justice, and what an organisation can do to keep offenders out or catch intruders / Excellent context diagram and level one DFD, showing high risk data. Excellent explanation of ways information security policy could be changed to ensure these data flows are protected / Excellent
B / Fairly detailed critique of existing information security policy, clear indication of potential consequences, and a workable solution to the problem suggested / Appropriate list of types of typical company data categorised appropriately with suitable examples given for each type. Some explanation of reasons why each data type might need to be protected and consequences if lost or stolen / Good discussion of origin and evolution of Computer Misuse Act, discussion about how effectively offenders (hackers) can be caught and brought to justice, and what an organisation can do to keep offenders out or catch intruders / Good context diagram and level one DFD, and resource list covering information flows and data stores. Some logical attempt at prioritisation into high medium or low risk based on impact to organisation of loss of that resource / Good
C / Some valid critique of information security policy, possible consequences described, and some indication for a way forward suggested. / Appropriate list of types of typical company data categorised appropriately but with limited examples given for each type. Reasons why each data type might need to be protected given and consequences if lost or stolen provided but rather descriptive / Reasonable discussion of origin and evolution of Computer Misuse Act, but a rather descriptive account about how effectively offenders (hackers) can be caught and brought to justice, and what an organisation can do to keep offenders out or catch intruders / Either context diagram or level 1 DFD missing or inappropriate but resource register satisfactory, and some attempt at categorisation of the list according to impact of loss / Satisfactory
D / Critique of information security policy offered, possible consequences described, but few suggestions regarding how this problem needs to be tackled. / Limited list of categorised types of typical company data and limited range of suitable examples. Limited description of reasons why each data type might need to be protected and consequences if lost or stolen / Some discussion of origin and evolution of Computer Misuse Act, and a highly descriptive account about how effectively offenders (hackers) can be caught and brought to justice, and what an organisation can do to keep offenders out or catch intruders / Either context diagram or level 1 DFD missing or inappropriate and resource register, whilst complete, fails to distinguish list items according to impact of loss / Poor
Fail (E-G) / Critique, consequences, way forward all addressed but at least one of these unconvincing. / Some data types included, but few examples, and consequences of loss only covered superficially / Limited discussion about the Computer Misuse Act itself, and the role of the organisation in preventing intrusions / Limited diagramming, list incomplete, or makes little effort at differentiation of information resources according to impact of loss / Unacceptable
General comment:
What you can do better in future assignments:
How successful completion of this assignment helps your employability:
Assignment Grade: / Marker: / Moderator*:
