Introduction to Security and Risk Analysis

Course Composition and Objectives

• Why is Security and Risk Analysis important?
  • Define:
    • Asset, Information, Risk, Risk Analysis, Security
    • Security Tools: Technology, Education, and Policies
  • Describe one current security and risk analysis issue relating to systems, one relating to organizations, and one relating to governments
  • Describe further educational opportunities (e.g., NSA certification, majors, and minors) and career opportunities related to security and risk analysis
• What is Risk Management? 
  • Define risk management
  • Describe risk analysis (ID assets, value assets, identify threat—vulnerability pairs, recommend controls), risk assessment, and risk communication processes
  • Apply one analytic technique (e.g., diagnostic techniques, contrarian techniques, imaginative thinking techniques) for risk identification
  • Describe risk control strategies (mitigation, acceptance, avoidance, transference), maintenance and cost benefit analyses (i.e., security economics)
• What are security issues at the system level?
  • Define the 6 elements of an information system (software, hardware, databases, networks, people, and processes) and identify at least 3 threats related to 1 or more elements
  • Describe the SDLC phases and 2 associated risks related to those phases
  • Describe the risks from packet-switched networking, and two related vulnerabilities and controls
• What are security issues at the enterprise level?
  • Define:
    • Enterprise, and Enterprise Risk Management
    • Risks: Legal, Regulatory, Operational, and IT Development
  • Describe at least 3 enterprise security threats (e.g., white collar crime, among others), and at least 2 related vulnerabilities
  • Describe 3 continuity management strategies and 3 related tools, methods, or strategies to more effectively manage enterprise risk (i.e., for-profits remain competitive; non-profits remain socially responsible)
  • Analyze the alignment of system requirements, business strategies and public policies, in order to help IT professionals (system level), business leaders (organization level) and policy makers (national level) best serve the enterprise
• What are security issues at the national/international level?
  • Define intelligence analysis
  • Describe at least 2 security concerns at the national/international level (e.g., natural disaster, terrorism, organized crime) and the role that cyber tools or cyber strategies may play
  • Describe at least 2 types of tools for analyzing national/international risks (e.g., scenario planning, geospatial intelligence, modeling)
• Instructors Choice: Instructors may choose topics and learning objectives that meet the spirit of the course as defined here. Instructors may choose to devote more time to the learning objectives listed above or to add additional, complementary objectives. Supplementary material and objectives should not overlap with the defined content of other courses in the curriculum.

Course Description

SRA 111 is a broad, introductory course that serves three purposes:

• Fulfills a General Education requirement (for Social and Behavioral Sciences) for any Penn State student
• Fulfills an SRA major and minor requirement
• Functions as a marketing tool to bring students into the major.

Students without prior experience should have the opportunity to be successful, while more experienced-students should also learn something new. Those who choose to major in SRA should begin to build a broad, introductory knowledge base, to be expanded in the foundational, follow-on courses at the 200-level.

The anchoring concern of the course is:

How to manage the growing threats to individual, organizational, and national security.

Regardless of profession, security, risk, and risk analysis issues have become even more critical in the 21st Century. This course relates security from the context of individual, organizational, and national perspectives, to the option of study in our SRA major: Information and Cyber Security, Intelligence Analysis and Modeling. In addition to storage, access and connectivity risks, this course also addresses legal and ethical issues, criminal and terrorist exploitation, and global information warfare and intelligence threats.

Students will learn that all risks can be managed through the judicious application of three controls, or “tools”:

• Programs (e.g., security education, training, and awareness)
• Policies (e.g., laws)
• Technology (e.g., firewalls, intrusion detection systems, etc.)

Thus, students are exposed to a full spectrum of security activities, methods, methodologies, and procedures.

The stakes are high. For example, recent exponential growth in information has paralleled individual, organizational and government dependence on information. “Security” (i.e., “freedom from harm or danger”) must include all people (managers/policy makers, end-users/citizens, and related stakeholders), information, and other assets that individuals, organizations, and nations deem valuable.