Course syllabus

Informatics, Setting Requirements for Information Security, Second Cycle, 7.5 credits

Course code: IK406A
Credits: 7.5
Main field of study: Informatics
Progression: A1N
Education cycle: Second cycle
Established: 17/11/2017
Last revised: 12/09/2019
Approved by: Head of school
Reading list approved: 12/09/2019
Valid from: Spring semester 2020
Revision: 1

Aims and objectives

General aims for second cycle education

Second-cycle courses and study programmes shall involve the acquisition of specialist knowledge, competence and skills in relation to first-cycle courses and study programmes, and in addition to the requirements for first-cycle courses and study programmes shall

  • further develop the ability of students to integrate and make autonomous use of their knowledge
  • develop the students' ability to deal with complex phenomena, issues and situations, and
  • develop the students' potential for professional activities that demand considerable autonomy, or for research and development work.

(Higher Education Act, Chapter 1, Section 9)

Course objectives

1. Based on requirements engineering techniques, have the ability to communicate information security requirements to relevant actors in an organisation (e.g., system developers, senior management teams, stakeholders)
2. Have the ability to analyse when and where it is appropriate to define information security requirements in the process of purchasing information systems
3. Have the ability to analyse when and where it is appropriate to define information security requirements based on an understanding of the system development life cycle
4. Have skills in creating strategies for the evaluation and testing of information security requirements based on knowledge of recognised techniques
5. Have the ability to present strategies for the evaluation and testing of information security requirements orally
6. Based on theories, understand information security requirements and the other requirements of an information system, and how they influence each other

Main content of the course

The course contents consist of the following modules:
1. Introduction to the concepts of requirement and information security requirement
2. Methods for information security requirements engineering (addressing goal 1)
3. An overview of how policies, standards and risk assessments are used for information security requirements analysis (addressing goals 2, 3 and 6)
4. The role of information security requirements engineering in both the system development process and the information system procurement process (addressing goals 2 and 3)
5. Methods for the evaluation and testing of information security requirements (addressing goals 4 and 5)
6. An overview of the different types of requirements (e.g., information security requirements and general requirements) of an information system (addressing goal 6)

Teaching methods

The teaching methods employed are anchored in the flipped classroom and case-based learning. Flipped classroom means that class time is focused on exploring topics in greater depth and creating meaningful learning opportunities, while content delivery takes place outside the classroom. Case-based learning means that scenarios drawn from real-world examples are used as the point of departure for in-class activities and assignments.

In this course these teaching methods are implemented through online lectures, individual readings, in-class activities based on cases, and group assignments based on cases.

Students who have been admitted to and registered on a course have the right to receive tuition and/or supervision for the duration of the time period specified for the particular course to which they were accepted (see the university's admission regulations (in Swedish)). After that, the right to receive tuition and/or supervision expires.

Examination methods

Written Group Report, 1.5 credits (Code: A001)
Setting information security requirements for a given case, examined through a group written report. (Assesses goals 1 and 3)

Oral Group Presentation, 1.5 credits (Code: A002)
Developing a strategy for evaluating and testing the information security requirements of a given case, examined through a group oral presentation. (Assesses goals 4 and 5)

Individual Written Take-Home Examination, 4.5 credits (Code: A003)
Examined through an individual written report. (Assesses goals 1, 2, 3 and 6)

For students with a documented disability, the university may approve applications for adapted or other forms of examinations.

For further information, see the university's local examination regulations (in Swedish).

Grades

According to the Higher Education Ordinance, Chapter 6, Section 18, a grade is to be awarded on the completion of a course, unless otherwise prescribed by the university. The university may prescribe which grading system shall apply. The grade is to be determined by a teacher specifically appointed by the university (an examiner).

According to regulations on grading systems for first- and second-cycle education (vice-chancellor's decision 2019-01-15, ORU 2019/00107), one of the following grades is to be used: fail, pass, or pass with distinction. The vice-chancellor or a person appointed by the vice-chancellor may decide on exceptions from this provision for a specific course, if there are special reasons.

The grades used on the course are Fail (U), Pass (G) or Pass with Distinction (VG).

Written Group Report
Grades used are Fail (U) or Pass (G).

Oral Group Presentation
Grades used are Fail (U) or Pass (G).

Individual Written Take-Home Examination
Grades used are Fail (U), Pass (G) or Pass with Distinction (VG).

For further information, see the university's local examination regulations (in Swedish).

Comments on grades

The final grade will be translated into the ECTS grading scale.

In order to receive the grade Pass, the student must be awarded Pass in all examination parts. In order to receive the grade Pass with Distinction, the student must be awarded Pass with Distinction in the Individual Written Take-Home Examination and the grade Pass in all other examination parts.

Specific entry requirements

Informatics, Basic Course, 30 credits, 30 credits at intermediate course level within Informatics and successful completion of at least 15 credits at advanced course level within Informatics. Alternatively, Business Administration, Basic Course, 30 credits, Business Administration, Intermediate Course, 30 credits and successful completion of at least 15 credits at advanced course level within Business Administration. Alternatively, 30 credits within G1N in Computer Science and 45 credits within G1F in Computer Science. The applicant must also have qualifications corresponding to the course "English 6" or "English B" from the Swedish upper secondary school.

For further information, see the university's admission regulations (in Swedish).

Transfer of credits for previous studies

Students who have previously completed higher education or other activities are, in accordance with the Higher Education Ordinance, entitled to have these credited towards the current programme, providing that the previous studies or activities meet certain criteria.

For further information, see the university's local credit transfer regulations (in Swedish).

Other provisions

Remaining tasks should be completed as soon as possible according to the teacher's instructions.

The course is offered in English and therefore all examinations will be conducted in English.

Reading list and other teaching materials

Required Reading

Asnar Y, Massacci F. (2011)
A Method for Security Governance, Risk, and Compliance (GRC): A Goal-Process Approach
In: Aldini A, Gorrieri R, editors. Foundations of Security Analysis and Design VI. Berlin: Springer; 2011. p. 152-84 [Book Chapter]

Gürses, Seda, Magali Seguran, and Nicola Zannone (2013)
Requirements engineering within a large-scale security-oriented research project: lessons learned
Requirements Engineering 18.1 (2013): 43-66 [Journal Article]

Hope P, McGraw G, Antón AI. (2004)
Misuse and Abuse Cases: Getting Past the Positive
IEEE Security & Privacy 2004; May/June: 32-4 [Journal Article]

Lillian R. (2006)
An extended misuse case notation: Including vulnerabilities and the insider threat
12th International Working Conference on Requirements Engineering: Foundation for Software Quality (REFSQ'2006); 5 June 2006; Luxembourg; 2006. p. 33-43 [Conference Paper]

Massacci F, Mylopoulos J, Zannone N. (2010)
Security requirements engineering: The SI* modeling language and the Secure Tropos methodology
In: Ras ZW, Tsay L, editors. Advances in Intelligent Information Systems. Berlin: Springer; 2010. p. 147-74 [Book Chapter]

Moe, Carl Erik & Tero Päivärinta (2013)
Challenges in information systems procurement in the public sector
Electronic Journal of e-Government 2013; 11(1) [Journal Article]

Poon P-L, Yu YT (2010)
Investigating ERP systems procurement practice: Hong Kong and Australian experiences
Information and Software Technology 2010; 52(10):1011-22 [Journal Article]

Sindre G, Opdahl AL (2005)
Eliciting security requirements with misuse cases
Requirements Engineering 2005; 10(1):34-44 [Journal Article]

Additional Reading

Pohl, Klaus (2010)
Requirements engineering: fundamentals, principles, and techniques
Springer Publishing Company [Book]