Informatics, Regulatory Aspects of Information Security, Second Cycle, 7.5 credits

Aims and objectives

General aims for second cycle education

Second-cycle courses and study programmes shall involve the acquisition of specialist knowledge, competence and skills in relation to first-cycle courses and study programmes, and in addition to the requirements for first-cycle courses and study programmes shall

• further develop the ability of students to integrate and make autonomous use of their knowledge
• develop the students' ability to deal with complex phenomena, issues and situations, and
• develop the students' potential for professional activities that demand considerable autonomy, or for research and development work.

(Higher Education Act, Chapter 1, Section 9)

Course objectives

After completion of the course the students shall
1. Based on literature and case descriptions understand the importance of the regulatory aspects of information security related to threats, risks, and incidents
2. Based on literature and case descriptions be able to describe legal areas central for the management of information security
3. Based on a specific case be able to describe information security standards for specific fields of society
4. Have the ability to analyse and assess information security policies based on relevant literature
5. Develop an information security policy for a selected organisational context based on relevant standards, laws and regulations and theories for policy development within the area of information security.
6. Based on ethical theory literature be able to make ethical assessment relevant for the management of information security.

Main content of the course

1) The regulative aspects of information security and how regulations aim to counteract threats, risks and incidents
2) Laws and other national regulations as well as relevant EU regulations for the management of information security related to different societal goals. The focus will be on laws for general data protection and legal aspects of traditional crimes in the cyber world.
3) Standards relevant for information security management
4) Different types of policies relevant for information security management
5) To evaluate and develop an information security policy
6) To understand the importance of professional ethics, some basic ethics theory and be able to perform an ethical analysis related to information security management.

Teaching methods

The employed teaching methods are mainy anchored in flipped classroom and case-based learning. The flipped classroom means focusing on exploring topics in greater depth and creating meaningful learning opportunities in class time, while content delivery is made outside of the classroom. Case-based learning means that scenarios from real-world examples are used as a point of departure for in-class activities and assignments.

Students who have been admitted to and registered on a course have the right to receive tuition and/or supervision for the duration of the time period specified for the particular course to which they were accepted (see, the university's admission regulations (in Swedish)). After that, the right to receive tuition and/or supervision expires.

Examination methods

Written Individual Examination, 2 credits (Code: A001)
Seminar where the students, based on literature and case descriptions, present relevant regulative aspects of information security (laws, regulations, standards, policies) (examination of goals 1, 2, and 3).

Written Group Assessment, 4 credits (Code: A002)
Written group assessment and peer review of developed information security policies. Seminar where a group of students evaluate another student group's information security policy based on theory (examination of goals 4 and 5).

Written Individual Examination, 1.5 credits (Code: A003)
Seminars where ethics is discussed and valued in relation to the management of information security (examination of goal 6).

For students with a documented disability, the university may approve applications for adapted or other forms of examinations.

For further information, see the university's local examination regulations (in Swedish).

Grades

According to the Higher Education Ordinance, Chapter 6, Section 18, a grade is to be awarded on the completion of a course, unless otherwise prescribed by the university. The university may prescribe which grading system shall apply. The grade is to be determined by a teacher specifically appointed by the university (an examiner).

In accordance with university regulations regarding grading systems for first and second-cycle courses (Vice-Chancellor’s decision ORU 2018/00929), one of the following grades shall be used: Fail (U), Pass (G) or Pass with Distinction (VG). For courses that are included in an international Master’s programme (60 or 120 credits) or offered to the university’s incoming exchange students, the grading scale of A-F shall be used. The vice-chancellor, or a person appointed by the vice-chancellor, may decide on exceptions from this provision for a specific course, if there are special grounds.

Grades used on course are Fail (F), Sufficient (E), Satisfactory (D), Good (C), Very Good (B) or Excellent (A).

Written Individual Examination
Grades used are Fail (U) or Pass (G).

Written Group Assessment
Grades used are Fail (F), Sufficient (E), Satisfactory (D), Good (C), Very Good (B) or Excellent (A).

Written Individual Examination
Grades used are Fail (U) or Pass (G).

For further information, see the university's local examination regulations (in Swedish).

Comments on grades

For an approved final grade on the course, an approved result is required for all examinations. The letter grades A-E are weighted into a final grade based on the examinations of the entire course. Detailed information on the requirements for each of the grade levels are given in the outlines at the start of the course.

Specific entry requirements

Informatics, Basic Course 30 Credits, 30 Credits at intermediate course level within Informatics and successful completion of at least 15 Credits at advanced course level within Informatics. Alternatively Business Administration, Basic Course, 30 Credits, Business Administration, Intermediate Course, 30 Credits and successful completion of at least 15 Credits at advanced course level within Business Administration. Alternatively 30 Credits within G1N in Computer Science and 45 Credits within G1F in Computer Science. The applicant must also have qualifications corresponding to the course "English B" or "English 6" from the Swedish Upper Secondary School.

For further information, see the university's admission regulations (in Swedish).

Transfer of credits for previous studies

Students who have previously completed higher education or other activities are, in accordance with the Higher Education Ordinance, entitled to have these credited towards the current programme, providing that the previous studies or activities meet certain criteria.

For further information, see the university's local credit transfer regulations (in Swedish).

Other provisions

Remaining tasks should be completed as soon as possible according to the teacher's instructions.

Reading list and other teaching materials

Required Reading

Dhillon, Gurpreet (2018)
Information Security: Text & Cases
Prospect Press, 413 pages

Karlsson, Fredrik, Hedström, Karin, Goldkuhl, Göran (2017)
Practice-based discourse analysis of information security policies. Computers & Security
Vol 67, pp. 267-279 [Tidskriftsartikel]

Peltier, Thomas R. (2004)
Information Security Policies and Procedures: A Practitioner's Reference
Auerbach, 384 pages

Reynolds, George W. (2015)
Ethics in Information Technology
Cengage Learning, Boston, MA, USA

Stahl, Carsten Bernd, Doherty, Neil F, Shaw, Mark (2012)
Information security policies in the UK healthcare sector: a critical evaluation Information Systems Journal
Vol. 22, pp. 77-94 [Tidskriftsartikel]

Additions and Comments

Additional research papers and course material will be made available by the department, maximum 200 pages.