Course syllabus

Informatics, Setting Requirements for Information Security, Second Cycle, 7.5 credits

Course code: IK436A
Credits: 7.5
Main field of study: Informatics
Progression: A1N
Education cycle: Second cycle
Established: 01/11/2019
Last revised: 13/09/2023
Approved by: Head of school
Reading list approved: 13/09/2023
Valid from: Spring semester 2024
Revision: 2

Learning outcomes

1. Based on requirements engineering techniques, have the ability to communicate information security requirements to relevant actors in an organisation (e.g., system developers, senior management teams, stakeholders)
2. Have the ability to analyse when and where it is appropriate to define information security requirements in the process of purchasing information systems
3. Have the ability to analyse when and where it is appropriate to define information security requirements, based on an understanding of the system development life cycle
4. Have skills in creating strategies for the evaluation and testing of information security requirements, based on knowledge of recognised techniques
5. Have the ability to present strategies for the evaluation and testing of information security requirements orally
6. Based on theory, understand information security requirements and the other requirements of an information system, and how they influence each other

Content

The course contents consist of the following modules:
1. Introduction to the concepts of requirement and information security requirement
2. Methods for information security requirements engineering (addressing goal 1)
3. An overview of how policies, standards and risk assessments are used in information security requirements analysis (addressing goals 2, 3 and 6)
4. The role of information security requirements engineering in both the system development process and the information system procurement process (addressing goals 2 and 3)
5. Methods for the evaluation and testing of information security requirements (addressing goals 4 and 5)
6. An overview of the different types of requirements (e.g., information security requirements and general requirements) of an information system (addressing goal 6)

Examinations and grades

Written Group Report, 1.5 credits (Code: A001)
Grades used are Fail (U) or Pass (G).

Oral Group Presentation, 1.5 credits (Code: A002)
Grades used are Fail (U) or Pass (G).

Individual Written Take-Home Examination, 4.5 credits (Code: A003)
Grades used are Fail (F), Sufficient (E), Satisfactory (D), Good (C), Very Good (B) or Excellent (A).


According to the Higher Education Ordinance, Chapter 6, Section 18, a grade is to be awarded on the completion of a course, unless otherwise prescribed by the university. The university may determine which grading system is to be used. The grade must be determined by a teacher specifically nominated by the university (the examiner).

In accordance with university regulations on grading systems for first and second-cycle courses and study programmes (Vice-Chancellor’s decision ORU 2018/00929), one of the following grades is to be used: fail (U), pass (G) or pass with distinction (VG). For courses included in an international master’s programme (60 or 120 credits) or offered to the university’s incoming exchange students, the A to F grading scale is to be used. The vice-chancellor, or a person appointed by them, may decide on exceptions from this provision for a specific course, if there are special grounds for doing so.

The grades used on this course are Fail (F), Sufficient (E), Satisfactory (D), Good (C), Very Good (B) or Excellent (A).

Comments on grades

For an approved final grade on the course, an approved result is required for all examinations. The letter grades A-E are weighted into a final grade based on the examinations of the entire course.

Modes of assessment

Written Group Report, 1.5 credits (Code: A001)
Setting information security requirements for a given case, examined through a written group report. (Assesses goals 1 and 3)

Oral Group Presentation, 1.5 credits (Code: A002)
Developing a strategy for evaluating and testing the information security requirements of a given case, examined through a group oral presentation. (Assesses goals 4 and 5)

Individual Written Take-Home Examination, 4.5 credits (Code: A003)
Examined through an individual written report. (Assesses goals 1, 2, 3 and 6)

For students with a documented disability, the university may approve applications for adapted or other modes of assessment.

For further information, see the university's local examination regulations.

Specific entry requirements

Informatics, Basic Course, 30 credits; 30 credits at intermediate course level within Informatics; and successful completion of at least 15 credits at advanced course level within Informatics. Alternatively, Business Administration, Basic Course, 30 credits; Business Administration, Intermediate Course, 30 credits; and successful completion of at least 15 credits at advanced course level within Business Administration. Alternatively, 30 credits within G1N in Computer Science and 45 credits within G1F in Computer Science. The applicant must also have qualifications corresponding to the course "English 6" or "English B" from the Swedish upper secondary school.

For further information, see the university's admission regulations.

Other provisions

The course is offered in English and therefore all examinations will be conducted in English.

Students who have been admitted to and registered on a course have the right to receive tuition and/or supervision for the duration of the time period specified for the particular course to which they were accepted (see the university's admission regulations, in Swedish). After that, the right to receive tuition and/or supervision expires.

Reading list and other learning resources

Required Reading

Asnar Y, Massacci F. (2011)
A Method for Security Governance, Risk, and Compliance (GRC): A Goal-Process Approach
In: Aldini A, Gorrieri R, editors. Foundations of Security Analysis and Design VI. Berlin: Springer; 2011. p. 152-184 [Book Chapter]

Gürses S, Seguran M, Zannone N. (2013)
Requirements engineering within a large-scale security-oriented research project: lessons learned
Requirements Engineering 2013; 18(1):43-66 [Journal Article]

Hope P, McGraw G, Antón AI. (2004)
Misuse and Abuse Cases: Getting Past the Positive
IEEE Security & Privacy 2004; May/June:32-34 [Journal Article]

Røstad L. (2006)
An extended misuse case notation: Including vulnerabilities and the insider threat
12th International Working Conference on Requirements Engineering: Foundation for Software Quality (REFSQ'2006); 5 June 2006; Luxembourg, Luxembourg; 2006. p. 33-43 [Conference Paper]

Massacci F, Mylopoulos J, Zannone N. (2010)
Security requirements engineering: The SI* modeling language and the Secure Tropos methodology
In: Ras ZW, Tsay L, editors. Advances in Intelligent Information Systems. Berlin: Springer; 2010. p. 147-174 [Book Chapter]

Moe CE, Päivärinta T. (2013)
Challenges in information systems procurement in the public sector
Electronic Journal of e-Government 2013; 11(1) [Journal Article]

Poon P-L, Yu YT. (2010)
Investigating ERP systems procurement practice: Hong Kong and Australian experiences
Information and Software Technology 2010; 52(10):1011-1022 [Journal Article]

Sindre G, Opdahl AL. (2005)
Eliciting security requirements with misuse cases
Requirements Engineering 2005; 10(1):34-44 [Journal Article]

Additional Reading

Pohl K. (2010)
Requirements engineering: fundamentals, principles, and techniques
Berlin: Springer; 2010 [Book]