Risk Management

From WebScience


Fact Box
Module: Web Trust and Security
Randolf Skerka
Credits: 3
Term: Term 3, Term 4
Course is not required
Current course page: Winter 2017
Active: Yes

The Big Idea

Every institution is confronted with numerous risks to which its information assets are exposed. This is particularly true for institutions connected to the web. Web connectivity is typically implemented by processing information on networked systems and transporting it across internal and external network connections. The discipline of information security traditionally addresses this challenge with security assessments and detailed risk analyses, leading to security concepts that consist of security measures designed to reduce each risk to a level acceptable to the particular institution.

This classic and detailed approach is only applicable to strictly limited business processes, strictly limited technical subsystems, or small companies. Real-world business processes in enterprises are strongly interconnected and rest on a complex flow of information within and between these processes. The quantity of information processed and stored exceeds what a detailed analysis can cover. In classic risk analysis, this high degree of complexity would, in the case of an in-depth analysis, lead to enormous expenditures of time and money. Additionally, the resulting security concept would be outdated before its completion.

This time-based view on information security highlights another problem: assets, threats and risks change. Certain information assets (e.g. data sets) are no longer needed, new information assets are stored and processed, attackers figure out new attack methods, and science and suppliers invent new defense technologies. Because of these ongoing changes, security concepts need periodic updates to keep the risks at an acceptable level.

IT-Security- and Risk-Management addresses these problem areas by defining a structured and periodic top-down approach. The international standard ISO 27001 [1] gives an internationally accepted but not always practical definition of a so-called Information Security Management System (ISMS). Another drawback of this document is its price and its unavailability as a free web resource. For these reasons we make a single exception from good scientific practice and use the ISO/IEC 27001:2005 ISMS Wikipedia entry [2] for an overview of ISMS. A more concrete definition can be found in a German ISO/IEC 27001:2005 compliant ISMS standard [3]: "... a management system encompasses all the provisions as regards supervision and management so that the institution can achieve its objectives. An information security management system therefore specifies the instruments and methods that the administration/management level of an institution should use to comprehensibly manage the tasks and activities aimed at achieving information security."

Intended Learning Outcomes

Students will become familiar with the organisational and technical aspects of IT-Security- and Risk-Management. After passing the course, students will be able to

  • understand the causal relations of IT-Security
  • analyze and understand the meaning of security policies
  • check the completeness of a security policy
  • figure out non-adequate, especially non-abstract contents in security policies
  • perform the steps of a structural analysis for an enterprise
  • determine protection requirements according to [4]
  • select adequate security measures for standard IT scenarios
  • set up the security management process for an exemplary company
  • take on a responsible role in a security management process.

Structure of the Course

The course is divided into three major parts. The first, introductory part addresses the basics of Security and Risk Management by defining the terminology and describing the general approach of security management. The second and third parts take a closer look at concrete methods for implementing a security management process.

Introduction: Basics of IT-Security- and IT-Risk-Management

The approach of IT-Security- and Risk-Management (ITSRM) is to establish and maintain a periodic process which identifies and copes with the IT risks of an institution. This process is implemented within an ISMS, which also comprises the organizational structures for ITSRM as well as a set of documents describing the institution's way of dealing with security. The first part defines terminology and gives a short introduction to the basic elements of an ISMS.

Security Policy

An institution's way of dealing with security is documented in a set of documents. This set is typically structured across at least three abstraction levels, ranging from one very general document to more technically oriented documents. The top-level document is usually called the IT-Security Policy or IT-Security Guideline. After several years, differing notions on the structure of a security policy converged with the introduction of the international standard ISO/IEC 27001.

Concrete ISMS and Practical Methodology

Defining a security policy is a first step towards setting up an ISMS. The next step is to perform an IT risk assessment for the institution to initiate the periodic security management process. ISO/IEC 27001 describes the requirements on the security management process. One possible concretization is to use the BSI Standards [5], which fulfil the requirements of ISO/IEC 27001 and are available in English. These standards offer a straightforward approach to implementing an ISMS.

Didactic Concept, Schedule and Assignments

The learning concept combines on-site lessons, online workshops and home work. An introductory on-site workshop provides basic knowledge and serves as a starting point for discussions during the later online workshops. The online workshops are structured in a highly interactive manner: case studies provide practical experience in setting up an ISMS, and open questions are discussed within the learning group.

Three online workshops are organized on three evenings as synchronous events with a duration of three hours each. Preliminary asynchronous work is performed through discussions and clarifications via e-mail, discussion forums and other tools in the learning platform. The referenced resources build the foundation for professional discourse during the online sessions. Depending on the number of participants, learning groups of 1 to 5 students are formed to prepare the required readings and to evaluate the findings of the online sessions afterwards.

Introductory On Site Session

The first on-site session starts with organizational course details and a lecture introducing the basic terms and definitions of IT-Security- and IT-Risk-Management. In a first brief step the general concepts of security objective, vulnerability, threat and risk are introduced. Additionally, general management processes, represented by Deming's PDCA cycle, are explained. The security management process is deduced from this general management concept. Furthermore, security role models and security documentation are introduced. In particular, the importance of a security policy is explained. The on-site session ends with the assignment of readings and tasks to perform based on the readings. The presented slides are provided as online documents.

1st Online Workshop

The 1st Online Workshop starts with a wrap-up of the basics introduced in the on-site session. Prerequisites for the 1st Online Workshop are the contents of the introductory slides and selected passages of document [3]. For the online workshop, each group of students prepares one of two eligible assignments:

  1. Find a solution for exercise 1a. Provide a detailed slide based presentation on your findings.
  2. Find a solution for exercise 1b. Prepare a slide based presentation on the contents.

The results are reviewed and discussed within the course with the assistance of the lecturer. The last hour of the session is reserved for initial information on a case study extending across the 2nd and 3rd Online Workshops. The case study is described in more detail in the following section.

2nd Online Workshop

The 2nd Online Workshop deals with the starting phase of a fictional company introduced within the 1st Online Workshop. The students prepare the methodology for this risk assessment by reading [3] and [4]. The session starts with an interview of the Chief Information Officer (CIO) of the fictional company, represented by the lecturer. The students represent IT-security professionals with the task of setting up the security management process. The students organize the information collected throughout the interview in the way described in [4] and draw first conclusions according to [4]. The first intermediate result is the so-called structure analysis together with a classification of the objects regarding their protection requirements. Selected questions, assumptions and hypotheses will be discussed and clarified.
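The step from the structure analysis to the classification of objects is where the inheritance rules of [4] do their work: an IT system inherits the strictest requirement of the applications it hosts (maximum principle), many "normal" applications on one system can together justify a higher rating (cumulation effect), and redundancy can lower the availability rating of a single instance (distribution effect). The following Python script is an added illustration of that derivation, written for this page; it is neither part of the course material nor code from the BSI documents. The category names, the three basic values and the three rules follow [4]; the numeric cumulation threshold, the one-step reduction for redundant systems and the sample inventory are assumptions made here for the example.

```python
"""Protection-requirement inheritance in the style of BSI-Standard 100-2.

Added example for this page, not code from the course or from BSI. The
categories ("normal", "high", "very high"), the three basic values and the
three inheritance rules are taken from BSI 100-2; the cumulation threshold
(3 applications) and the one-step reduction for redundant systems are
simplifying assumptions, not values the standard prescribes.
"""
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = ["normal", "high", "very high"]          # ordered from lowest to highest
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class Application:
    name: str
    requirements: Dict[str, str]                  # basic value -> category


@dataclass
class ITSystem:
    name: str
    applications: List[Application] = field(default_factory=list)
    redundant: bool = False                       # one of several identical instances
    count: int = 1                                # grouped identical systems (structure analysis)


def max_level(levels):
    """Maximum principle: the strictest requirement of any hosted application wins."""
    return max(levels, key=LEVELS.index) if levels else "normal"


def derive_requirements(system, cumulation_threshold=3):
    """Derive a system's protection requirements from the applications it hosts."""
    derived = {}
    for objective in OBJECTIVES:
        levels = [app.requirements[objective] for app in system.applications]
        level = max_level(levels)
        # Cumulation effect: several "normal" applications on one system can
        # together justify "high" (the threshold of 3 is an assumption).
        if level == "normal" and len(levels) >= cumulation_threshold:
            level = "high"
        # Distribution effect: a redundant instance carries a lower availability
        # requirement than the application as a whole (one step is an assumption;
        # the standard leaves the amount of the reduction to the analyst).
        if objective == "availability" and system.redundant and LEVELS.index(level) > 0:
            level = LEVELS[LEVELS.index(level) - 1]
        derived[objective] = level
    return derived


def structure_analysis(systems):
    """Build the table an analyst fills in: systems, instances, applications, requirements."""
    return {
        system.name: {
            "instances": system.count,
            "applications": [app.name for app in system.applications],
            "requirements": derive_requirements(system),
        }
        for system in systems
    }


# Constructed sample inventory for a small fictional company (not from the page).
HR = Application("HR payroll", {"confidentiality": "high", "integrity": "normal", "availability": "normal"})
SHOP = Application("web shop", {"confidentiality": "normal", "integrity": "high", "availability": "high"})
WIKI = Application("intranet wiki", {"confidentiality": "normal", "integrity": "normal", "availability": "normal"})
MAIL = Application("mail", {"confidentiality": "normal", "integrity": "normal", "availability": "normal"})
PRINT = Application("print service", {"confidentiality": "normal", "integrity": "normal", "availability": "normal"})

SYSTEMS = [
    ITSystem("S1 application server", [HR, WIKI]),                  # maximum principle
    ITSystem("S2 shop node", [SHOP], redundant=True, count=2),      # distribution effect
    ITSystem("S3 office server", [WIKI, MAIL, PRINT]),              # cumulation effect
]

if __name__ == "__main__":
    for name, row in structure_analysis(SYSTEMS).items():
        print(f"{name} (x{row['instances']}): {row['requirements']}")
```

In the sample, S1 inherits "high" confidentiality from the payroll application alone, the clustered shop node drops from "high" to "normal" availability because the shop's availability is carried by two instances, and the office server is raised to "high" on all three values purely by accumulation of unremarkable services. Whether the latter two conclusions hold in a real assessment is a judgement the analyst must document, which is exactly the kind of assumption the workshop asks students to make explicit.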

3rd Online Workshop

The third workshop is used to elaborate security measures for the case study according to [3]. The results are presented in the second half of the online session. Selected questions, assumptions and hypotheses are discussed and clarified.

Wrap-up session on site

This on-site workshop is dedicated to summarizing the students' impressions and findings from the course.


There is no written examination for the module, but all homework assignments must be completed.


  1. "Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC DIS 27001:2013)". http://www.bsigroup.com/en-GB/iso-27001-information-security/ISOIEC-27001-Revision/. Retrieved January 31, 2014.
  2. "Wikipedia entry on ISO/IEC 27001:2005". http://en.wikipedia.org/wiki/ISO/IEC_27001:2005. Retrieved January 31, 2014.
  3. "BSI Standard 100-1: Information Security Management Systems (ISMS)". https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/BSIStandards/standard_100-1_e_pdf.pdf?__blob=publicationFile. Retrieved January 31, 2014.
  4. "BSI-Standard 100-2: IT-Grundschutz Methodology". https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/BSIStandards/standard_100-2_e_pdf.pdf?__blob=publicationFile. Retrieved January 31, 2014.
  5. "BSI-Standards". https://www.bsi.bund.de/EN/Publications/BSIStandards/BSIStandards_node.html. Retrieved January 31, 2014.
