Course 2024-2025 a.y.

20654 - STRATEGY AND GOVERNANCE FOR CYBER RISK

Department of Management and Technology

Course taught in English

Class timetable
Exam timetable
Go to class group/s: 25
CYBER (8 credits - II sem. - OB  |  3 credits SECS-P/07  |  5 credits SECS-P/08)
Course Director:
GIANLUCA SALVIOTTI

Classes: 25 (II sem.)
Instructors:
Class 25: GIANLUCA SALVIOTTI


Mission & Content Summary

MISSION

Cybersecurity is emerging as one of the most impacting area of technology and operational risk for modern organizations. Although executives and managers can count on various frameworks and collections of best practices for setting cyber risk governance, a "one-size-fits-all" approach is not recommended. To effectively govern cyber risk, each organization needs to design and execute a cyber strategy connected to current and perspective business models, priorities, constraints and business relationships. The mission of this course is to provide students with the capability to design a framework for cyber risk governance and strategy aligned with the overall digital transformation strategy of an organization, in order to properly prioritize the activities and maximize the returns of cyber risk investments.

CONTENT SUMMARY

Part 1| Understanding the context for cyber risk governance and strategy.  

  • Cyber Risk Governance (CRG) as a new field. CRG, Corporate Governance, Enterprise Risk Management, IT Risk Management, IT Governance.
  • Business Strategy in the era of Digital Transformation: how to derive business drivers for Cyber Risk Governance and Strategy. Identifying the crown jewels in transforming organizations: the Real Madrid Case Study.
  • Identifying the crown jewels in transforming organizations: the GE Case Study.
  • Linking Business Strategy to Cyber Risk Strategy: the SOI case study.
  • From strategy to execution: the role of international frameworks. The NIST cybersecurity Framework.
  • The NIST cybersecurity framework in action.
  • Simulation: Design and execute the Cyber Strategy @ Morpheus Pharma.

 

Part 2 | Cyber risk governance processes, frameworks and tools. 

  • Introduction to Corporate Governance and Board Responsibilities.
  • Simulation: Build a Cybersecurity Toolkit for Your Board
  • Cyber Risk Governance: from Board Responsibilities to other Leadership Structures, Processes, and Mechanisms.
  • Removing vulnerabilities through people and culture.
  • CISO Metrics & Reporting. Cyber Risk Governance Indicators: KPI and KRI.
  • Simulation: Your first 90 days as CISO

 

Part 3 | Governance and Strategy for Cyber Incidents. How to deal with a Cyber Crisis.

In Part 3 students will have the chance to understand how  apply strategy and governanceto approaches and tools to effectively manage a Cyber Incident  

 

  • Current Challenges in Cyber and Information security.
  • Current Challenges in Cyber and Information security: the CISO's perspective.
  • An overview of the NIST SP800-61. Incident response and Security Operations.
  • The NIST SP800-61 in action: build your own Incident Response Plan.
  • Managing a Cyber Crisis: theory.
  • Managing a Cyber Crisis: theory: practice. Tales from the real world.
  • Simulation: Your first Cyber Crisis.

 


Intended Learning Outcomes (ILO)

KNOWLEDGE AND UNDERSTANDING

At the end of the course student will be able to...
  • Interpret the main links between Corporate Governance, Enterprise Risk Management, IT Governance, IT Risk Management and Cyber Risk Governance.

  • Align Digitalization and Digital Transformation strategies to Cyber Risk Governance and strategy.

  • Engage Board Members and Executives according to their responsibilities on Cyber Risk Governance and Strategy.

  • Promote a culture of Cyber Risk within the organization.

  • Master the main frameworks and tools for Cyber Risk Governance.

  • Manage a Cyber Incident.

APPLYING KNOWLEDGE AND UNDERSTANDING

At the end of the course student will be able to...
  • Design a Cyber Risk Governance process aligned with the organization’s Corporate Governance, Enterprise Risk Management IT Governance and IT Risk Management.

  • Derive, from the key frameworks and tools for Cyber Risk Governance, a specific approach to protect the organization.

  • Implement a Cyber Risk Governance and a Cyber Risk Strategy with an open, collaborative and tech-savvy approach.

  • Build a measurement system for Cyber Risk.

  • Build a Cyber Risk Roadmap with budget constraints.

  • Design, implement and test an Incident Response Plan.


Teaching methods

  • Face-to-face lectures
  • Online lectures
  • Guest speaker's talks (in class or in distance)
  • Case studies /Incidents (traditional, online)
  • Group assignments
  • Interactive class activities on campus/online (role playing, business game, simulation, online forum, instant polls)

DETAILS

  • Guest speaker's talks (in class or in distance). Students have the chance to interact with experienced managers and executives dealing with Cyber Risk in order to discuss the main issues and trends in the field
  • Online Lectures. Asynchronous and synchronous Online Lectures to introduce concpets that will be applied throuh case studies, assignments and simulations.
  • Case studies /Incidents. Discussions around relevant case studies build a common understanding of the topics introduced by the instructor.
  • Group assignments. A final group assignment give students the opportunity to discuss among peers and collaborate in the development of a Cyber Risk Governance plan for a company.
  • Interactive class activities (role playing, business game, simulation, online forum, instant polls). 

Assessment methods

  Continuous assessment Partial exams General exam
  • Written individual exam (traditional/online)
  x x
  • Group assignment (report, exercise, presentation, project work etc.)
x x  
  • Active class participation (virtual, attendance)
x    

ATTENDING STUDENTS

With the purpose of measuring the Course expected learning outcomes, attending students will be evaluated according to their capability to translate the key concepts and tool into actions. The Course will be taught in a very pragmatic way, this is why Attending Students will be asked to work on the following practice-oriented outputs.

1. An individual assessment on the first part of the course, aimed at assessing the capability to align Digitalization and Digital Transformation strategies to the Cyber Risk Governance and strategy;

2. A group simulation at the end of the second part of the course, aimed at assessing the capability to properly apply the main frameworks and tools for Cyber Risk Governance in the shoes if a CISO in his firt 90 days in a Company.

3. A group simiulation at the end of part 3, aimed at applying the approaches and metholodogies to deal with a Cyber Crisis.

4. An individual essay assignment at the end of the third part of the course, aimed at measuring the ability to design and implement and Incident Response Plan.


NOT ATTENDING STUDENTS

The assessment for not attending students is based on an open essay question aimed at testing:

  • The overall understanding of the key concepst and principles related to Cyber Risk Governance and Strategy;
  • The capacity to critically read the Corporate and Digital Strategy of a Company and to desgin a consistent Cyber Risk Strategy;
  • The ability to effectively apply the tools and methods for the onboarding of Executives and Board Members in Cyber Risk Governance.   

Teaching materials


ATTENDING STUDENTS

Cases, readings, slides, and other material available through Bboard.


NOT ATTENDING STUDENTS

Parenty T.J., Domet J.J., A Leader's Guide to Cybersecurity: Why Boards Need to Lead--and How to Do It, Harvard Business School Publishing, 2019 (Full Book)

Last change // :