CS 52300: Social, Economic, And Legal Aspects Of Security

Course Description:

This course focuses on social, legal, and economic aspects of information security and privacy, also including ethics, policies, and human behavioral issues.  The course covers the interactions between non-technological aspects of information security as well as relevant technological aspects. It focusses on how non-technological facets can inform and guide technological choices, and how technological choices can enhance or detract from the broader organizational and societal goals.

Week 1

Overview of course.

Cyber crime

• Identity theft and identity fraud
• organized crime and terrorism
• Underground hacking economy
• law enforcement and prosecution

Week 2

Personnel security and insider threat

• Data theft; information traceability
• Sabotage
• Personnel security issues: vetting, training, certifications, clearances, conflict of interests, monitoring
• detection, mitigation, and prevention

Week 3

Computer forensics

• Procedures: search and seizure, handling of evidence
• Admissibility in court and jurisdiction
• Standards and key organizations: American Society of Crime Laboratory Directors (ASCLAD), etc.

Week 4

Incident responses

• Data collection, handling, analysis, validity
• Damage assessment; pre-incident preparation; monitoring, detection, reaction
• Standards and key organizations: CERT/CC, FIRST, etc.

Week 5

Economics of information security

• Quantifying business value of security, and of investments therein
• Quantifying value of privacy and data
• Role of incentives in attack and defense;
• Role of uncertainty and risk aversion
• Role of insurance in cyber security

Week 6

Security management

• Analysis and planning; organization; supervision
• Evaluation and evolution as circumstances change
• Organizational security/privacy policies and their enforcement
• Standards and key organizations: NIST’s Security Content Automation Protocol, COBIT framework, etc.

Week 7

Behavioral and usability issues in security and privacy

• Human factors in security; attitudes towards privacy, security
• Measurement (online surveys, monitoring); social engineering attacks
• Motivations of attackers; effects of monitoring and traceability on behavior
• Designing for ease of use

Week 8

Privacy: social, ethical and legal considerations

• General vs domain-specific; monitoring for compliance; enforcement
• International issues: US versus other countries such as EU
• Relationships between technical and legal notions of privacy
• Related laws: HIPPA, GLBA, COPPA, FERPA
• Midterm exam

Week 9

Regulations and compliance

• Electronic commerce; privacy; monitoring for compliance; enforcement
• Contract issues, copyright, trademark, trade secret
• Digital Rights Management (DRM)
• Digital Millennium Copyright Act and the European Union's Copyright Directive
• Related laws: Electronic Communications Privacy Act(ECPA), Computer Fraud and Abuse Act (CFAA), etc.

Week 10

Liability and its limits for intermediaries (mere conduit, caching, hosting)

• Software liability and impact of software security
• Data breach liability
• Intermediary liability issues

Week 11

Cyber warfare and international issues

• Cyber weapons
• Cyber espionage
• International laws and treaties

 Week 12

Risk management

• Quantitative and qualitative risk assessment.
• Exposure factors; controlling risk
• Metrics and quantification and their limitations; risk reviews

Week 13

Ethical aspects of information security

• Design for accessibility
• Protection from harmful, inaccurate, or misleading content
• Balance need for monitoring and surveillance and respect of personal privacy

Week 14

Emerging topics

Week 15

Reviews and case studies carried out by students.