This mixed undergraduate- and graduate-level course takes a multi-disciplinary approach to the study of information security – a current topic of intensive research, system implementation, standards development, and public policy debate. The course is primarily lecture-based, with Socratic discussion of assigned readings, as well as active student participation via lively discussions and debates. Class sessions often include small-group, in-class activities to ensure hands-on experience in apply the concepts presented during lectures. There are no pre-requisites for this course, and students from varied backgrounds are welcome in the course. This course features a collaboration with an Atlanta-based company where students will analyze real-world security events along with their coursework to develop security policies that will bring students closer to being practicing security professionals. The course also features semester-long attention to security issues in the development of augmented reality systems, as an example of cutting-edge information security issues. The professors draw on their extensive experience in information technology, as well as the business, government, and legal aspects of current cyber-security debates.

Objectives

This course will enable students to understand how and why information security strategies and policy are developed and managed. Specific objectives include:

• Understanding the legal and policy issues surrounding technologies that protect intellectual property, sensitive information, and other organizational information assets;
• Understanding the role of technical standards to supplement legal and regulatory requirements;
• Analyzing data breaches and related events to design and implement organizational strategies to address such risks;
• Understanding the tensions between information security and usability;
• Understanding the tensions between information security and privacy;
• Developing the multidisciplinary skills needed to analyze, manage, and resolve the challenges associated with information security law and policy;
• Gaining a basic grounding for future technical and other research in security policy via the examination of current research issues and problems; and
• Gaining experience handling real-world security policy challenges through analysis of software and business artifacts using written and oral communication.

Basic Information

Instructors:

Prof. Peter Swire

Office: Scheller Room 4163
Phone: 240-994-4142
Email: Peter.Swire@scheller.gatech.edu
Office Hours:  Monday 3:00 to 4:00 and by appointment.

Prof. Blair MacIntyre

Office: TSRB Room 232
Phone: 404-894-5224
Email: blair@cc.gatech.edu
Office Hours: TBA.

Class time: 1:35 to 2:55 p.m., Monday and Wednesday

Location: Scheller College of Business, Room 224.

Course website: All course materials are available via T-Square and this website.

Class text: All required materials for this course will be available online through T-Square. Currently, no textbook exists for this course, but there will be an extensive amount of required reading in the form of academic papers and other readings related to information security strategies and policy.

Prerequisites: There are no prerequisites, and the multi-disciplinary nature of the course means that students from many backgrounds can benefit from and succeed in the course. Open to both undergraduate and graduate students, with somewhat greater assignments for graduate students.

Course Requirements and Grading

Projects

There will be three projects in the course, with the precise content developed close to the beginning of the semester in order to take advantage of current developments:

1. Information security law and policy paper. Students will be assigned to write a paper on a current information security law or policy issue. For this paper, the student will first argue the case for one stakeholder in the debate, and then argue for an opposing view, before concluding with a brief discussion of the student’s own view. The paper length for undergraduates will be at least 1,200 words and no more than 1,800 words. The paper length for graduate students will be at least 1,800 and no more than 2,700 words. A model paper for the format will be provided on T-Square. Due date: February 23.
2. Data breach and company strategy. Based on the presentation of an actual data breach by an Atlanta-based company, students will work in small teams to develop a company policy/strategy to address information security risks in the wake of a major data breach. Due date: March 31.
3. Augmented reality security project. Drawing on the augmented reality expertise of Professor MacIntyre, teams of students will conduct a security assessment of a technical artifact that could be incorporated into an augmented reality system in a home or business. Due date: April 20.

Project Presentation

During the last week of class, each student will give an oral presentation in which they will describe one of their projects and what they learned in the course. Length of presentations will depend upon course enrollment.

Course Calendar and Content

Detailed reading will be posted in the schedule and uploaded to the resources section of T-Square.

Week 1: Introduction to information security
Week 2: Information security laws: HIPAA, GLBA, FISMA
Week 3: MLK Day and Guest Lecture
Week 4: NIST cybersecurity framework and health IT security conference
Week 5: Augmented Reality security, and cybersecurity legislation
Week 6: Cybercrime and Cyberwar
Week 7: Open source vs. proprietary software & security
Week 8: Usable security
Week 9: Data breaches, including briefing on actual breach
Week 10: Standards, and Implementing AR & IoT security

Spring Break

Week 11: Formal approaches to cybersecurity
Week 12: Bitcoin, and de-brief on data breach project
Week 13: Cybersecurity research, ethics, and secrecy
Week 14: The future of cybersecurity
Week 15: Project presentations

Class Participation and Attendance

There is no final examination, but 20% of the course grade will be based on attendance and completion of the course reading.

Attendance is expected. We will have a sign-in sheet for each class. There are 29 class sessions (plus MLK Day). Attendance will count 5% of the course grade. You may miss up to three classes without an excuse and receive full attendance credit. After three absences, there is a penalty of one-half point per absence on the final course grade.

Excused absences must be explained in writing (email is permitted), and can be for the following reasons: (1) illness; (2) death or illness in the family; (3) jury duty; (4) military obligation; (5) documented obligations to attend Institute sponsored events (such as described in a GTAA travel letter); or (6) religious holiday.   Additional reasons only with permission of the instructor.   Students arriving 10 or more minutes after the start of a class, or leaving before the end of a class, will be considered absent (unexcused) for that class (regardless of whether the student was present when attendance was taken) unless the student receives permission from the instructor to arrive late or leave early.

A short reading review is required for each class with assigned reading. To receive credit, you must submit the review to T-Square by the beginning of class. Each reading review should include the following: (1) a list of the assigned reading for that class; and (2) a total of four or five sentences about the reading. Topics can include: (1) a discussion of how the reading fits into information security and/or the goals of the course; (2) a critique of some aspect of the reading; (3) a question or questions that arise from the reading; or (4) other writing that shows evidence that you have read and thought about the reading.

For each reading review, grading will be: (1) zero points if not submitted; (2) one point if you submit a review but the quality is clearly low, such as not showing evidence that you have done the reading; or (3) two points if the review shows evidence that you have done the reading and your comments are of reasonable quality. There are 25 classes with reading, so a maximum point total of 50. You will receive the full 15 points for reading reviews if you score 45 or better. A score of 42 will receive 14 points, and so on. Score goes down one point (such as from a 2 to a 1) if you submit it up to one week after the review is due.

Evaluation Procedures

Final grades in the course will be determined as follows:

Law and policy project	25%
Data breach project	25%
Augmented reality project	25%
Reviews of reading	15%
Class attendance	5%
Project presentation	5%

The grading scale for the final grade will be as follows:

A: at least 90
B: 80-89
C: 70-79
D: 60-69
F: below 60

Course Text

All required material for this course will be available online through the course Website. We can recommend optional texts that supplement the course for the interested student.

Academic Integrity

The course process will follow all relevant and appropriate Georgia Institute of Technology academic regulations (http://www.honor.gatech.edu) including those about academic integrity. All students are expected to maintain traditional standards of academic integrity by giving proper credit for all work. All suspected cases of academic dishonesty will be reported to the Dean of Students office and aggressively pursued. A student shall be guilty of a violation of academic integrity if he or she represents the work of others as his or her own or aid another’s misrepresentation. Any violation associated with a homework, assignment, examination or quiz will result in the penalty recommended by the Dean of Students office, which we expect to be a zero for the assignment and a failing grade for the course.  The Dean of Students Office may impose penalties beyond the grade in this course. Students are encouraged to read the ACM Code of Ethics (http://www.acm.org/constitution/code.html), particularly sections 1.3, 1.5, 1.6, 2.2 and 2.4.

Students with Disabilities

The course process will follow all relevant and appropriate Georgia Institute of Technology academic regulations including those relevant to students with disabilities. Any students requiring additional assistance due to disabilities (e.g., learning disabilities) should contact the professor during the first week of the semester. Students requiring extra time for examinations and quizzes are asked to make arrangements through the ADAPTS (http://www.adapts.gatech.edu) office on campus.

Recording

If a student wishes to record the class (such as through audio recorders or devices such as LiveScribe pens), you may do so, but the recorded material may be shared only with people in the class. Recordings may not be posted in whole or in part to social media, the Web, etc. We wish the class discussion to be conducted without fear that any particular comment could be pulled out of context and posted publicly.

Similarly, the professors’ may post their slides for student use, but those slides should not be redistributed without explicit permission from an instructor.

Late Policy

This course has a simple policy for late submission of any of the three assignments. For each day a project is late, students will lose 10% of the total value of the project, which is a full letter grade. We have scheduled the due dates for this class to ensure that students have plenty of time to complete their projects on time. However, if, for any reason, you feel that you can’t complete a project on time, please contact the instructors. We can be flexible, but only if you let us know about your concerns well in advance. Once the project is due, the late policy will take effect.