SRA 311: Risk Management: Assessment and Mitigation (Section 001)
Spring 2009, Tuesday and Thursday mornings, 11:15am until 12:30pm, in 206 IST

DESCRIPTION: Risk Management: Assessment and Mitigation is a junior-level undergraduate course designed to enhance the risk literacy of aspiring security risk and intelligence professionals. To this end, the course covers the basic philosophy of risk analysis, including the definition of risk and the “six questions of risk assessment and risk management”; the definition of “security context” and approaches for scoping a risk assessment; scenario development (set theory); threat and vulnerability assessment (probability theory); consequence and severity assessment (utility theory); analytic confidence assessment; formulas of risk; data collection and source analysis; structured analytic techniques for sensemaking; risk treatment strategies, including risk acceptance, risk avoidance, risk transfer, and risk mitigation; risk communication and risk perception; and legal and ethical issues in security risk management. The course introduces all of these concepts through critical readings from the security risk analysis literature, in-class group exercises, case studies, and student projects.

OBJECTIVES: Students successfully completing this course can:
1. Describe the role of risk analysis in decision making
2. Articulate the “six questions of risk” and thoroughly describe the terms and notions commonly associated with security risk analysis
3. Explain the different types of ignorance and uncertainty and provide security-oriented examples of each
4. Explain the difference between an open and a closed world and describe the role of the residual hypothesis
5. Explain the fundamentals of set theory, probability theory, possibility vs. potential surprise, and utility theory
6. Explain analytic confidence, its expression and its role in risk analysis
7. Demonstrate the application of a variety of structured analytic techniques in a security context, to include problem restatement, hierarchical holographic modeling, divergent/convergent thinking, pre-mortem and root-cause analysis, analysis matrices, weighted ranking, influence and decision diagrams, and event trees and fault trees
8. Describe the properties of different types of measurement scales and critically evaluate alternative formulas for calculating risks
9. Discuss several security risk management approaches, including the ASIS Guideline, CORAS, the McCumber Cube Model, OCTAVE, etc.
10. Develop data collection strategies for answering risk questions and apply techniques to appraise the competence and credibility of human sources
11. Describe the four alternative strategies for treating risk
12. Perform a benefit-cost analysis (including life-cycle costs and performance degradation) for real risk mitigation options
13. Discuss the role of risk analysis in auditing and accreditation
14. Discuss the role of risk perception in risk management and communication
15. Discuss legal issues confronting security risk analysts and the role of professional societies in standards setting and credentialing
16. Construct stories about ethical dilemmas facing security risk analysts
17. Recite and apply the Eight Elements of Thought and the Intellectual Standards to critically evaluate articles and essays on the topic of risk analysis
18. Discuss and critically evaluate the main ideas discussed in at least two widely recognized books on risk analysis, and relate these ideas to the security field
19. Design and apply a risk analysis methodology for a real risk analysis problem

SRA 311 Quick Facts

Instructor
William L. McGill, PhD, PE, CRE
Assistant Professor of Security Risk Analysis
307B IST Building, University Park, PA 16802
(814) 867-0270 (office)
[email protected]
professormcgill (Skype)
Ender Netizen (SL) | Ender Netizen (Home)
http://www.professormcgill.com/blog/

Grader
Mr. Ryan Dewar, IST Undergraduate Student
[email protected]

Teaching Intern
Mr. Nicholas Leghorn, IST Undergraduate Student
[email protected]

Office Hours
Office hours are by appointment only, and may happen in person, via Skype, via phone, via chat, or in Second Life.

Prerequisites
• Probability & Statistics (STAT 200)
• Introduction to SRA (SRA 111)
• Terrorism and Crime (SRA 211)
• Information Security (SRA 221)
• Decision Analysis (SRA 231)

Key Deadlines
1/15/09: CAR #1 Due
1/29/09: CAR #2 Due
2/12/09: Book Review #1 Due
2/26/09: CAR #3 Due
3/19/09: Book Review #2 Due
4/02/09: CAR #4 Due
4/16/09: CAR #5 Due
5/05/09: Final Examination
5/07/09: Final Project Due

Grade Allocation
CAR Assignments: 20 pts
Book Reviews: 20 pts
Homework / Quizzes: 20 pts
Final Examination: 20 pts
Final Project: 20 pts
Attendance: up to -20 pts
Extra Credit: up to +10 pts

Grading Rubric
A: ≥ 95, A-: [90,95)
B+: [86.7,90), B: [83.3,86.7), B-: [80,83.3)
C+: [75,80), C: [70,75)
D: [60,70), F: < 60
ASSIGNMENTS AND GRADING: Course assignments consist of critical readings of key articles on risk, critical reviews of widely recognized books on risk-related topics, homework and in-class exercises, a final methodology development project, and a comprehensive final exam. Each of these is described below. Letter grades will be assigned according to the rubric shown at the bottom of this page.

Critical Article Reviews (20 points): Each student is responsible for submitting five (5) critical article reviews (CARs) on key security risk analysis articles at set times throughout the semester. Each CAR requires the student to provide a background on the authors, address each of the Eight Elements of Thought and Intellectual Standards in relation to the authors’ arguments, and address one or more article-specific questions as defined by the instructor. The final CAR grade is taken as the average of the grades for CAR #4 and CAR #5 multiplied by the fraction of required CARs completed. For example, a student completing CAR #1, CAR #2, (missed CAR #3) and CARs #4 and #5 with grades 26/30 and 28/30 will have a final CAR grade of (27/30) x (4/5) = 21.6/30, or 14.4 points toward the student’s final grade.

Critical Book Reviews (20 points): Each student is responsible for submitting a critical book review for each of the following two mass-market publications:
• Bernstein, P. L. (1998). Against the Gods: The Remarkable Story of Risk. Wiley (ISBN: 0471295639).
• Apgar, D. (2006). Risk Intelligence: Learning to Manage What We Don’t Know. Harvard Business School Press (ISBN: 1591399548).
Each book review is worth 10 points toward the student’s final grade. Students may work in reading or discussion groups to prepare for this assignment, but the submitted assignment must be the student’s own.

Homework and Quizzes (20 points): Throughout the semester, students and groups will be assigned homework problems related to topics covered in a previous lecture. On days when homework is not due, quizzes on course topics will be given to gauge student learning and to offer practice for the final exam. Each homework assignment and quiz will be weighted according to difficulty and effort required, and the final H&Q grade will be determined as the weighted average across the seven highest homework grades and the 12 highest quiz grades. Homework and quizzes each account for 10 points toward the student’s final course grade.

Risk Analysis Project (20 points): Each student will participate in a group risk analysis study that focuses on a real-world security risk analysis problem. The deliverables consist of a 5-10 minute video documentary summarizing the findings of the study OR an online risk assessment tool, AND a standalone poster summarizing the details of the study, including methodology development, implementation, and critical appraisal. Topics for this study will be negotiated before the end of the second week of class.

Final Examination (20 points): Each student MUST complete a comprehensive final examination that consists of two parts. The first part has the student doing an in-class Critical Article Review on a short article on a risk-related subject (the article will be provided a week in advance). The second part is a 25-question multiple choice exam spanning all topics covered in the course. Any student that does not take the final will receive a failing grade.

Attendance (-20 points): All students are required to attend all sessions of SRA 311. Attendance will always be taken in some way or another. Each student is allowed two days off (freebie days) to be used as needed. Each additional absence will take one point off from the student’s final grade, for a maximum of 20 points. One bonus point will be awarded for each unused freebie day. For example, if a student misses only one class the entire semester, he will receive one bonus point on top of his final grade. In contrast, a student that missed 7 lectures will lose 5 points from his final grade.

Extra Credit (up to 10 points): A variety of extra credit opportunities will be made available to students throughout the semester. To be eligible for extra credit, a student (a) must have completed ALL major assignments (CARs, book reviews, final project, final exam), and (b) must complete the assignment as directed. In general, each extra credit assignment is worth 2 or 4 points toward the final course grade. No student can earn more than 10 extra credit points toward the final course grade.
*IMPORTANT NOTE: The SRA major requires that all students with SRA as their declared major achieve a grade of C or better in this course to satisfy the degree requirements. This means you need at least 70 points to pass.
TOPIC AGENDA: The following is the schedule of topics for the Spring 2009 semester. Due at each lecture is some “vehicle of accountability” or “deliverable,” whether it be an assignment, project, homework assignment or quiz.
NOTE: The above schedule is only preliminary, and may change depending on the needs of the class.
POLICIES AND PROCEDURES: This section describes how the course will run, including the format of the lectures, attendance, late submission, etc.

Session Format: Each class session will take the form of a formal lecture supplemented by in-class discussion and occasional in-class group activities. Each lecture lasts 1 hour and 15 minutes. In those circumstances where the instructor must miss class, some sort of alternative arrangement will be made (Second Life, podcast, live video stream, substitute lecturer, etc.).

Course Materials: Materials for the Spring 2009 offering of SRA 311 include three required texts (listed below), open-source software tools (links will be provided as needed), and online articles available publicly or via the Penn State library system.
• Elder, L., and Paul, R. (2008). The Thinker’s Guide to Intellectual Standards. Foundation for Critical Thinking (ISBN: 0944583395).
• Bernstein, P. L. (1998). Against the Gods: The Remarkable Story of Risk. Wiley (ISBN: 0471295639).
• Apgar, D. (2006). Risk Intelligence: Learning to Manage What We Don’t Know. Harvard Business School Press (ISBN: 1591399548).

Course Website: All course communications and transactions will happen via the ANGEL course website. This includes ALL email exchanges between students and instructor, assignment submissions via ANGEL drop boxes, and so on. Lecture recaps will be made available on the instructor’s blog at http://www.professormcgill.com/blog/sra311/.

Submitting Assignments: All assignments must be submitted electronically to the appropriate ANGEL drop box. All assignments are due within the 48 hours immediately prior to class, no earlier and no later. In addition, printed copies of assignments must be turned in at the start of class on the assignment due date for the student or group to receive full credit (otherwise a 5% reduction applies) and to be credited for class attendance.

Late Assignments: No late assignments will be accepted unless there is a REALLY good, documented, and verifiable reason. Examples of good reasons are a severe medical illness (e.g., flu is ok, hangover is not) and sudden travel for an event (e.g., death in family, NOT an offsite or onsite interview). If you anticipate something that will interfere with the timely submission of an assignment, arrange with the instructor to complete the assignment early.

Class Attendance: Students must attend all classes. All students are given two freebie days where they do not have to be present in class. However, the student must still submit the required assignment for that day. Unused freebie days will add bonus points to the student’s final grade. Attendance will be noted via assignment submissions and quizzes.

Students with Disabilities: It is Penn State’s policy to not discriminate against qualified students with documented disabilities. If after reviewing this syllabus you find the need to modify any aspect of the course to accommodate your documented disability, please meet with the instructor to discuss your concerns and to make arrangements for any accommodations. You will be asked to present documentation from the Office of Disability Services (located in 105 Boucke Building) that describes the nature of your disability and the recommended remedy. You may refer to the Nondiscrimination Policy in the Student Guide to University Policies and Rules.

In-Class Computer Use: Students will not use classroom computers during class lectures. The only exception to this is the use of computers to assist in in-class exercises and whenever authorized by the instructor.

Student Groups: On day one, all students will break into student groups. Each group will consist of 4-5 group members. These groups will work together on the final course project, homework assignments, and all in-class activities.

Office Hours: Office hours with the instructor are by appointment only and may occur via instant message, Second Life, Skype, in person, etc.

Academic Integrity: According to the University Handbook, “academic integrity is the pursuit of scholarly activity free from fraud and deception, and is the educational objective of this institution. Academic dishonesty includes, but is not limited to, cheating, plagiarism, fabrication of information or citations, facilitating acts of academic dishonesty by others, unauthorized possession of examinations, submitting work of another person, or work previously used without informing the instructor, or tampering with the academic work of other students. Any violation of academic integrity will be thoroughly investigated, and when warranted, punitive action will be taken.” Any student for whom there is reasonable and convincing evidence that suggests he or she is or has been academically dishonest will be aggressively prosecuted.
I received the SRA 311 course syllabus (Spring 2009) and understand its contents.
Name:
PSU User ID: (e.g., WLM142)
Signature: