Information Systems Security Management


Teaching Staff: Tsohou Aggeliki
Code: ME120
Course Type: Direction of CSC - Elective
Course Level: Undergraduate
Course Language: Greek
Delivery method: Face to face
Semester: 6th
ECTS: 5
Teaching Units: 5
Lecture Hours: 4
Lab/Tutorial Hours: 2L
Total Hours: 6
E Class Page: https://opencourses.ionio.gr/courses/DDI126/
Curricula: Revamped Curriculum in Informatics from 2025
Short Description:

The course aims to provide knowledge and understanding on issues related to information security management in organizational environments. The course material and teaching aim at students' understanding of a conceptual framework for the scientific field of information systems security management. The course analyzes methods of information security risk analysis and management, with a demonstration of prominent software tools and analysis of case studies, with the aim of knowledge and acquisition of skills to apply such methods in practice. In addition, the Directive 2022/2555 on cybersecurity (NIS2) is analyzed as well as technical standards for information security management and related certifications. Recognition of the importance of information systems security management in modern organizations and the related professional roles encountered in today's market are encouraged.

Objectives - Learning Outcomes:

Upon successful completion of the course, the student will:

  • Possess knowledge of the terms and concepts related to the field of information systems security management (e.g. risk, threat, vulnerability)
  • Be able to practically apply the theoretical concepts and relevant methodologies of information systems security management to a specific information system
  • Possess the skills to apply methods and software tools for the analysis of information systems security risks
  • Be able to analyze an information system and the corresponding organizational environment with regard to its information security requirements, to prioritize these requirements, and to document protection measures
  • Possess knowledge and skills to develop security policies for risk management
  • Possess the ability to gather and evaluate data for the utilization of available technical information security standards
  • Understand the requirements imposed by Directive (EU) 2022/2555 (NIS2) concerning measures for a high common level of cybersecurity in the European Union
  • Know the broader scope of information systems security management, as well as its individual research and practical challenges
Syllabus:

The course curriculum includes:

  • Conceptual framework of information systems security management
  • Methods and software tools for risk analysis (ITSRM2, IRAM2, MEHARI, OCTAVE, MONARC)
  • Security governance standards. Frameworks, guidelines and certifications for information systems security management (ISO 27001, ISO 27002, NIST SP 800-30, etc.)
  • The European Cybersecurity Skills Framework (ENISA European Cybersecurity Skills Framework – ECSF)
  • Information systems security audit. The audit life cycle for information security management. Qualifications and skills of auditors (ISO 27006, ISO 27007).
  • Security policies. Purpose, structure and contents of organizational security policies. Examples of generalized and specialized security policies.
  • Security Incident Management. Planning for security incident management, steps to deal with security incidents.
  • Business continuity and disaster recovery plan. Business continuity planning and strategies for information infrastructure disaster recovery.
  • Security awareness. The role of humans in information systems security management. Designing security awareness programs in organizations.
  • Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 concerning measures for a high common level of cybersecurity across the Union (Directive NIS2)
  • Information security measurement. Designing metrics to measure the effectiveness of processes and techniques for protecting information security.
Suggested Bibliography:
  • Sokr. Katsikas, (2014), Information Security Management, Pedio Publications, ISBN 978-960-546-415-8
  • Stef. Gritzalis, Sokr. Katsikas (2021), Information and Systems Security in Cyberspace, New Technologies Publications, ISBN 9789605780647

Related scientific journals:

  • Computers & Security, Elsevier
  • Information and Computer Security, Emerald
  • Journal of Information Privacy and Security, Taylor & Francis
  • International Journal of Information Security, Springer
  • Computer Law & Security Review, Elsevier
  • Information Security Journal: A Global Perspective, Taylor & Francis
Teaching Methods:

Teaching is carried out through:

  • Theoretical lectures
  • Laboratory lectures and exercises
  • Seminars and tutorials
New Technologies:

The Department's online services and applications are used for the organization of educational material and teaching support (opencourses).

Email services are used for communication with teachers and students.

Specialized software applications for information security risk assessment are demonstrated and taught, including SimpleRisk, VERINICE, RM Studio, CORAS and PTA.

Evaluation Methods:

The assessment is carried out in the Greek language.

Written exams: 60%

Written assignments: 40%

