PUBP-6725 - Information Security Policies

    Reviews


    Semester:

    Overall this is a solid class. Content was interesting, but the class kind of lacked substance. The instructor would talk about cybersecurity at a superficial level and never really dove deep. The lecture videos were short as a result. The content, as fluffy as it may be, I felt was pretty interesting. The instructor is a career academic and it shows; some of the content doesn’t apply in the real world very well or is esoteric. On the whole it was interesting. The quizzes were open book/note no time limit – they were more challenging than I expected – most questions could be CTRL+F’d, but a few required at least some mastery of the topic. Several times for the life of me I could not find addressed in the lectures or readings at all. The course was so devoid of content I literally could do 3 weeks of lectures in a few hours even while taking notes. At times I forgot I was enrolled in grad school :D This class felt like it has about 4 weeks worth of content in it. The instructor and TAs would often speak about cybersecurity like politicians do. I guess that’s a public policy department for you. :) That said, I was impressed by the instructor’s accuracy; many policy people I’ve worked with make inaccurate assertions about technology. The instructor was spot on the entire course.

    Group work can suck. I had a team that varied from okay to bad and we did okay on the projects. 1 person on our team did not really contribute at all but was assertive with their opinions, the 2nd only contributed to the second project. The third person and I did 80% of the work. Nothing too abnormal with academic group work. Would have preferred working alone; the hardest part was dealing with the non-contributors.

    Cons:

    • Go Phish is very, very questionable legally. As students we agree to GaTech’s acceptable use policy but the project scope is very vaguely defined and rules of engagement are nonexistent. One of the first things I learned in cybersecurity is to never attack things without an explicit ROE with scope clearly defined; without it in place you are in questionable ethical and legal territory at best. Any cybersecurity instructor who tells you otherwise should probably find another line of work. It’s really ironic for a cyber security policy class to ignore this.
    • Grading was all over the place. They would dock points but not tell you why. In other cases they docked points for made up requirements not specified in the rubric. Or the TA would tell you that you did great work on a section of the rubric, not mentioning any issues but dock points anyways. It felt like my grade depended on the TA I got more than the quality of the submission. In the end it all worked out and I got a solid A.
    • Projects, like most Gatech work, are vaguely defined. Most of the time that is fine; students get clarification in Piazza and go about their business. However, questions in Piazza were frequently responded to with non-answers. The only TA I ever got useful answers from was Beau, who was absolutely fantastic.


    Semester:

    Good course! Recommended.


    Semester:

    This was a very nice introductory class into the Cybersecurity program. The workload is pretty well balanced and the professor is very nice and holds regular office hours. The first 2 projects are by far the biggest chunk of time and effort in this class, but if you have good group members then they will both be pretty fun despite taking a little bit of time to complete. After project 2 it is smooth sailing until the end of the semester.


    Semester:

    This course was not good, but it fulfills its purpose of being an easy class when you need a slow semester, so there’s that.

    You can skip all the lectures and use the readings to find answers for the quizzes. I ended up with something closer to Cs on the quizzes because I wasn’t too worried about it, but these are points you probably want to spend a little extra time making sure you get.

    The first two group projects were annoying as all group projects are, but as long as you follow the rubrics you will receive As for the projects. Both projects require maybe 10 hours of work from one person.

    The two individual projects were just rehashing earlier material in the course. There was a discussion project which I think I put maybe one hour of work into and received an A for it. For the final paper, I put a couple of hours in and received a high B.

    One note I’m seeing in recent reviews and also from other channels in the course is that an 89.5%+ isn’t rounded up, so really try and get the easy quiz points when you can.

    Bonus points for this class being called “Information Security Policies” and hopefully not looking too out of place on a transcript (not that it really matters) as opposed to Digital Marketing or the like.


    Semester:

    Very lumpy time commitment; from 5 to 25 hrs per week based around key deliverables below.

    The exams are slightly picky, a lot of Ctrl+F as they’re open book and will require digging into the reading materials a lot.

    Project #1 - Phishing [team]. You will spend more time synching comms than doing the work but was it ever different? Just build a website as that’s what 75% of the exemplary assignments do, even if paper only exercise is valid.

    Project #2 - Ransomware [team]. Paper report. Crafting work modules from team members for coherence is the issue.

    Project #3 - Legal debate. Too much legislation to usefully digest in the timeframe. Canvas is a horrible platform to track debate threads.

    Project #4 - Diamond Model. Take a framework, apply it, write it up. Most unclear project for me - examples would help. Incident Response format or a Policy Recommendation?

    I have no real idea what the expectations are for the deliverables - 2 with perfect/near perfect score and 2 with below average scores. In retrospect, I can’t identify the quality differentials myside so perhaps it’s my interpretation or TA review.

    I found these to be the most helpful, knowledgeable and decent TA’s I’d experienced thus far in the program - thanks to all involved. I suspect it may be the maturity and the class size that helps.

    Prof K is a decent guy who makes himself available for the office hrs which is a rare treat in OMS. Lectures are also very high quality + relevant which is another rare treat in OMS.

    BTW, I am part of the 89% crew so bear that in mind.


    Semester:

    If you get 89.5% in this course you will end up with a B, which means 3 out of 4. Good grading system when I work myself off all semester and got a B. Ridiculous!


    Semester:

    With the exception of the group projects, I found this course to be quite easy. Workload isn’t too bad, but the material is interesting if you have an interest in the broader implications of cybersecurity and policy. The group projects aren’t too bad, but coordinating with groups can be tough when everyone is remote.


    Semester:

    Breakdown

    • 4 Assignments (85%)
    • 4 Quizzes (15%)

    Assignments

    1. Go Phish (develop a phishing campaign against a TA, write up a presentation about it)
    2. Organization Policy (develop an organization policy against ransomware attacks)
    3. Legislative Challenge (analyze a cybersecurity bill, propose amendment in group discussion, reply to others’ amendments as supporting/rejecting, vote on the results)
    4. Term Paper (apply diamond model intrusion analysis to a recent cyberattack event, 2000 word paper deliverable)

    First two assignments are group projects, and groups are randomly assigned. I was lucky to be in a group with agreeable and productive members. Our skillsets were complementary, and we were able to divide the workload evenly (enough) that I could spend <5 hours a week to cross the finish line. There is a peer survey element that reduces the grades of non-participant members.

    Last two assignments required significant reading, research, analysis, and writing. If this is not your cup of tea, the experience could be a struggle, especially if English is not your native language.

    Overwhelming majority of the grade in this course is based on nondeterministic deliverables. This is good in that given the scale of the course (100s of students) in that scrutiny on a per-assignment basis is diluted, making it less strenuous to score high marks. On the flip side, nondeterminism can be stressful, because it may not be fully clear what is expected in the deliverable.

    Quizzes

    Open book, unlimited time. Must finish once started. Mostly multiple choice, true/false. Based on assigned readings and lecture videos. Should be a straightforward 15%.


    Semester:

    The first word I thought of when thinking on how to review this class was ‘bizarre’ (based on how different it was structured to other OMSCS classes) but upon reflection I think a better description would be ‘barren’. Mind that I took this course during the Summer, and even then it seemed like there was such little content to this class. There were 4 assignments (2 group, 2 individual), 4 quizzes, and that is it. It makes this the perfect class to pair with something else, but I was somewhat disheartened since I feel this class has the potential to be really interesting and rewarding with some more thought put into the assignments and a refreshed lecture format.

    In terms of lecture format, it feels somewhat jarring from what I’ve been used to in CS classes, as most of it is ppt driven and not as interactive. It kind of feels like it was created around being for a professional certificate rather than a class, as at the start of every 5-10 minute lecture video the presenter welcomes you back to the course. Most modules seemed to breeze by since they were pretty short, but I did enjoy the material (but again, needs some more depth here).

    In terms of work, there were 4 open book quizzes (no time limit but no retakes) around the lecture material. You can pretty much take the quizzes while watching along with the lectures, so these act more like a check to make sure you are following the course content.

    The rest of the grade was split into 4 assignments: a group phishing project where you design and implement a front facing attack (think email formatting, not coding), a group project in writing a security policy, an individual assignment where the class is split into 4 groups to debate a cyber security bill, and a final individual paper. Each of these counts for 20-25% of your grade.

    These assignments were very straightforward, although the security policy was a bit ambiguous at times. The group projects could probably be finished individually without much sweat, but it’s nice if you get a good group to bounce ideas off of.

    I feel that this class will likely be going through an overhaul to heighten the difficulty and scope, one because it’s relatively new within OMSCS, and because at the end of the semester I (and my group mates) was kind of surprised it was already over. Compared to a class like SDP where there are constant weekly assignments, or KBAI where there is a gradual building of code, the structure of the course was flat and not really progressing towards some crescendo.

    The instructor staff was friendly, responsive on piazza, and professional, but as noted in other reviews there seemed some expectation for more student discussion, which was bizarre since the assignments were so straightforward and far-few between that there was not much by default to discuss.


    Semester:

    It is telling how few students bother to review this class. No one cares. It is an easy intro class for policy students, an easy elective for everyone else. The professor is a hack, an old-school contrarian who spends more time making inflammatory tweets on Twitter than responding to students in his course. Sure, he looks engaging because he bothers to comment on posts ever so often. But take a closer look at what he is saying, and to who, and you’ll notice there is something wrong, something insidious.

    The group of TAs are hit or miss individually. Perhaps they are nice people, but they are inexperienced, impractical, and really have no business grading academic papers. A few cannot even effectively communicate. Just tune in to a weekly Office Hours (which no one does) and see how they interact. Like hipsters at a coffee shop, they try to make the mundane seem deep and insightful. I wonder if the students who praise this course were one of two who participated every single week in these events.

    Also the professor said several times they were “hoping” for more interaction on the Piazza boards, or “hoping” students would do this or that. Well, this is an online course. Stop hoping, and start using the medium correctly. That means making it easier to find information, what is due and what is expected. That means giving students a reason to participate. Ungraded discussion boards are a waste of time, especially if no one is moderating. I do not care if this is a masters class. The medium isn’t. Use it right or get off the screen.

    Even with that, the course curriculum is staid, outdated, and not engaging. One project had students debate legislation that died several years ago, rather than current topics. Two group projects were mishandled by the inexperienced TAs, who decided to disrupt the entire class by randomly reassigning groups between projects.

    Bottom line: This course is good for a grade. It’s not interesting, and will probably not help you if you’ve paid any attention to anything in the world prior to taking the class. Final note - I did not bother with most of the readings or lectures and still passed the quizzes easily.


    Semester:

    This class was okay. The lectures were organized well and provided a good overview of the material. The readings were hit and miss. A few of them were good and provided some good insights into the struggles of information security policies.

    The group projects are probably what left a sour taste in my mouth with this class. It is really up to the luck of the draw with this.

    Overall, it was an okay class. I believe it would be better if it didn’t have the group projects.


    Semester:

    On balance, I enjoyed this class. There were 2 group projects which worked ok for me since my group was good, but this can be a dice roll.

    The lectures I found enjoyable, although it is so painfully obvious Dr. Mueller is reading something; a teleprompter or something along those lines would make this much less obvious and jarring.

    I can’t comment on if the subject matter was at the right level since I have no background there; I just took what I got and assumed it was all appropriate.

    There were some student-led Zoom meetings which I thought was nice even before the “Pandemic of 2020” got going into full-on quarantine mode.

    One of my projects was graded by Dr. Mueller, and I did see him participate in Piazza which I find at Ga Tech a rare treat. Instructors interacting with … students?

    The exams were open book and un-proctored, but as a result did have a few questions here and there that got a bit into minutiae, but overall I felt they covered the material in a reasonable way.

    I only have a couple complaints with the course. While the TA’s were friendly and professional on the various social platforms, I think some of them were a bit too “green” to be grading. This was not a grueling class, but on our first project I think the TA completely missed one of our main points and our grade was punished for it.

    In one instance, Dr. Mueller was lecturing about a subject I wanted to know more about, so I went to Wikipedia to find out more info and get more sources. To my irritation, I realized at least some of the lecture I’d just heard was word-for-word what I was reading in Wikipedia. With the fervor that the online program at Tech has about cheating and plagiarism, I expected more from the staff. (There may have been something in the lecture slides citing this use of Wikipedia or its sources, but I did not see any.)

    Lastly, I’m not sure how anything I learned in the class prepared me in any way for the projects. The lecture material didn’t even quite touch on the project material, nor vice versa, so I’m not sure what the point was; it was a very curious and odd mashup. Moreso the first project than the rest.

    The term paper however, (whose grades have yet to be released; days after they were due to the registrar!) does take on a lot of the subject matter, and uses techniques learned early in the class.

    As an intro class, I thought it was a good overview. You’re not going to waltz into a company as a C-level with this as your background, but that isn’t the point.


    Semester:

    Very easy, and good class. Light workload, and solid overview of security policy. Does involve group projects, so managing other people can be an extra headache and time suck to take into account. Overall a good class to take if you have the opportunity.


    Semester:

    Excellent intro course! I honestly very much enjoyed all the material and lecture. I attended some office hours and loved reading about all the research that Dr. Milton and Prof. Kuebrik were involved in. The class was easy to manage with my workload and other responsibilities and the group papers were helpful. 10/10!


    Semester:

    As a non-Cybersecurity specialization, I took this class as an elective, and I thoroughly enjoyed it. The material was well-organized and the lectures were some of the best I’ve seen in the program. There were ~weekly open-book quizzes that helped reiterate the readings and lectures. Overall, there were 4 projects: the first 2 are group projects, and the group is assigned by the instructors (same group for both); the last 2 are individual.

    The material is not difficult to grasp, but the projects will require you to be thorough with fulfilling the requirements and some creativity/thought to produce a well-polished final product. For example, these were the projects for our semester…

    Project 1 Phishing campaign to an assigned TA: Your group needed to design a phishing campaign that would get past the filters and “trick” your TA into clicking it. Some (minor) points were deducted if you can’t get past the GaTech firewall. Then, put together a powerpoint presenting the campaign.

    Project 2 Cybersecurity Policy: Your group would need to do some research on the industry assigned and the network devices used in that industry. Put together a memo (1000 words) and full cybersecurity policy (2000 words) to provide a “guidance” for the industry mentioned.

    Project 3 Policy Debate: Individually, you would be assessing the effectiveness (or non-effectiveness) of a current policy to be passed in congress.

    Project 4 Diamond Model: Individually, you would pick a cybersecurity incident, do research on it, and analyze it per the Diamond Model (one of the first topics in the course). Paper is to be ~2000 words.

    Even though I normally despise writing papers, I still enjoyed this course. I thought the material was fairly interesting and I feel like I learned a lot about cybersecurity policies. There was such an abundance of information that I never felt like I was ever severely stuck in a writer’s block to fulfill the paper requirements. In fact, I find myself needing to cut back on the writing! Overall, this was a really solid and enjoyable course.


    Semester:

    Course Overview

    Both public- and private-sector organizations are increasingly treating cyber-security issues as top-level risks. Major data breaches at companies such as Target and information security leaks such as those by Edward Snowden have enormous impacts on organizations. This course examines strategies for managing information security risks, developing knowledge suitable for a range of organizational roles such as board of directors, top management, chief information security officers, and persons reporting to such actors. The course examines the challenge of constructing and complying with Federal, State, local and organizational information security policies and legislation. It also examines key public policy cyber-security issues, recognizing the need for public-private partnerships, legislation, international coordination, and other systemic approaches for managing these risks. More generally, the course seeks to develop the multi-disciplinary thinking that will take account of the technology, business strategy, policy, and law of information security.

    SYLLABUS

    This mixed undergraduate- and graduate-level course takes a multi-disciplinary approach to the study of information security – a current topic of intensive research, system implementation, standards development, and public policy debate. The course is primarily lecture-based, with Socratic discussion of assigned readings, as well as active student participation via lively discussions and debates. Class sessions often include small-group, in-class activities to ensure hands-on experience in applying the concepts presented during lectures. There are no pre-requisites for this course, and students from varied backgrounds are welcome in the course. This course features a collaboration with an Atlanta-based company where students will analyze real-world security events along with their coursework to develop security policies that will bring students closer to being practicing security professionals. The course also features semester-long attention to security issues in the development of augmented reality systems, as an example of cutting-edge information security issues. The professors draw on their extensive experience in information technology, as well as the business, government, and legal aspects of current cyber-security debates.

    Objectives

    This course will enable students to understand how and why information security strategies and policy are developed and managed. Specific objectives include:

    • Understanding the legal and policy issues surrounding technologies that protect intellectual property, sensitive information, and other organizational information assets;
    • Understanding the role of technical standards to supplement legal and regulatory requirements;
    • Analyzing data breaches and related events to design and implement organizational strategies to address such risks;
    • Understanding the tensions between information security and usability;
    • Understanding the tensions between information security and privacy;
    • Developing the multidisciplinary skills needed to analyze, manage, and resolve the challenges associated with information security law and policy;
    • Gaining a basic grounding for future technical and other research in security policy via the examination of current research issues and problems; and
    • Gaining experience handling real-world security policy challenges through analysis of software and business artifacts using written and oral communication.

    Projects

    There will be three projects in the course, with the precise content developed close to the beginning of the semester in order to take advantage of current developments:

    • Information security law and policy paper. Students will be assigned to write a paper on a current information security law or policy issue. For this paper, the student will first argue the case for one stakeholder in the debate, and then argue for an opposing view, before concluding with a brief discussion of the student’s own view. The paper length for undergraduates will be at least 1,200 words and no more than 1,800 words. The paper length for graduate students will be at least 1,800 and no more than 2,700 words. A model paper for the format will be provided on T-Square. Due date: February 23.
    • Data breach and company strategy. Based on the presentation of an actual data breach by an Atlanta-based company, students will work in small teams to develop a company policy/strategy to address information security risks in the wake of a major data breach. Due date: March 31.
    • Augmented reality security project. Drawing on the augmented reality expertise of Professor MacIntyre, teams of students will conduct a security assessment of a technical artifact that could be incorporated into an augmented reality system in a home or business. Due date: April 20.

    Project Presentation

    During the last week of class, each student will give an oral presentation in which they will describe one of their projects and what they learned in the course. Length of presentations will depend upon course enrollment.

    Evaluation Procedures

    Final grades in the course will be determined as follows:

    • Law and policy project: 25%
    • Data breach project: 25%
    • Augmented reality project: 25%
    • Reviews of reading: 15%
    • Class attendance: 5%
    • Project presentation: 5%