Course overview
- Study period: Semester 1, 2025 (24/02/2025 - 21/06/2025)
- Study level: Postgraduate Coursework
- Location: St Lucia
- Attendance mode: In Person
- Units: 2
- Administrative campus: St Lucia
- Coordinating unit: Business School
Cyber Security Risk Management and Controls supports future leaders in the challenging cyber security domain in understanding their role as leaders, building relationships with the Board and high-level management, and implementing effective cyber security controls throughout the organisation. This course is designed for experienced professionals who wish to build on their ability to lead a high-performance team of professional IT staff who perform cyber operations. This course will equip these professionals with the ability to evaluate and implement strong IT governance and management practices around cyber security, and the communication skills to communicate across all levels of management. The course uses work-relevant assessment that focusses on student roles as leaders and provides the opportunity to engage with emerging security issues, risks and vulnerabilities.
Topics will include Cyber Leadership (Role of the Cyber Security Leader; Emerging Cyber Threats), Assessment and Mitigation of Risk (Preventive, Detective, Corrective Controls), IT Governance Mechanisms for Cyber Secure Organisations, and IT Management Controls for Cyber Secure Organisations (Plan, Build, Run and Monitor).
This course is divided into 6 blocks of lectures (plus a final lecture), addressing different aspects of Cyber Security Risk Management and Cyber-Risk Controls. Topics such as the relationship between "physical" risk management and cyber risk management; risk and audit functions in cybersecurity; governance of cybersecurity risks; cyber-risk ownership in public and private sector organisations; cyber-risk communication; elements of cyber-insurance; cyber-resilience; and the future of cyber-risk controls will be explored in a highly interactive format, with classroom discussions, readings, contributions from guest speakers, videos, etc.
Each one of the 6 blocks will address one specific topic. Each block will be articulated as follows:
- Seminar-based learning (Weeks: 1, 3, 5, 7, 9, 11 and final lecture 13)
- Independent learning by students, based on materials assigned by the Lecturer (Weeks: 2, 4, 6, 8, 10, and 12)
Grounded in the practice of cyber-risk management, the course explores issues that arise in real life, rather than focusing on topics that are academically interesting but of little practical relevance. A business focus is intrinsic to this course, which does not require technical cybersecurity expertise. Similarly, no prior managerial knowledge is assumed.
Course requirements
Prerequisites
You'll need to complete the following courses before enrolling in this one:
For MCyberSec students - CYBR7001 or CYBR7003. For all other students - at least 8 units of postgraduate courses.
Course contact
Course staff
Lecturer
Timetable
The timetable for this course is available on the UQ Public Timetable.
Additional timetable information
Please note: Teaching staff do not have access to the timetabling system to help with class allocation. Therefore, should you need help with your timetable and/or allocation of classes, please ensure you email business.mytimetable@uq.edu.au from your UQ student email account with the following details:
- Full name
- Student ID
- Course Code
Aims and outcomes
Overall, this course aims to expand the students' understanding of the dynamics that characterise activities associated with cybersecurity risk management in modern organisations, with reference to both the public and the private sector, and from a national as well as an international standpoint.
Course aims include:
- To offer the students an opportunity to discover the activities that are typically executed to identify, assess and manage risks of a cyber-nature, in modern organisations;
- To help the students differentiate between the different types of controls currently practiced to manage cyber-risks;
- To develop the students' leadership skills in the field of cybersecurity risk management and prepare them to become decision-makers in this very field;
- To expand the students' understanding of subject matters that are constantly evolving in the "cybersecurity universe", such as cyber-insurance and
Learning outcomes
After successfully completing this course you should be able to:
LO1. Understand and act upon the different activities that characterise the management of cyber-risks in modern organisations
LO2. Make connections between cybersecurity risk management and the broader portfolio of enterprise risk management activities
LO3. Mobilise the appropriate (internal and external) resources and critical thinking to effectively perform cybersecurity risk management
LO4. Acquire skills to perform evidence-based decision-making in cybersecurity risk management
LO5. Lead organisational conversations around the importance of cybersecurity risk management and, more generally, be a champion of safe cybersecurity practices
LO6. Produce outputs in different formats (presentations, reports, etc.) to offer evidence to support decision making in the field of cybersecurity risk management
Assessment
Assessment summary
Category | Assessment task | Weight | Due date |
---|---|---|---|
Presentation | Recorded Video-Presentation | 40% | 11/04/2025 3:00 pm |
Paper/ Report/ Annotation | Critical Analysis of Assigned Material | 20% | 23/05/2025 3:00 pm |
Essay/ Critique, Reflection | Reflective Essay on Cybersecurity Risk Management | 40% | 13/06/2025 3:00 pm |
Assessment details
Recorded Video-Presentation
- Mode: Product/ Artefact/ Multimedia
- Category: Presentation
- Weight: 40%
- Due date: 11/04/2025 3:00 pm
- Learning outcomes: L01, L02, L03, L04, L05, L06
Task description
Students will choose one of four pre-assigned topics and conduct a critical analysis of it.
The output of this assessment will be a video-presentation, recorded by the students and supported with slides.
In the presentation, students will need to demonstrate their understanding of the selected topic and its associated issues, offer their critical perspective on it, illustrate how the topic is reflected in the practice of cybersecurity risk management and offer recommendations for addressing the identified open issues.
Assigned topics will be inspired by contents and materials explored during the first three blocks of the course.
The video-presentation must have a maximum duration of 15 minutes.
Students will need to submit through Blackboard:
Slide-deck utilised to support their video-presentation.
AI Statement:
Artificial Intelligence (AI) and Machine Translation (MT) are emerging tools that may support students in completing this assessment task. Students may appropriately use AI and/or MT in completing this assessment task. Students must clearly reference any use of AI or MT in each instance.
A failure to reference generative AI or MT use may constitute student misconduct under the Student Code of Conduct.
Submission guidelines
via Blackboard
Deferral or extension
You may be able to apply for an extension.
Late submission
A penalty of 10% of the maximum possible mark will be deducted per 24 hours from the time the submission is due, for up to 7 days. After 7 days, you will receive a mark of 0.
Critical Analysis of Assigned Material
- Mode: Written
- Category: Paper/ Report/ Annotation
- Weight: 20%
- Due date: 23/05/2025 3:00 pm
- Learning outcomes: L01, L02, L03, L04, L05, L06
Task description
Word Count: Maximum of 1,500 words.
The independent study sessions in this course require students to independently analyse industry reports, papers and other materials on specific topics.
This assessment requires students to select the materials required in one of the Independent Study Sessions and write a critical analysis of the same material, based on the guiding questions provided by the Lecturer.
In their analysis, students will need to demonstrate their understanding of the topics and issues discussed in the assigned material and offer their perspective on them, making reference to their previous work experience or to the job positions they would like to hold in the future.
AI Statement:
Artificial Intelligence (AI) and Machine Translation (MT) are emerging tools that may support students in completing this assessment task. Students may appropriately use AI and/or MT in completing this assessment task. Students must clearly reference any use of AI or MT in each instance.
A failure to reference generative AI or MT use may constitute student misconduct under the Student Code of Conduct.
Submission guidelines
Submission to be done through Turnitin (see Blackboard).
Deferral or extension
You may be able to apply for an extension.
Late submission
A penalty of 10% of the maximum possible mark will be deducted per 24 hours from the time the submission is due, for up to 7 days. After 7 days, you will receive a mark of 0.
Reflective Essay on Cybersecurity Risk Management
- Mode: Written
- Category: Essay/ Critique, Reflection
- Weight: 40%
- Due date: 13/06/2025 3:00 pm
- Learning outcomes: L01, L02, L03, L04, L05, L06
Task description
Word count: Maximum 2,500 words (Title, Abstract, Tables, Figures, Appendices and References excluded).
This assessment requires students to select 1 of the topics addressed in the classroom and write a reflective essay on it.
In the reflective essay, students will need to demonstrate their knowledge of the discussed topic, acquired through the materials explored during the course and expanded through independent research.
Students will also need to demonstrate critical thinking and the ability to analyse controversial issues in cybersecurity risk management, highlighting their practical implications by drawing on case studies and analysis of real-world issues.
AI Statement:
Artificial Intelligence (AI) and Machine Translation (MT) are emerging tools that may support students in completing this assessment task. Students may appropriately use AI and/or MT in completing this assessment task. Students must clearly reference any use of AI or MT in each instance.
A failure to reference generative AI or MT use may constitute student misconduct under the Student Code of Conduct.
Submission guidelines
Essay to be submitted through Turnitin (see Blackboard)
Deferral or extension
You may be able to apply for an extension.
Late submission
A penalty of 10% of the maximum possible mark will be deducted per 24 hours from the time the submission is due, for up to 7 days. After 7 days, you will receive a mark of 0.
Course grading
Full criteria for each grade are available in the Assessment Procedure.
Grade | Cut off Percent | Description |
---|---|---|
1 (Low Fail) | 0 - 29 | Absence of evidence of achievement of course learning outcomes. |
2 (Fail) | 30 - 46 | Minimal evidence of achievement of course learning outcomes. |
3 (Marginal Fail) | 47 - 49 | Demonstrated evidence of developing achievement of course learning outcomes. |
4 (Pass) | 50 - 64 | Demonstrated evidence of functional achievement of course learning outcomes. |
5 (Credit) | 65 - 74 | Demonstrated evidence of proficient achievement of course learning outcomes. |
6 (Distinction) | 75 - 84 | Demonstrated evidence of advanced achievement of course learning outcomes. |
7 (High Distinction) | 85 - 100 | Demonstrated evidence of exceptional achievement of course learning outcomes. |
Additional course grading information
Grades will be allocated according to University-wide standards of criterion-based assessment.
Supplementary assessment
Supplementary assessment is available for this course.
Learning resources
You'll need the following resources to successfully complete the course. We've indicated below if you need a personal copy of the reading materials or your own item.
Library resources
Find the required and recommended resources for this course on the UQ Library website.
Learning activities
The learning activities for this course are outlined below. Learn more about the learning outcomes that apply to this course.
Learning period | Activity type | Topic |
---|---|---|
Week 1 | Seminar | Introduction to BISM7620 and Cyber Risk Management. Block 1: Cybersecurity risk management fundamentals. Learning outcomes: L01, L02 |
Week 2 | General contact hours | Introduction to BISM7620 and Cyber Risk Management. Block 1: Cybersecurity risk management fundamentals (independent study session). Learning outcomes: L01, L02 |
Week 3 | Seminar | IT and Cybersecurity governance: focus on risks. Block 2: Relationships between IT and Cybersecurity governance. Learning outcomes: L01, L02, L03, L04 |
Week 4 | General contact hours | IT and Cybersecurity governance: focus on risks. Block 2: Relationships between IT and Cybersecurity governance (independent study session). Learning outcomes: L01, L02, L03, L04 |
Week 5 | Seminar | Risk and audit function and cybersecurity roles. Block 3: Risk and audit function within organisations: focus on cybersecurity risks. Learning outcomes: L02, L03, L05 |
Week 6 | General contact hours | Risk and audit function and cybersecurity roles. Block 3: Risk and audit function within organisations: focus on cybersecurity risks (independent study session). Learning outcomes: L02, L03, L05 |
Week 7 | Seminar | Communicating risks across the organisation. Block 4: Communicating risks across the organisation: the role of Board of Directors and Executives. Learning outcomes: L03, L04, L05, L06 |
Week 8 | General contact hours | Communicating risks across the organisation. Block 4: Communicating risks across the organisation: the role of Board of Directors and Executives (independent study session). Good Friday Public Holiday - Friday 18 April 2025 - Check Blackboard for announcements about affected classes. Learning outcomes: L03, L04, L05, L06 |
Mid-sem break | No student involvement (Breaks, information) | In-Semester Break |
Week 9 | Seminar | Open issues in cybersecurity risk management. Block 5: Open issues in cybersecurity risk management. Learning outcomes: L03, L05, L06 |
Week 10 | General contact hours | Open issues in cybersecurity risk management. Block 5: Open issues in cybersecurity risk management. Learning outcomes: L03, L05, L06 |
Week 11 | Seminar | The future of cybersecurity risk management. Block 6: The future of cybersecurity risk management. Learning outcomes: L03, L05, L06 |
Week 12 | General contact hours | The future of cybersecurity risk management. Block 6: The future of cybersecurity risk management (independent study session). Learning outcomes: L03, L05, L06 |
Week 13 | Seminar | Wrap-up session. Wrap-up session with students on the overall contents of the course. Learning outcomes: L01, L02, L03, L04 |
Policies and procedures
University policies and procedures apply to all aspects of student life. As a UQ student, you must comply with University-wide and program-specific requirements, including the:
- Student Code of Conduct Policy
- Student Integrity and Misconduct Policy and Procedure
- Assessment Procedure
- Examinations Procedure
- Reasonable Adjustments - Students Policy and Procedure
Learn more about UQ policies on my.UQ and the Policy and Procedure Library.