Course profile

Cyber Security Governance, Policy, Ethics and Law (CYBR7003)

Study period: Sem 1 2025
Location: St Lucia
Attendance mode: In Person

Course overview

Study period: Semester 1, 2025 (24/02/2025 - 21/06/2025)
Study level: Postgraduate Coursework
Location: St Lucia
Attendance mode: In Person
Units: 2
Administrative campus: St Lucia
Coordinating unit: Business School

This is an introductory, inter-disciplinary course providing an overview of the best practices and emerging developments in governance, ethics, legal and policy aspects of cyber security and data privacy.

This course is structured in two parts. The first part addresses cyber-security legal issues as they impact businesses and organisations. Although the focus will be on the law relevant to businesses, criminal law will be considered but through the lens of business. This part recognises that business and technology operate internationally, even though the law may be country or state based. Focus is not limited to Queensland or even Australian law. This part will consider issues such as determining which countries’ laws will apply and how to enforce laws in an international context. The legal component of the course will explore issues such as responsibility to protect and secure data, how liability is determined in a complex IT supply chain, what the legal risks are if something goes wrong, and how to deal with legal issues in a cyber security incident.

The second part of this course focuses on cyber security from an organisational perspective and looks at how public and private organisations manage the security of the information they collect, store, elaborate and dispose of. In this second part, topics such as leadership in cyber security, cyber security policies and compliance, governance of cyber security and design of information security systems will provide students with an overview of the dynamics associated with managing cyber security in the workplace. Questions such as “what are the weak links in an organisation’s information security management systems?”, “how can individuals interact with technologies and create opportunities for cyber-breaches?”, or “how can companies design cyber security systems that are secure as well as user-friendly?” are examples of the issues that will be analysed in the second part.

The course is intended to be practical, looking at issues that arise in real life, rather than focusing on topics that are academically interesting but of little practical relevance. The course spotlights business problems, and in doing so, looks at several relevant legal and managerial subjects. The course aims to tie these topics together. Various problems will be workshopped throughout the course. No prior managerial or legal study or knowledge is assumed.

CYBR7003 is an interactive course taught in seminar mode. At times, we will use the Socratic method of lecturing, so you may be called upon to contribute during the seminars. You will be expected to have read each key reading. You are encouraged to turn your phones off during class, and to limit use of your laptops when we are engaging in discussion.

Course requirements

Restrictions

CYBR7003 is for students enrolled in BCompSc/MCyberSec, GCCyberSec, GDipCyberSec, MCyberSec, MBus or MCom programs only.

Course contact

Lecturer

Dr Bikesh Raj Upreti

Course staff

Lecturer

Timetable

The timetable for this course is available on the UQ Public Timetable.

Additional timetable information

Please note: Teaching staff do not have access to the timetabling system to help with class allocation. Therefore, should you need help with your timetable and/or allocation of classes, please ensure you email business.mytimetable@uq.edu.au from your UQ student email account with the following details:

  • Full name
  • Student ID
  • Course Code

Aims and outcomes

The aims of the course are to provide students with understanding of the governance, policy, legal and ethical issues relating to cyber security in both an international and domestic context.

Course aims include:

  1. To assist students in understanding the legal framework as it applies to businesses as relevant to cyber security.
  2. To give students an awareness of the legal complexities that arise when responding to a cyber security breach.
  3. To provide students with practical issue-spotting and problem-solving skills relevant to cyber security.
  4. To tie together a number of policy, legal and ethical topics in a coherent way to deal with and solve real world problems.
  5. To immerse students in an organisational context, for them to experience first-hand the dynamics that characterise cyber security in the workplace.
  6. To help students understand current governance structures and arrangements in public and private organisations, also in the light of recommendations by international best practice standards.
  7. To provide students with the managerial tools required to be champions of safe cyber security practices.
  8. To increase students' awareness of the importance of human factors in cyber security management.

Learning outcomes

After successfully completing this course you should be able to:

LO1. Articulate, in an organisational context, the key elements of governance and policy-making on matters of cyber security.

LO2. Design and execute strategies aimed at promoting compliance with cyber security policies and a sound cyber security culture in organisations.

LO3. Mobilise the appropriate resources (information, skills, etc.) to ensure effective cyber risk management in an organisational context.

LO4. Work within a team to anticipate the cyber security needs arising in various types of organisations.

LO5. Examine, research and analyse emerging legal issues in relation to cybersecurity.

LO6. Be an engaged participant in discussions concerning the state of the law relevant to cyber security, such as where there are gaps in the law due to rapid advancements in technology.

LO7. Identify potential legal and commercial issues arising in an international commercial context relating to cyber security and provide potential solutions.

LO8. Demonstrate a critical understanding of the legal complexities that arise in relation to responding to a cyber security breach.

Assessment

Assessment summary

Category | Assessment task | Weight | Due date
Essay/ Critique | Legal perspectives in cyber security | 30% | 8/04/2025 2:00 pm
Paper/ Report/ Annotation | Organisational cyber security report | 30% | 20/05/2025 2:00 pm
Essay/ Critique, Presentation | Application of cybersec org & legal principles (Team or group-based) | 40% | 9/06/2025 2:00 pm

Assessment details

Legal perspectives in cyber security

Mode: Written
Category: Essay/ Critique
Weight: 30%
Due date: 8/04/2025 2:00 pm
Learning outcomes: L05, L06, L07, L08

Task description

Students will be required to prepare an essay individually in relation to a legal issue that arises in a business context in relation to cybersecurity.

The paper should identify the issue, set out the law in relation to the issue, identify any gaps or problems with the current law, and if appropriate propose possible changes to the current law.

Three example essay topics will be published during the semester. Students can select one of these three topics. Alternatively, students can propose a topic, which must be approved by teaching staff.

The word limit for the essay is a maximum of 2,200 words.

By way of clarification, this word count:

  • includes headings and subheadings;
  • does not include text in the header;
  • does not include footnotes or Appendices - however footnotes should be used for citation purposes only. Substantive text should not be included in footnotes.

This task has been designed to be challenging, authentic and complex. Whilst students may use AI technologies, successful completion of assessment in this course will require students to critically engage in specific contexts and tasks for which artificial intelligence will provide only limited support and guidance.

AI Statement:

The use of AI is permitted for this assessment; however, it must comply with the guidelines and constraints outlined on Blackboard at the start of the course. These requirements include providing a record of the prompts used to query AI, the AI-generated responses, and evidence of critical analysis of the AI-generated text before incorporating it into the assessment. Typically, this information should be included in the assessment appendix. Additionally, any use of AI must be appropriately referenced within the submission. These measures are in place to ensure that students demonstrate a thorough understanding of their written work, independent of AI assistance, as this is a key requirement for passing the assessment.

A failure to use AI according to the guidelines above (and detailed on Blackboard at the beginning of the course) may constitute student misconduct under the Student Code of Conduct. 

Submission guidelines

Submission will be via Turnitin, within the CYBR7003 Blackboard site.

Deferral or extension

You may be able to apply for an extension.

Late submission

A penalty of 10% of the maximum possible mark will be deducted per 24 hours from the time the submission is due, for up to 7 days. After 7 days, you will receive a mark of 0.

Organisational cyber security report

Mode: Written
Category: Paper/ Report/ Annotation
Weight: 30%
Due date: 20/05/2025 2:00 pm
Learning outcomes: L01, L02

Task description

This individual assessment item covers Organisational Perspectives in Cyber Security (governance, policies, procedures, compliance, risk management, culture - including awareness, training and education - and ethics) (Weeks 7 - 12 content).

For this assessment, you will take on the role of an information security consultant and assess an organisational cyber security scenario.

You will provide recommendations for areas to improve and on how to capture further meaningful information for your analysis.

This task has been designed to be challenging, authentic and complex. Whilst students may use AI technologies, successful completion of assessment in this course will require students to critically engage in specific contexts and tasks for which artificial intelligence will provide only limited support and guidance.

AI Statement:

The use of AI is permitted for this assessment; however, it must comply with the guidelines and constraints outlined on Blackboard at the start of the course. These requirements include providing a record of the prompts used to query AI, the AI-generated responses, and evidence of critical analysis of the AI-generated text before incorporating it into the assessment. Typically, this information should be included in the assessment appendix. Additionally, any use of AI must be appropriately referenced within the submission. These measures are in place to ensure that students demonstrate a thorough understanding of their written work, independent of AI assistance, as this is a key requirement for passing the assessment.

A failure to use AI according to the guidelines above (and detailed on Blackboard at the beginning of the course) may constitute student misconduct under the Student Code of Conduct. 

Submission guidelines

Submission will be via Turnitin, within the CYBR7003 Blackboard site.

Deferral or extension

You may be able to apply for an extension.

Late submission

A penalty of 10% of the maximum possible mark will be deducted per 24 hours from the time the submission is due, for up to 7 days. After 7 days, you will receive a mark of 0.

Application of cybersec org & legal principles

  • Team or group-based
Mode: Product/ Artefact/ Multimedia
Category: Essay/ Critique, Presentation
Weight: 40%
Due date: 9/06/2025 2:00 pm
Other conditions: Peer assessed.

Learning outcomes: L01, L02, L03, L04, L05, L06, L07, L08

Task description

In this task you will work in small groups to develop and submit a video presentation (15-20 minutes) supported with slides and/or other appropriate audio-visual aids on a cyber security topic, relating that topic to the learning objectives of the whole course.

The precise scenarios and topics will be guided by teaching staff, and you will be given a clear assignment specification outlining the required components. 

As a group assignment, this piece of assessment will incorporate a peer assessment component. The results of this peer assessment may impact your final marks.

This task has been designed to be challenging, authentic and complex. Whilst students may use AI technologies, successful completion of assessment in this course will require students to critically engage in specific contexts and tasks for which artificial intelligence will provide only limited support and guidance.

AI Statement:

The use of AI is permitted for this assessment; however, it must comply with the guidelines and constraints outlined on Blackboard at the start of the course. These requirements include providing a record of the prompts used to query AI, the AI-generated responses, and evidence of critical analysis of the AI-generated text before incorporating it into the assessment. Typically, this information should be included in the assessment appendix. Additionally, any use of AI must be appropriately referenced within the submission. These measures are in place to ensure that students demonstrate a thorough understanding of their written work, independent of AI assistance, as this is a key requirement for passing the assessment.

A failure to use AI according to the guidelines above (and detailed on Blackboard at the beginning of the course) may constitute student misconduct under the Student Code of Conduct.

Submission guidelines

Video-presentation to be uploaded on Blackboard.

Deferral or extension

You may be able to apply for an extension.

Late submission

A penalty of 10% of the maximum possible mark will be deducted per 24 hours from the time the submission is due, for up to 7 days. After 7 days, you will receive a mark of 0.

Course grading

Full criteria for each grade are available in the Assessment Procedure.

Grade | Cut off Percent | Description
1 (Low Fail) | 0 - 29 | Absence of evidence of achievement of course learning outcomes.
2 (Fail) | 30 - 46 | Minimal evidence of achievement of course learning outcomes.
3 (Marginal Fail) | 47 - 49 | Demonstrated evidence of developing achievement of course learning outcomes.
4 (Pass) | 50 - 64 | Demonstrated evidence of functional achievement of course learning outcomes.
5 (Credit) | 65 - 74 | Demonstrated evidence of proficient achievement of course learning outcomes.
6 (Distinction) | 75 - 84 | Demonstrated evidence of advanced achievement of course learning outcomes.
7 (High Distinction) | 85 - 100 | Demonstrated evidence of exceptional achievement of course learning outcomes.

Additional course grading information

Grades will be allocated according to University-wide standards of criterion-based assessment.

Supplementary assessment

Supplementary assessment is available for this course.

Learning resources

You'll need the following resources to successfully complete the course. We've indicated below if you need a personal copy of the reading materials or your own item.

Library resources

Find the required and recommended resources for this course on the UQ Library website.

Learning activities

The learning activities for this course are outlined below. Learn more about the learning outcomes that apply to this course.

Learning period Activity type Topic
Week 1
Seminar

Introduction to CYBR7003: The Legal Framework

  • Law and lawlessness
  • Civil v. Criminal Causes of action
  • Reasonable Care or Absolute Responsibility?
  • Defences
  • Compensation
  • Ownership
  • Proof
  • The international context

Learning outcomes: L05, L06

Week 2
Seminar

Privacy, Security and Confidentiality

  • Obligations of confidence
  • Obligations of integrity
  • Relevant privacy law principles
  • Notifiable data breaches

Learning outcomes: L05, L07, L08

Week 3
Seminar

Platforms and Cloud

  • Data Ownership and Control of Data
  • Supply chain legal risks
  • Who owns data in the cloud?
  • Where is data when in the cloud?
  • Who is responsible for data in the cloud?
  • Social Media legal issues

Learning outcomes: L05, L06, L07, L08

Week 4
Seminar

The International Context

  • International issues
  • Choice of law
  • Cross Border data transfers
  • Cross Border breaches
  • Jurisdiction
  • Protecting Critical Infrastructure

Learning outcomes: L05, L06, L07, L08

Week 5
Seminar

Responding to Cybersec Incidents & Wrap-up

  • Stopping the harm
  • Determining who is legally responsible
  • Potential legal causes of action and liability risks
  • Reducing legal exposure
  • Insurance issues
  • Evidence: collecting evidence, maintaining integrity, identifying the bad actor
  • CASE STUDIES: Optus and Medibank Private ransomware incidents in 2022
  • Practical steps

Learning outcomes: L05, L06, L07, L08

Week 6
Seminar

Between Management and Law: Ethics in Cyber-Security

  • Definitions and key-concepts
  • Guiding managerial behaviours and operational practices in organisations
  • A cybersecurity deontology?
  • From the legal domain to organisational policies

Learning outcomes: L01, L06, L07

Week 7
Seminar

Industry Panel

Meet several cyber-professionals and talk about all things cyber with them!

Learning outcomes: L02, L04

Week 8
Seminar

Organisational Cyber-Security: An Intro

  • Basic definitions
  • IT governance: historical perspective and definitions
  • Corporate governance, IT governance, infosec governance
  • Corporate governance theories in action: Agency Theory. How does it apply to infosec?

Learning outcomes: L01, L02, L03

Mid-sem break
Seminar

In-Semester Break

Week 9
Seminar

Governance in Cyber-Security: Standards and Frameworks

  • ISO27001-002; NIST; and Essential Eight
  • Standards in action in public and private organisations

Learning outcomes: L01, L03

Week 10
Seminar

Org Cybersec Policies and Procedures

  • Infosec policies: unpacking them
  • Compliance vs non-compliance: root causes and the role of human factors
  • Compliance issues with information security policies: why don't employees comply?
  • Antecedents of compliance

Learning outcomes: L01, L02, L04

Week 11
Seminar

Cyber-Security Risk Management + Intro: Culture & Training

  • Cyber-risk management: a complete overview
  • Awareness Culture and Training: an Intro
  • Cyber-risk assessment in practice

Learning outcomes: L02, L03, L04

Week 12
Seminar

Cyber-Security Awareness, Training and Education

  • CS Risk Management - wrap-up
  • Organisational awareness campaigns
  • CS training and Education

Learning outcomes: L02, L03, L04

Week 13
Seminar

Wrap-up and Assessment Lab

This session will wrap up the course contents, answer questions students may have on their assessment, and give them time to work on assessment 3, if required.

Learning outcomes: L01

Policies and procedures

University policies and procedures apply to all aspects of student life. As a UQ student, you must comply with University-wide and program-specific requirements, including the:

Learn more about UQ policies on my.UQ and the Policy and Procedure Library.