WM090-15 Cyber Intelligence and Operations

Department: WMG
Level: Taught Postgraduate Level
Module leader: Amila Kotte Liyanage
Credit value: 15
Module duration: 1 week
Assessment: Multiple
Study location: University of Warwick main campus, Coventry

Introductory description

Routine operations management should maintain a cyber system within its operational envelope and in an optimal state to do useful work; life-cycle operations such as patches, upgrades, replacements and training are performed in a planned and orderly fashion as part of routine operations management.

With indefinite resource, that would be sufficient; the preparedness of the cyber system would always be sufficient to deal with any threat or hazard to which it is exposed. With limited resource, however, it is probable that the cyber system will be exposed to some specific threat or hazard that it is not sufficiently prepared to deal with. When this happens, an incident occurs which takes the cyber system outside its intended operational envelope.

The prioritisation and timely coordination of activities is critical to minimise the harm that follows from an incident. These activities should progressively restore the cyber system, remediate harm, prevent recurrence, inform interested parties, and restore confidence. Having a well-rehearsed incident response plan helps to do this right.

In the cyber context, situational awareness presents the human decision maker with an intuitive representation of the well-being of their cyber environment. Critically, when things go wrong, the important symptoms of this wrongness are highlighted, facilitating corrective action.

Cyber intelligence provides an organisation with the ability to assess the cyber-related threats and hazards that may damage them. It is particularly concerned with the purposeful collection of information, its processing and analysis in order to produce actionable intelligence.

This module gives students a framework to reason about cyber security in order both to anticipate incidents, and to deal with their occurrence.

Module aims

To give students the ability to reason about the confidence that might be placed in indicators of its cyber well-being.

Outline syllabus

This is an indicative module outline only, giving an idea of the sort of topics that may be covered. Actual sessions held may differ.

Cyber Intelligence

  • Risk in the cyber context – assessment, management, hazard vs threat
  • Threat actors – organisation, motivation, attention and deception
  • Narratives, language and communication
  • The intelligence cycle and current intelligence theory and practice, toolsets

Situational Awareness

  • Data collection, sensors, endpoint and channel hardening
  • Prioritisation, timeliness, presentation, normal vs abnormal, information overload

Incident response

  • The incident response lifecycle
  • Roles and structures
  • Facilities, equipment, tools and techniques
  • Internal and external communication pre-, mid- and post-incident

Learning outcomes

By the end of the module, students should be able to:

  • Critically evaluate threats and hazards to which a cyber system may be exposed
  • Evaluate the situational awareness of an organisation
  • Develop actionable intelligence
  • Synthesise key indicators of good cyber security operation plans

Indicative reading list

Roberts S, Brown R; Intelligence-Driven Incident Response; O'Reilly (2016)
Cabinet Office: National Risk Register of Civil Emergencies; UK Cabinet Office (2013); [available at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/211867/NationalRiskRegister2013_amended.pdf]
C. Avgerou, C. Ciborra and F. Land (eds) The Social Study of Information and Communication Technology: Innovation, Actors and Contexts, Oxford University Press, Oxford. 2004
C. Ciborra Digital Technologies and the Duality of Risk, CARR, LSE, 2004
M Glenny; DarkMarket: How Hackers Became the New Mafia; Vintage (2012)
UK MoD; Global Strategic Trends Out To 2045; UK MoD; (2015)
B Schneier; Liars and Outliers: Enabling the Trust that Society Needs to Thrive; Wiley (2012)

Subject specific skills

Developing cyber meaning from cyber fragments.

Transferable skills

Information literacy, ethical values, organisational awareness, communication

Study time

Type Required
Lectures 10 sessions of 1 hour (7%)
Seminars 10 sessions of 1 hour (7%)
Practical classes 10 sessions of 1 hour (7%)
Online learning (independent) 60 sessions of 1 hour (40%)
Assessment 60 hours (40%)
Total 150 hours

Private study description

No private study requirements defined for this module.

Costs

No further costs have been identified for this module.

You must pass all assessment components to pass the module.

Assessment group A2
Weighting Study time Eligible for self-certification
Coursework 100% 60 hours Yes (extension)

Typically, the submission will be some form of documentary artefact, constrained to address a scenario.

Assessment group R1
Weighting Study time Eligible for self-certification
Assessed work as specified by department 100% Yes (extension)

100% Assignment

Feedback on assessment

Written feedback provided with the mark via Tabula.

Anti-requisite modules

If you take this module, you cannot also take:

  • WM090-10 Cyber Intelligence and Operations

Courses

This module is Core optional for:

  • Year 1 of TWMA-H6C7 Postgraduate Taught Cyber Security Engineering