Information Security Policy and Management

Course Number: 14-788

Department: Information Networking Institute

Location: Pittsburgh

Units: 6

Semester Offered: Spring

The goal of this course is to provide an overview of the security marketplace, an understanding of decision making when multiple parties are involved, and the role of policy making in the context of information security. Policy is treated broadly: it need not be government law or regulation, and it can be set within an organization. For example, an organization may have a policy of disconnecting an unpatched computer from its network. We will discuss the role of markets and competition in security provision, and then some of the key causes of market failure, namely externalities. We will then analyze how various policy tools can be applied to mitigate market failure. We will also discuss some key laws and regulations on product liability and security standards. The course also aims to provide an overview of the security industry, that is, key trends, technologies, and the strategies of vendors and users. By the end of the course, students are expected to know the key managerial and policy issues surrounding information security provision, and when and how policy intervention is needed.


Class format

Lecture and project-based

Home department


Target audience

Students in the Master of Information Systems Management program.

Background required

Some understanding of economics is expected. 

Learning objectives

  • Learn the role of markets and competing organizations in providing security and privacy.
  • Learn about how externalities are a major cause of market failure for security.
  • Learn about the deployment of security technologies and information sharing.
  • Learn what policy tools can be employed to overcome externalities, and the efficacy of those tools under a variety of scenarios. Examples of these tools may include subsidies, taxes, mandated standards, regulations, and
  • Learn about specific security and privacy policies and their impacts.
  • Learn about how security-related risks may be mitigated through the use of insurance.
  • Learn about related laws regarding product liability and their impact on software security.
  • Learn about vulnerability disclosure, key stakeholders, and issues surrounding disclosure.

Faculty and instructors who have taught this course in the past

Brett Tucker, Rahul Telang