Georgia State University

Department of Computer Information Systems

Course Syllabus (under revision)


Accounting 8680 (Sections 1 -- CRN 82915 and section 2 -- 86440)

CIS 8680 (Sections 1 -- CRN 83025 and section 2 -- 86441)

Security and Privacy of Information and Information Systems


Fall 2004


This syllabus provides a general guideline for the conduct of the course; however, deviations may be necessary.




Carl Stucke, PhD


906 RCB Building, 35 Broad Street

Office Hours

Tuesdays 2:45-3:45 (starting 8/24) & by appointment (email is always the best way to reach me. I’m happy to meet at other times, in person or in chat.)

Office Phone

(404) 651-3836




Meetings: Minimester I (section 1 of both Acct and CIS) and Minimester II (section 2 of both Acct and CIS): Mondays & Wednesdays 4:30 – 7 online via WebCT and vClass (The first meeting is in person in Classroom South CS305.)

Internet resources: (under ongoing update and enhancement)

Schedule Minimester I and Minimester II (containing class topics and assignments) (under ongoing revision with specific speakers not confirmed)

Prerequisites: CSP 1, 2, 3, 4, 5, 6, 7, and 8

Course Materials (used books can typically be found at several sites)

Catalog Description

This course is designed to develop knowledge and skills for security of information and information systems within organizations. It focuses on concepts and methods associated with planning, designing, implementing, managing, and auditing security at all levels and on all systems platforms, including worldwide networks. The course presents techniques for assessing risk associated with accidental and intentional breaches of security. It covers the associated issues of ethical uses of information and privacy considerations.

Course Objectives

Upon successful completion of this course, students will develop a sound understanding of  

  • The diversity of stakeholders that regard information security and privacy
  • The broad framework of information security and privacy
  • The relationship between ethics, privacy, and organizational information decisions
  • The nature of common information hazards
  • The basic operation and limitations of common information safeguards
  • The milieu of laws, codes of practice, and standards that form the context for information security and privacy
  • The organizational options for information security and privacy

  Based on this understanding, students will develop qualifications to

1.       Design organizational policies for information security and privacy

2.       Create threat scenarios of potential vulnerabilities for particular settings

3.       Specify safeguards for computer-based information assets

4.       Plan and organize the information security and privacy function within an organization

5.       Determine a planning process for analyzing information risks and choosing optimal organizational responses

The organizing principle for the course is drawn toward the attainment of these five qualifications.


General Class Policies

         Prerequisites are strictly enforced. Students failing to complete a prerequisite with a grade of “C” or higher will be administratively withdrawn from the course in which they are in violation with a loss of tuition fees. There are no exceptions.

         Students are expected to attend all classes and group meetings (whether online or in person), except when precluded by emergencies, religious holidays or bona fide extenuating circumstances.

         Students who, for non-academic reasons beyond their control, are unable to meet the full requirements of the course should notify the instructor. Incompletes may be given if a student has ONE AND ONLY ONE outstanding assignment.

         A “W” grade will be assigned if a student withdraws before mid-semester while maintaining a passing grade. Withdrawals after the mid-semester date will result in a grade of “WF”. Refer to GSU catalog or Registrar’s office for details.

         Spirited class participation is encouraged and informed discussion in class is expected. This requires completing readings and assignments before class.

         Unless specifically stated by the instructor, all exams and lab assignments are to be completed by the student alone.

         Within-group collaboration is allowed on project work. Collaboration between project groups will be considered cheating unless specifically allowed by an instructor.

         Copying work from the Internet without a proper reference will be considered plagiarism and subject to disciplinary action as delineated in the Student Handbook.

         Any non-authorized collaboration will be considered cheating and the student(s) involved will have an Academic Dishonesty charge completed by the instructor and placed on file in the Dean’s office and the CIS Department. All instructors regardless of the type of assignment will apply this Academic Dishonesty policy equally to all students. See excerpt from the Student Handbook below:


Academic Honesty

(Abstracted from GSU’s Student Handbook Student Code of Conduct “Policy on Academic Honesty and Procedures for Resolving Matters of Academic Honesty” - )


As members of the academic community, students are expected to recognize and uphold standards of intellectual and academic integrity. The University assumes as a basic and minimum standard of conduct in academic matters that students be honest and that they submit for credit only the products of their own efforts. Both the ideals of scholarship and the need for fairness require that all dishonest work be rejected as a basis for academic credit. They also require that students refrain from any and all forms of dishonorable or unethical conduct related to their academic work.


Students are expected to discuss with faculty the expectations regarding course assignments and standards of conduct. Here are some examples and definitions that clarify the standards by which academic honesty and academically honorable conduct are judged at GSU.


Plagiarism. Plagiarism is presenting another person’s work as one’s own. Plagiarism includes any paraphrasing or summarizing of the works of another person without acknowledgment, including the submitting of another student’s work as one’s own. Plagiarism frequently involves a failure to acknowledge in the text, notes, or footnotes the quotation of the paragraphs, sentences, or even a few phrases written or spoken by someone else. The submission of research or completed papers or projects by someone else is plagiarism, as is the unacknowledged use of research sources gathered by someone else when that use is specifically forbidden by the faculty member. Failure to indicate the extent and nature of one’s reliance on other sources is also a form of plagiarism. Any work, in whole or part, taken from the Internet or other computer based resource without properly referencing the source (for example, the URL) is considered plagiarism. A complete reference is required in order that all parties may locate and view the original source. Finally, there may be forms of plagiarism that are unique to an individual discipline or course, examples of which should be provided in advance by the faculty member. The student is responsible for understanding the legitimate use of sources, the appropriate ways of acknowledging academic, scholarly or creative indebtedness, and the consequences of violating this responsibility.


Cheating on Examinations. Cheating on examinations involves giving or receiving unauthorized help before, during, or after an examination. Examples of unauthorized help include the use of notes, texts, or “crib sheets” during an examination (unless specifically approved by the faculty member), or sharing information with another student during an examination (unless specifically approved by the faculty member). Other examples include intentionally allowing another student to view one’s own examination and collaboration before or after an examination if such collaboration is specifically forbidden by the faculty member.


Unauthorized Collaboration. Submission for academic credit of a work product, or a part thereof, represented as its being one’s own effort, which has been developed in substantial collaboration with assistance from another person or source, or computer-based resource, is a violation of academic honesty. It is also a violation of academic honesty knowingly to provide such assistance. Collaborative work specifically authorized by a faculty member is allowed.


Grading: Examinations / Assignments (note that group assigned grades account for 60% of your overall grade)

Class Participation: 20% (assigned on a group basis but adjusted by peer review scores)

Examinations: 40%

Security and Privacy Policy Project: 20%

Security issues white paper: 20%


Grade Distribution

Grade Percentage

A 90 - 100

B 80 - 89

C 70 - 79

D 60 - 69

F 0 - 59

Refer to the class schedule for the due dates and timing of examinations. Any assignments turned in late are subject to a 10% per day penalty.

Special Considerations

The course web and/or WebCT site(s) will be used as a repository for examples of course paper problems, model solutions, examples of projects, and further required course material that arises during the class. Students must arrange for their own access to the World Wide Web (Internet access is available free in the GSU labs). All student work submitted in fulfillment of course requirements is deemed to be granted in the public domain (copyright-free) for the purposes of use as instructional material or examples of student work in future courses. The course syllabus provides a general plan for the course. Deviations may be necessary.

Class Attendance Policy

Roll will not be taken on a regular basis. It is the student's responsibility to attend sessions (physical or virtual), obtain assignments, and turn in work on time. Absence from class does not relieve you of any of these responsibilities. Absences will be considered excused if they are due to an emergency, religious holidays, or some other extenuating circumstance. Please notify the instructor in advance if possible. Unless an absence is excused, students will NOT be allowed to make up missed work. All students are expected to be prepared to discuss assigned materials. Individuals may be "cold called" in order to generate discussion.


         This class is a seminar class and participation is a must.

         Visit the Internet sites before the class meets and be prepared to discuss topics in class.

         Participation grades are assigned on a meeting-by-meeting basis.


The participation grades are assigned on the basis of your GROUP’S:

         Discussing the content and issues after reading the articles assigned for the class period,

         Visiting web sites or collecting information from other sources that are relevant to class discussion and posting these within WebCT.

         Discussing important issues relevant to the topic under discussion during class.

         Identifying questions that were not answered or topics that were not covered (or not covered thoroughly or easily enough) and, then, identifying and posting sources that provide answers or more thorough or more easily understood explanations.

         Presenting your projects in class.

         Attendance and classroom / chat room presence do not count as participation.

         Participation grades are based on quality and quantity. Quality weighs more and innocuous comments such as “it is interesting, I agree, or I believe this is correct” are not adequate for getting participation grades. You should exhibit a certain depth of understanding or stimulate discussion. Just being logged in and present does not count for participation grades. Group contributions and postings (pre, during, and post sessions) comprise the grade for participation. For individuals in a group, the individual’s participation score will be the group score multiplied by the average of the peer review scores that individual receives from the other members of that individual’s group.

         Lack of adequate participation would cause your semester letter-grade to drop. You should strive to participate actively from the first week of classes. It is not easy to make up the grades at the latter part of the course.

Discovery learning through web-enabled collaboration

This course is taught as discovery learning through web-enabled collaboration. Discovery learning is learning in which learners actively seek knowledge or principles for solving problems. In discovery learning, learners recognize pertinent knowledge not because the teacher identifies it beforehand but because it enables learners to make progress solving the problem. Learning through web-enabled collaboration means that students and teacher share a common workspace in which they work together to solve problems. The learning space in this course is implemented with real-time (synchronous) discussion coupled with a web-based presentation frame for text and other objects, as supported by WebCT. Between class sessions, participants' conversations can continue--in the bulletin board.

Using synchronous discussion for class sessions fosters discovery learning by (1) promoting students' consideration of more information and more alternatives for solving problems and (2) creating a community-of-practice in the class that promotes student participation rather than passive acquisition of abstract knowledge. It is beneficial to learn to use more information more adroitly because of the increasing velocity of business environments. As information services become a larger component of the economy over the next few decades, the innovative use of information will likely become the most valued skill. If "careers…increasingly resemble networks of multiple and simultaneous commitments with a constant churn of new skills and outmoded roles" (K. Kelly, New rules for the new economy, Wired, September 1997, p. 154), then students need to practice being innovative problem solvers, which learning in synchronous discussion is intended to promote.

Session assignments

Studying source materials. To access an assignment for a specific session, click on the topic for that session in the Schedule. Scan the session's assignment to get an idea of what you are being asked to do. Then study the sources.

Getting ready for outages. As or before each class session begins, download files for that session. Downloading the files will make it possible for you to continue working during class sessions even if you can't connect. We also have backup chat facilities (WebCT and the CIS Microsoft Conferencing Server). We will also occasionally use vClass.


An 11,000-entry encyclopedia of computing definitions is available in TechEncyclopedia. At this site, enter the term for which you want a definition.

Internet access and email usage

In this course, studying source materials, preparing each day's assignment with your group members, and participating in class discussions require Internet access. If you do not already have it, you can obtain Internet access from an Internet service provider. All class sessions will be held on-line in chat through WebCT. You may join class sessions from elsewhere as soon as you are confident you have adequate Internet access. Some on-line services do not support adequate connectivity, e.g., some online services automatically log you out if you do not respond to continuation messages. It is your responsibility to ensure that the Internet access you are using for the class is sufficient. Email to you will be through the email address you provide to the instructor.

WebCT use

The course relies on WebCT use for the publication of student work, asynchronous (bulletin board) and synchronous (chat) class discussions, access to class discussion logs, and testing of performance. For directions for using WebCT, see Using WebCT. To get your WebCT ID and password, follow the instructions at

Discussion in class sessions

WebCT creates a log of class sessions. To view or save the log for a prior session, see Using WebCT.

The experience of chat in synchronous discussion. The class discussion in chat may proceed quickly, and there may be multiple conversations occurring in parallel. This means that a specific question may not be answered immediately, especially if answering or commenting on it would move the discussion away from major themes for that class session. Oftentimes, a question will be answered later in the discussion. And, if you are disconnected momentarily, that will be when it seems your question was answered. So, if you have unanswered questions after a session, scan the discussion log for that class session to see if it was answered there. If the answer to your question does not appear in the discussion log, post it on the bulletin board or ask it in the next class session.

Class Guests

For some class sessions, one or more guests will join the discussion. They will have the opportunity to introduce themselves, e.g., they could enter links to their resume and other information about their organization. These guests will be knowledgeable about Information Security and Privacy. These people can be subject matter resources for us and respond to questions from us pertaining to the class discussion.

Any persons wishing to be guests should send e-mail to indicating which class(es) interests them and their areas of expertise.

Team Assignment and Peer Appraisal

All course assignments and lab exercises will be team-executed in groups of five. These groups should function as a self-managed team and adopt the rules and practices of this organizational work structure. Participation in the course assignments/lab exercises should be relatively equal among the group members, with each member monitoring both one's own level and quality of participation and that of the other members of the group. Self-managed teams are free to make decisions about their own processes, including matters such as who will serve on the team. If the majority of the team decides, for whatever reason, to alter the membership of the group, this change will go into effect immediately. (Please inform the instructor, in writing, about this decision and include this document in the project documentation for your team). Individuals who are no longer with that team will need to join another group, and assume the consequences of being assessed accordingly by their original group, or else, for the current assignment and the current assignment only, proceed on their own.

Consonant with the concepts and principles of self-managed teams, peer appraisals will be part of the overall grading/evaluation of individual performance. In the best managed teams, consensus on the relative contributions of each of the team members will be derived through assessment of documented facts and records, evaluation of team output, and evaluation of team processes. See specific details in the peer appraisal form.

Security and Privacy Policy Study

Within this, each group will identify the security and privacy policies for two organizations (no confidential information, please). Compare these to each other and to best practices templates (SANS, etc.). You should indicate the means of implementing components of these plans (processes, hardware/software, outsourcing, etc.). As we go through the course topics in our sessions, you should be familiar with how your selected organizational policies handled the relevant areas (encryption, privacy, access, etc.). You should record the results of your comparison and analysis in a 10 - 15 page paper along with the original policies.

Deliverables: Security and privacy policy study in electronic form

Security Issues Term Paper

Choose an area of information security management, ethics, or privacy that interests you and research it through the electronic media and the library. Discuss the topic with your instructor early in the term for counsel and approval. Write a single-spaced paper of about ten pages (or more) on the subject. A bibliography of references must be included.

Your goal should be to address a managerially significant issue and to propose an action plan to address it. Examples of interesting topics might be: “The Viability of Encryption for Transactional Systems”, “Security Aspects of Peer-to-Peer Computing”, “The Impact of Wireless on Corporate (or Home) Networks”, “Instant Messaging (Virtual Groupware, Huge Distraction from Business Work, and/or Security Vulnerability)”, “The GPS, fingerprint-reading cell phone as the universal identification device and its use in commercial products”, “Business Opportunities for and Privacy Implications of RFID”, “An accounting view of Information Security and Privacy”, “The Liberty Alliance Project and Its Implications for Business”, “GRID Computing Architecture as Business Continuity Platform”.

Sample Abstract: After defining and describing cryptographic techniques in common use in commercial applications today, this paper examines the risk-cost tradeoff for businesses thinking of encrypting their transactional data. The paper estimates the costs of encrypting even a small part of large volume transactions and points out the circumstances under which it might be economically viable. An action plan for security managers includes a suggestion that client-server applications working with sensitive payroll data over public telecomm lines use RSA signature encryption.

Deliverable: 1 ten-fifteen page plus term paper in electronic form and a PowerPoint presentation to be used when you deliver your paper in session (online).

Final Exam

No final exam is needed to fulfill the learning objectives of this course. The projects cover the intellectual material of the course and the other course assignments and class participation evaluate both context and other student capabilities.

The instructor is grateful to Dr. Ram Sriram, Dr. Detmar Straub, Dr. Richard Baskerville, and others for allowing their materials to be adapted and used in this course. Also, the instructor thanks our speakers who enrich our course with their substantial experience and knowledge.