This course provides a solid foundation in the potential civil and criminal areas of liability, and in the areas where compliance and risk management are critical. The overarching theme is the detection and reduction of legal and cybersecurity risk.

We start by exploring the legal and regulatory environment that influences and supports cyber-based activities and programs, focusing on multidisciplinary or integrated views of enterprise risk management. We address key risk management issues from both the legal and the cybersecurity perspective and analyze legal/cybersecurity issues in several of the critical infrastructure sectors, such as financial services, healthcare and public health, and transportation systems. We also review the legal and regulatory compliance issues that shape cybersecurity risk management across systems development, acquisition, and operation, including legislation that affects how the cyber community operates, for example the FITARA (Federal Information Technology Acquisition Reform Act) Enhancement Act of 2017.

We then review the authoritative guidance provided by the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The Framework is voluntary for the sixteen critical infrastructure sectors and mandatory for federal agencies, hence the focus on NIST. Threat detection and avoidance in risk management is analyzed from an integrated legal/cybersecurity perspective, including system objectives that avert legal liability and minimize enterprise and human loss. Examples address financial services, healthcare and public health, transportation (mobile devices and autonomous vehicles), and cyber-physical systems (CPS) and the Internet of Things (IoT). Finally, the overall constitutional and statutory basis within which all cyber law and policy operates is identified and reviewed.
Coursework on or experience with the legal system is recommended.
We provide a guide to help students build on their cybersecurity knowledge base; it supplies key context for general cybersecurity risk management principles and standards.