A Rigorous Approach to the Definition of an International Vocational Master’s Degree in Information Security Management

A Rigorous Approach to the Definition of an International Vocational Master’s Degree in Information Security Management

Frédéric Girard (Henri Tudor Public Research Center, Luxembourg), Bertrand Meunier (Henri Tudor Public Research Center, Luxembourg), Duan Hua (Henri Tudor Public Research Center, Luxembourg) and Eric Dubois (Henri Tudor Public Research Center, Luxembourg)
DOI: 10.4018/978-1-4666-1580-9.ch018
OnDemand PDF Download:
No Current Special Offers


In Luxembourg, like in many other countries, information security has become a central issue for private companies and public organizations. Today, information is the main asset of a company for its business and, at the same time, regulations are imposing more and more rules regarding its management. As a consequence, in Luxembourg, a clear need has emerged regarding the development of new learning trajectory fulfilling the requirements of the new job profile associated with a Chief Security Officer. This need was relayed by the national professional security association which asked for the development of a new education program targeting professional people engaged in a lifelong learning trajectory. The paper reports on the rigorous and scientific participatory approach for producing the adequate learning program meeting requirements elicited from the professional association members. The authors present the skills card that has been elaborated for capturing these requirements and the program, which has been built together with the University of Luxembourg for matching these requirements. This program proposes a holistic approach to information security management by including organization, human and technical security risks within the context of regulations and norms.
Chapter Preview


During the last two decades, the impact of security concerns on the development and exploitation of Information Systems (IS) never ceased to grow, be it in public or private sectors. In this context, information security management has become paramount as demonstrated with the new ISO 2700x series (ISO/IEC 27001, 2005) dedicated to the set-up of Information Security Management System and the existence of over 200 practitioner-oriented security and risk management methods (see Dubois et al., 2010).

Information System Security Management helps companies identify and implement security requirements in a cost-effective manner. Indeed, security threats are so numerous that it is outright impossible to act on all of them, because (1) every technological security solution has a cost, and (2) companies have limited resources. Hence, companies need assurance that they adopt only solutions that will provide significant Return on Investment. This is done by comparing the cost of a solution with the risk of not using it, e.g., the cost of a business disruption due to a successful security attack. In this sense, security management plays an important role in the alignment of a company’s business strategy with its Information Technology strategy. Because of this business/IT alignment dimension, the job profile associated this responsibility requires to combine technological competences together with business oriented ones. This twofold orientation makes difficult to find adequate persons, that we will call Chief Security Officer (CSO) in the rest of this paper.

This conclusion applies in Luxembourg where there are many technologically security oriented persons but only a few with the required business and management expertise. Thus a need for a specific education dedicated to CSO was identified. First, we further develop the context regarding the identification for these needs and also the motivation for introducing a university Professional Master programme instead of a professional certification. Once this decision taken, the next question was about the content of the programme. This was evident that a multidisciplinary programme is required but its precise content has still to be designed. This is where our Tudor centre, a research public entity dealing with technology transfer and innovation, has been contacted because of its expertise in the design of training content meeting requirements for the development of new competences. For many years, Tudor centre has developed an expertise in previous projects focused on ICT related job profiles evolutions. This expertise is formalized into a rigorous and systematic method supporting the elaboration of a job profile skills card based on a set of iterative processes combining information capture methods such as interviews, focus groups, and information watch techniques. Then, we further detail this method together with its application to the elaboration of the skills card associated with the job of a CSO. Finally, before we conclude, we report on the elaboration of the programme in such a way that each lecture is meeting some of the requirements elicited in skills card and that the complete programme achieves the goal of capturing all of them.

Complete Chapter List

Search this Book: