
Johns Hopkins University

Information Security Institute


Semester: Spring 2018
Course Syllabus for EN.650.653
Financial Issues in Managing a Secure Operation
Document Revision 1.353z 03272018

Course Instructor Information:


Michael D. Kociemba Sr. CISSP-ISSEP-ISSMP, C|CISO, CISA, CISM
✓ Primary Phone: 301-243-1152 (8:00 am – 4:00 pm – Please DO NOT leave a message on this number)
✓ Secondary Phone: 410-303-3806 (4:00 pm – 10:00 pm - leave message if no answer)
✓ Primary E-Mail: jhuisi.650.653.s2018@gmail.com
✓ Location: Olin 305 (1st Floor Conference Room)
✓ Office Hours: By Appointment – Instructor typically arrives 60-90 minutes before class.
✓ Class Time: Tuesday 6:00 PM – 8:30 PM

Reading and Learning Materials: There is no assigned textbook for this class. Instead, assigned reading materials are
updated each semester by the Instructor and are posted to the 650.653 Blackboard site or are hyperlinked from this
syllabus.

Blackboard Site: A Blackboard (Bb) course site is set up for this course. You are expected to check the site throughout
the semester as Blackboard will be a primary venue of outside classroom communications between the instructor and
the students. To access the course site, please log into https://blackboard.jhu.edu. If you need support for Blackboard,
please call 1-866-669-6138.

Academic Integrity: The strength of the university depends on academic and personal integrity. In this course, you must
be honest and truthful. Ethical violations include cheating on exams, plagiarism, reuse of assignments, improper use of
the Internet and electronic devices, unauthorized collaboration, alteration of graded assignments, forgery and
falsification, lying, facilitating academic dishonesty, and unfair competition.

Disability Services: Any student with a disability who may need accommodations in this class must obtain an
accommodation letter from Student Disability Services, 385 Garland, (410) 516-4720, studentdisabilityservices@jhu.edu.

2016-17 Johns Hopkins University Course Catalog Description:


This course addresses the risks (financial, reputation, business, and third party), costs, ROI, and other business issues
concerned in planning and managing a secure operation. Topics include disaster recovery, outsourcing issues; service
level agreements; evaluating external security service providers; assessing security total cost of ownership; audit
procedures; financial integrity; cost/benefit analyses; back-up and recovery provisions; insurance protection;
contingency and business continuity plans; qualitative and quantitative risk analysis; monitoring the security of the
enterprise; information economics; performance reporting; automated metrics reporting; responses to threats; effects
of security policies and practices on business and customers; preparing a business case for information security
investments; and developing cost-effective solutions given constraints in money, assets, and personnel. Case studies and
exercises will be used to illustrate financial planning and evaluation of security operations.

Page | 1
Syllabus Change Log

Version | Description of Change | Page | Changed by | Date
1.350z | Initial syllabus for Spring 2018 | all | MDK | 01/10/2018
1.351z | Added essay 1 topics | 7-13 | MDK | 02/03/2018
1.352z | Removed "Risk Appetite and Risk Tolerance: Critical Components of an Effective ERM Program" from Assigned Reading (bad link). | 10 | MDK | 02/24/2018
1.352z | Removed "Budgeting process for information security expenditures 2006" (Blackboard) from week 5 assigned reading. | 12 | MDK | 02/24/2018
1.352z | Added "ROSI - 15 Things to Consider 2015" to week 5 assigned reading. | 12 | MDK | 02/24/2018
1.352z | Added Essay Topic 5.4. | 13 | MDK | 02/24/2018
1.353z | Updated Class Location from Malone 228 to Olin 305 | 1 | MDK | 03/01/2018
1.353z | Updated discussion topics for weeks 4, 5, and 6. In week 4 (Feb 20th) the course was scheduled to meet in Latrobe 107 instead of Olin 305. The projector in Latrobe 107 did not work and the JHU evening Technology Help Desk Team was not able to mitigate. The class was reconvened in Malone 228 where the projector was non-operational too. As a result, class was dismissed early. | 10-14 | MDK | 03/01/2018
1.353z | Added Essay 2 Topics for weeks 9 thru 13. | 15-21 | MDK | 03/27/2018

Confidentiality and Mandatory Reporting


As an instructor, one of my responsibilities is to help create a safe and inclusive learning environment on our campus. I
also have mandatory reporting responsibilities related to my role as a Responsible Employee under the Sexual Misconduct
Policy & Procedures (which prohibits sexual harassment, sexual assault, relationship violence and stalking), as well as the
General Anti-Harassment Policy (which prohibits all types of protected status-based discrimination and harassment). It is
my goal that you feel able to share information related to your life experiences in classroom discussions, in your written
work, and in our one-on-one meetings. I will seek to keep information you share private to the greatest extent possible.
However, I am required to share information that I learn of regarding sexual misconduct, as well as protected status-based
harassment and discrimination, with the Office of Institutional Equity (OIE). For a list of individuals/offices who can speak
with you confidentially, please see Appendix B of the JHU Sexual Misconduct Policies and Laws.

Page | 2
Course Learning Goals and Objectives:
The goal of this course is to provide students with a fundamental understanding of the economic and financial issues
involved in planning, managing, and implementing information security in organizations. The course will prepare
students to approach financial decision-making with a variety of techniques, both quantitative and qualitative in nature,
so that as working professionals, they can be successful in taking on leadership roles to plan expenditures that are most
effective in assuring the security of the organization’s operations.
Course Learning Objectives
Student Learning Objectives for this Course
1 Students should be able to research an INFOSEC-related topic and write a clear, concise, and
articulate essay.
2 Students should be able to locate, download, and modify useful sources of information security
documentation.
3 Students should be able to create an INFOSEC budget and be able to explain its details to senior
management.
4 Students should be able to discuss challenges associated with the original Federal Information
Security Management Act (FISMA) of 2002.
5 Students should be able to discuss the reforms associated with the Federal Information Security
Modernization Act (FISMA) of 2014.
6 Students should be able to discuss challenges associated with the 2017 Cybersecurity Executive
Order.
7 Students should be able to discuss risk appetite and risk tolerance.
8 Students should be able to discuss the difference between Quantitative and Qualitative Risk
Assessments.
9 Students should be able to discuss the capital budgeting process as it relates to information
security.
10 Students should be able to discuss INFOSEC Portfolio Management.
11 Students should be able to discuss the challenges with ROSI.
12 Students should be able to discuss INFOSEC Total Cost of Ownership (TCO).
13 Students should be able to discuss the INFOSEC Balanced Scorecard Framework.
14 Students should be able to discuss INFOSEC Portfolio Management.
15 Students should be able to discuss the challenges associated with INFOSEC outsourcing.
16 Students should be able to discuss the true costs associated with Cost of Data and Security
Breaches.
17 Students should be able to discuss Cyber Workforce Management Program.
18 Students should be able to discuss the cost of Business Recovery.

Page | 3
Grade Requirements
The Instructor and Course Assistant (CA) will evaluate students on their mastery of Learning Objectives through the
following deliverables:
✓ Students are expected to prepare for and attend every scheduled class session and actively participate in class
discussions. Attendance and active participation in class discussions are an integral part of your learning
experience at JHUISI. Full attendance and active participation in class discussions are required for you to
succeed in this course. Course content is extensive and unless students indicate otherwise, they are assumed to
understand the material. Please be advised that six absences, whether excused or not, will result in a failing or
incomplete grade for the course. Class Participation is worth 150 points.
✓ Students are required to write two essays on topics assigned by the instructor. The essays are worth a
combined 35% of your grade.
✓ A take-home mid-term examination worth 250 points will be administered on March 13, 2018 on topics and
class discussions up to that point. No make-ups are offered unless arranged in advance with the instructor.
✓ A take-home comprehensive final exam worth 300 points will be administered on May 15, 2018 on any topics
and class discussions we have had during the entire course. No make-ups are offered unless arranged in advance
with the instructor.

Evaluation and Grading

Assignment | Due Date | Points
General Class Participation and Attendance | Ongoing | 150
Essay #1 (2,000 Words) | Ongoing | 150
Essay #2 (3,000 Words) | Ongoing | 200
Mid-Term Examination | March 13, 2018 | 250
Final Examination (Comprehensive) | May 15, 2018 | 250
Total | | 1000

Grading Scale

Percentage Grade
93+ A
90-92 A-
87-89 B+
83-86 B
80-82 B-
77-79 C+
73-76 C
70-72 C-
<70 F*

Page | 4
Important Notes about Grading Policy
✓ The grade for Good Performance (typical for graduate-level study) in this course is a B+/B.
✓ The grade of A- will only be awarded for Excellent Performance. The grade of A will be reserved for the select
few who demonstrate Extraordinarily Excellent Performance.
✓ The grades of D+, D, and D- are not awarded at the graduate level.
✓ Grade appeals will ONLY be considered in the case of a documented clerical error.
✓ Please note that YOU are responsible for keeping track of and proactively managing your point totals.
Discussions regarding your point total will not be entertained retroactively.
✓ Be your own advocate.

Classroom Rules of Engagement


✓ Please show up to class sessions on time.
✓ Please come to class prepared to discuss the assigned reading.
✓ Please come to class ready to discuss the questions for the class session.
✓ Please do not text or instant message your friends or classmates during class sessions.
✓ Please do not check and/or update your social media accounts during class sessions.

Writing Assignments
ALL STUDENTS must register for and complete the “Avoiding Plagiarism at JHU” training module NO LATER THAN the
beginning of our week 3 class session – print certificate of completion and provide to Instructor.
This course surveys a wide range of information security material. The pace is quick and the coverage is not detailed
and/or in-depth on any one specific topic. Writing assignments provide the student the opportunity to research a topic
more thoroughly than the way it’s covered in the assigned reading, in class discussions, and/or on the Internet.
Each student is required to complete the TWO ESSAYS on topics assigned by the Instructor.
The purpose of these writing assignments is to provide students the opportunity to demonstrate an understanding
beyond what is covered as part of the course. Each assignment requires multiple reference citations that may consist of
reference books, current print or electronic versions of magazines and journals, the Internet, various on-line libraries,
and textbooks.
✓ Each writing assignment must comply with the Turabian or APA Style Guides.
✓ Essays must comply with word limitations (plus 500 words / minus 0 words). Footnotes are required for essays.
Bibliographies are not required for essays.
✓ Spell Check and Grammar Check your essays.
✓ DO NOT use a text application to write your paper and then transfer it to MS Word to hand in.

Page | 5
Refer to Appendix A of this syllabus for the grading criteria and standards for essays and term-papers. The topics are
taken from the discussion questions in the syllabus.
✓ Both essays must be submitted via e-mail to the instructor no later than MIDNIGHT on the class date for which
the topic is assigned (you must submit all deliverables in Microsoft WORD format – NO EXCEPTIONS)
✓ Assignments submitted in pdf format are considered incomplete. Include your name in the file name and on the
cover sheet. Essays without names will be discarded.
As a graduate student at Johns Hopkins University, you are expected to write well (in this class) – to be clear, concise,
articulate, and to the point. Plagiarism will not be tolerated – cite your sources and DO NOT COPY AND PASTE. Please
be confident that, if you do plagiarize, you will be caught and the consequences are not pleasant. Direct quotations can
be no more than 10% of your paper.

Late Deliverable Penalty


All assignments are due at MIDNIGHT on their due date. Students are expected to exercise mature judgment and time
management skills appropriate to their academic rank and standing. The e-mail time stamp will establish the time the
paper was posted and will determine if the paper is on-time or is late. Late papers will be accepted and graded once
they are submitted. Five percent will be taken for every 24 hours – or part of 24 hours – an assignment is turned in late.
Thus, if a paper worth 100 points was turned in 36 hours late and would have received a 92 had it been turned in on
time, 10 points will be deducted, resulting in an 82 on the paper.

Wisdom from YouTube


• What is the Difference Between Undergraduate and Graduate Studies? https://www.youtube.com/watch?v=v9UZ42uC8eM&t=29s (4:30)
• Why Graduate School Will Not Be Like Undergrad https://www.youtube.com/watch?v=rAx35lsDvuw (3:00)
• How to Read for Grad School https://www.youtube.com/watch?v=eWuxW2qAYSE (4:56)
• How to Write a Good Argumentative Essay: Logical Structure. https://www.youtube.com/watch?v=tAmgEa1B1vI (9:50)
• Thesis Statements: Four Steps to a Great Essay | 60second Recap®: https://www.youtube.com/watch?v=9R0ivCaLtnY (4:30)
• How to Write an Argumentative Essay by Shmoop: https://www.youtube.com/watch?v=-lzGy5gizKg (2:55)
• Plagiarism by Shmoop: https://www.youtube.com/watch?v=hJipA52LOms (4:10)
• Plagiarism ... Definition, Consequences and Examples: https://www.youtube.com/watch?v=LV0Fy9X56FY (5:10)
• The punishable perils of plagiarism - Melissa Huseman D'Annunzio: https://www.youtube.com/watch?v=SrjoaaIxaJI (3:47)

Reading Skills Resources


• How to Read for Grad School https://miriamsweeney.net/2012/06/20/readforgradschool/
• How to Improve Your Reading Skills: http://www.wikihow.com/Improve-Your-Reading-Skills
• Strategies for Developing Reading Skills: http://www.nclrc.org/essentials/reading/stratread.htm
• How to Improve College Reading Skills In 10 Steps: http://www.upb.pitt.edu/uploadedFiles/reading%20skills.pdf
• Skimming And Scanning: Two Important Strategies For Speeding Up Your Reading: http://www.howtolearn.com/2013/02/skimming-and-scanning-two-important-strategies-for-speeding-up-your-reading/
• Critical Thinkers' World: The Basic Structure of Arguments: https://criticalthinkersworld.wordpress.com/the-basic-structure-of-argument/

Page | 6
Week 1 (1/30)

Discussion Topics
✓ Course Administration
✓ Instructor and Student Introductions
✓ Assignment of the Numbers
✓ Learning Objectives and Learning Expectations
✓ Time Management
✓ Bachelor’s vs. Master’s Degree

Assigned Reading
• The Plagiarism Spectrum (Blackboard)
• Defining and Avoiding Plagiarism Statement on Best Practices (Blackboard)
Wisdom from YouTube
• Cyber Security 101 - https://www.youtube.com/watch?v=sdpxddDzXfE&t=28s (3:52)
• C-I-A Basics - https://www.youtube.com/watch?v=89WXcyWZ-qc (6:31)
• Careers in Cybersecurity - Expert Advice from Black Hat & DEFCON https://www.youtube.com/watch?v=EhIp3b8iGm4 (8:53)
• Careers in Cybersecurity - New Advice from DEFCON 24 https://www.youtube.com/watch?v=Mg7_XlP4gqA&t=365s (8:34)

Assignment for ALL Students:


Register for and complete the “Avoiding Plagiarism at JHU” training module NO LATER THAN the beginning of
our week 3 class session – e-mail the certificate of completion to the Instructor.

Week 2 (2/6)

Discussion Topics


✓ The Economics of Information Security
✓ Federal Information Security Management Act 2002
✓ Federal Information Security Modernization Act 2014

Assigned Reading
• A Closer Look at Information Security Costs. http://www.econinfosec.org/archive/weis2012/papers/Brecht_WEIS2012.pdf
• The Economics of Information Security Investment (Blackboard)
• The Financial Management of Cyber Risk – Chapter 1 (Blackboard) Pages 9-18.
• Information Security Trends: IT Security Spending Remains Robust – Compliance is Key Driver of Security Initiatives. https://www.451alliance.com/Portals/5/TMC_it_security_june2015.pdf
• How to Dramatically Improve Corporate IT Security without Spending Millions. https://www.praetorian.com/downloads/report/How%20to%20Dramatically%20Improve%20Corporate%20IT%20Security%20Without%20Spending%20Millions%20-%20Praetorian.pdf
• Determining How Much to Spend on Your IT Security. http://www-03.ibm.com/industries/ca/en/healthcare/documents/IDC_Canada_Determining_How_Much_to_spend_on_Security_-_Canadian_Perspective_2015.pdf

Page | 7
• 4 Tips for Planning an Effective Security Budget. http://www.darkreading.com/careers-and-people/4-tips-for-planning-an-effective-security-budget/d/d-id/1325290
• Federal Information Security Management Act of 2002. http://csrc.nist.gov/groups/SMA/fisma/overview.html
• FISMA Updated and Modernized. http://www.natlawreview.com/article/fisma-updated-and-modernized-federal-information-security-management-act
• The Fallacy of the FISMA Critics: http://www.infosectoday.com/Articles/Fallacy_FISMA_Critics.htm
• Congress Passes The Federal Information Security Modernization Act of 2014: Bringing Federal Agency Information Security into the New Millennium: http://www.privsecblog.com/2014/12/articles/cyber-national-security/congress-passes-the-federal-information-security-modernization-act-of-2014-bringing-federal-agency-information-security-into-the-new-millennium/

Wisdom from YouTube


• What is ECONOMICS OF SECURITY? What does ECONOMICS OF SECURITY mean? ECONOMICS OF SECURITY meaning - https://www.youtube.com/watch?v=TAEr5VOzeR4 (5:13)
• Gordon-Loeb Model for Cybersecurity Investments - https://www.youtube.com/watch?v=cd8dT0FuqQ4 (3:33)

Class Session 2 Questions:


2.1 The Federal Information Security Management Act (FISMA) of 2002 is a federal law enacted
as Title III of the E-Government Act of 2002. The Act recognized the importance of INFOSEC
to the economic and national security interests of the United States and requires each federal
agency to develop, document, and implement an agency-wide program to provide
information security for the information and information systems that support the
operations and assets of the agency, including those provided or managed by another
agency, contractor, or other source. Please write an essay discussing the pros and cons of
the original legislation that was passed in 2002. It took a dozen years to pass FISMA reform
(to the original 2002 legislation) – since there were issues with FISMA before the original ink
was dry, please discuss why you think it took so long to pass FISMA reform. What did the
FISMA 2014 legislation change? FISMA was further reformed when President Trump signed
the Cybersecurity Executive Order in early 2017 – please integrate this latest iteration of
FISMA reform into your overall discussion.
2.2 Employees are cited as a security weak link. Many organizations would like to allocate a
bigger share of the security budget toward employee training (primarily in departments
outside of IT such as sales, marketing, and HR). On average organizations would like to spend
a significant 24% of their IT security budget on building INFOSEC best practices, INFOSEC
awareness, training and education. The reality is that shoring up employee lack of security
knowledge will continue to be carried out on much less than this percentage. For this essay,
assume that you have just been hired as the new Johns Hopkins University (JHU) CISO. Please
write an essay discussing how you would turn this situation around at JHU. Your essay should
span a 3-5 year timeframe and should include both short and long-term initiatives.

Page | 8
2.3 Organizations need to understand the financial impacts of insufficient cybersecurity. In
addition, they need to enact management systems that bring all of the necessary executives
to the table to address cybersecurity issues on an enterprise-wide basis. For this essay,
assume that you have just been hired as the new CISO for M&T Bank. Please write an essay
discussing who you would bring to the table to help address the insufficient cybersecurity
issues at the bank. Your essay should span a 3-5 year timeframe and should include both
short and long-term initiatives.

Assignment for ALL Students:


Register for and complete the “Avoiding Plagiarism at JHU” training module NO LATER THAN the
beginning of our week 3 class session – e-mail the certificate of completion to the Instructor.

Week 3 (2/13)

Discussion Topics


✓ JHU Library Services
✓ Guest Speaker: Dr. Sue Vazakas, JHU Librarian (svazakas@jhu.edu, 410-516-4153, MSEL C-level, #30)
✓ The 2017 Cybersecurity Executive Order (EO)

Assigned Reading
• President Trump signs cybersecurity executive order - https://www.usatoday.com/story/news/politics/2017/05/11/president-trump-signs-cybersecurity-executive-order/101556518/
• White House Cybersecurity Executive Order Summary - https://blog.rapid7.com/2017/05/12/white-house-cybersecurity-executive-order-summary/
• A Summary of the Cybersecurity Executive Order - https://www.lawfareblog.com/summary-cybersecurity-executive-order
• A Framework for Protecting Our Critical Infrastructure - https://www.nist.gov/blogs/taking-measure/framework-protecting-our-critical-infrastructure
• (Draft) Cybersecurity Framework v1.1 Draft 2 (PDF) without markup - https://www.nist.gov/sites/default/files/documents/2017/12/05/draft-2_framework-v1-1_without-markup.pdf

Class Session 3 Questions:


3.1 In January 2017 President Trump signed the long-awaited Cybersecurity Executive Order (EO)
aimed at beefing up cybersecurity at federal agencies with a shift of computer capabilities to
the cloud as a key part of the strategy. For this essay, assume that you have just been hired as
the new CISO for the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF). Please write
an essay discussing your recommendations on how you would implement this EO within your
Agency.

Page | 9
3.2 The Framework for Improving Critical Infrastructure Cybersecurity provides a voluntary, flexible
approach to help an organization better understand, manage, and reduce its cybersecurity
risks. Based on existing standards, guidelines, and practices, the Framework can aid in
prioritizing investments and maximizing the impact of each dollar spent on cybersecurity.
Cybersecurity risk management requires the buy-in of all levels of management, including the
board of directors. The Framework provides guidance as to how organizations can use a
common lexicon to communicate between and among organizations. Industry has provided
comments that suggest the board level of organizations requires more attention when
spreading cybersecurity risk management awareness. For this essay, assume that you have just
been hired as the new CISO for the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF).
Please write an essay discussing your recommendations on how you would ensure buy-in at all
levels of management within your Agency. Please start by defining “buy-in” as it relates to the
Framework for Improving Critical Infrastructure Cybersecurity.

Assignment for ALL Students:


Completion Certificate for “Avoiding Plagiarism at JHU” training module due NO LATER THAN 6:00 PM

Week 4 (2/20)

Discussion Topics


✓ Risk Management
✓ Committee of Sponsoring Organizations (COSO) of the Treadway Commission
✓ National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
✓ Risk Appetite and Risk Tolerance
✓ Quantitative vs. Qualitative Risk Assessments
✓ Annual Loss Expectancy (ALE)

Assigned Reading
✓ NIST Risk Management Framework. http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
✓ Committee of Sponsoring Organizations of the Treadway Commission (COSO). http://www.coso.org/documents/coso_erm_executivesummary.pdf
✓ Quantitative Risk Analysis Step-By-Step. https://www.sans.org/reading-room/whitepapers/auditing/quantitative-risk-analysis-step-by-step-849
✓ Difference between Quantitative and Qualitative Risk Analysis. http://www.izenbridge.com/blog/differentiating-quantitative-risk-analysis-and-qualitative-risk-analysis/
✓ Risk Appetite and Risk Tolerance. https://www.apm.org.uk/media/1257/risk-appetite-and-risk-tolerance.pdf
✓ How Security Risk Assessments & Risk Management Can Improve Your Security Program - https://www.hitachi-systems-security.com/blog/how-security-risk-assessments-risk-management-can-improve-your-security-program/
✓ Successful Security Programs: Security vs. Risk Management vs. Compliance - https://technical.nttsecurity.com/post/102dwj8/successful-security-programs-security-vs-risk-management-vs-compliance
✓ Cyber-security: More Than Just A Reputational Risk - https://www.holmesreport.com/agency-playbook/sponsored/article/cyber-security-more-than-just-a-reputational-risk
Page | 10
Wisdom from YouTube
✓ Risk Appetite and other Terms vs Performance Measurement Scorecard terms - https://www.youtube.com/watch?v=ektmWa2b9VQ (6:19)
✓ Risk Appetite and Risk Tolerance - https://www.youtube.com/watch?v=OIQntO0p-jQ (4:33)

Class Session 4 Questions:


4.1 The COSO model has been adopted as the generally accepted framework for internal control
and is widely recognized as the definitive standard against which organizations measure the
effectiveness of their systems of internal control. The COSO framework defines internal
control as a process, effected by an entity’s board of directors, management and other
personnel, designed to provide reasonable assurance of the achievement of objectives in the
following categories:
✓ Effectiveness and efficiency of operations
✓ Reliability of financial reporting
✓ Compliance with applicable laws and regulations
In an “effective” internal control system, COSO identifies five components (Control
Environment, Risk Assessment, Control Activities, Information and Communication, and
Monitoring) to support the achievement of an entity’s mission, strategies and related business
objectives. Please write an essay that discusses how you would go about using the COSO cube
to manage enterprise risk. Integrate into your discussion how you think COSO measures up to
some of the other frameworks we have been discussing in class.
4.2 The NIST Risk Management Framework (RMF) for Federal Information Systems is an
overarching framework that provides security-related guidance on a very wide range of topics
and issues. The E-Government Act (P.L. 107-347) recognizes the importance of information
security to the economic and national security interests of the United States. Title III of the E-
Government Act, entitled the Federal Information Security Management Act (FISMA),
emphasizes the need for organizations to develop, document, and implement an organization-
wide program to provide security for the information systems that support its operations and
assets. Please write an essay that discusses the pros and cons of the NIST RMF. Please
integrate into your discussion how the NIST RMF stacks up against other risk management
frameworks we have discussed. Specifically, how does the NIST RMF compare to ISO 31000
and the COSO Enterprise Risk Management Framework?
4.3 Risk Assessment is the process whereby organizations identify hazards that could negatively
impact an organization's ability to conduct business or perform their mission. These
assessments help identify these inherent business and security risks and provide measures,
processes and controls to reduce the impact of these risks to business operations and/or
mission effectiveness. Please write an essay discussing the differences between qualitative and
quantitative risk assessments.
4.4 Risk Assessment is the process whereby organizations identify hazards that could negatively
impact an organization's ability to conduct business or perform their mission. These
assessments help identify these inherent business and security risks and provide measures,
processes and controls to reduce the impact of these risks to business operations and/or
mission effectiveness. Please write an essay discussing the concepts of risk appetite and risk
tolerance and how they figure into the management of risk.

Assignments: Essays Due by Midnight – Numbers 1 thru 15

Page | 11
Week 5 (2/27)

Discussion Topics
• The INFOSEC Budgeting Process
• Capital Investment Analysis
• Discounted Cash Flow (DCF)
• Net Present Value (NPV)
• INFOSEC Portfolio Management (PM)
• Return on Security Investment (ROSI)
Assigned Reading
• ROSI - 15 Things to Consider 2015 (Blackboard)
• Resources for an information security budget discussion - https://www.kaspersky.com/blog/calculator-financial-report/18534/
• Capital Investment Analysis and Project Assessment. https://www.extension.purdue.edu/extmedia/ec/ec-731.pdf
• Capital Budgeting Analysis. http://www.exinfm.com/training/pdfiles/course03.pdf
• Taking a Business Risk Portfolio (BRP) Approach to Information Security. https://www.rsaconference.com/writable/presentations/file_upload/grc-f03-taking-a-business-risk-portfolio-_brp_-approach-to-information-security.pdf
• A Review of Return on Investment for Cybersecurity (Blackboard)
• Evaluating Information Security Investments from Attackers Perspective (Blackboard)
• The Evolution of Return on Security Investment (Blackboard)
• Value Creation and Return on Security Investment (Blackboard)
• Cyber ROI - https://apps.fcc.gov/edocs_public/attachmatch/DOC-343096A1.pdf
• The Real Cost of Not Implementing Cybersecurity Practice. http://pellcenter.org/the-real-cost-of-not-implementing-cybersecurity-practices/

Wisdom from YouTube


• What is Portfolio Management vs. Project Management? https://www.youtube.com/watch?v=9Tchp8LljXY (5:11)
• What do Portfolio Managers do? - Project Management Training? https://www.youtube.com/watch?v=E5II1pEBpbY (3:04)

Class Session 5 Questions:


5.1 There have been numerous media articles and academic research papers on the topic of
Return on Security Investment (ROSI). No matter what methodology is used to calculate the
ROSI, there will always be a level of uncertainty. Please write an essay that discusses the pros
and cons of the ROSI calculation. Please include in your discussion how intangibles are
addressed within the information security field in general and specifically as it relates to the
ROSI.
5.2 A systematic process for identifying, evaluating, and addressing INFOSEC risks is the NIST
Cybersecurity Framework, released in February 2014. The NIST Cybersecurity Framework
characterizes an organization’s maturity in cybersecurity risk management in terms of tiers,
with Tier 1 (the lowest) having a partial process for these core functions, and Tier 4 (the
highest) having a highly adaptive, responsive set of processes for each of these core functions.
Please write an essay discussing the pros and cons of the NIST Cybersecurity Framework and
compare it to the NIST Risk Management Framework.

Page | 12
5.3 Producing a cost-benefit analysis of security solutions has always been hard, because the
benefits are difficult to assess and often only a part of the overall cost is clear. Despite this,
today the provision of economic evaluations of security technology investments is a
requirement that more and more customers ask vendors to satisfy. The typical calculation for
a Return-On-Investment (ROI) index is based on the evaluation of the Annual Loss Expectancy
(ALE). Our motivating assumption is that such a classical index, the ROI, provides only a partial
characterization of investments in information security technology, because it fails to explicitly
consider attackers' behavior. Security professionals are beginning to suggest that to better
evaluate security technology investments, the ROI index should be coupled with a
corresponding index aimed at measuring the convenience of attacks, or “the Return-On-Attack
(ROA)” especially in situations where different technologies are combined or where the
possible degradation of a security solution's efficiency over time must be taken into account.
Please write an essay discussing the concept of ROA and discuss how it may be coupled with
ROI to provide a full characterization of investments in information security. Does ROA make
sense? How does the combination of ROI/ROA compare with ROSI?
5.4 The article titled Return on Security Investment – 15 Things to Consider includes a checklist of
15 issues/topics that the INFOSEC professional should consider in an effort to improve the
accuracy and usability of the Return on Security Investment (ROSI). Many of the existing
methods for calculating the ROSI are complex and include an array of mathematical formulas
and statistical analyses. No matter what method is used, these calculations almost always rely
on soft data (i.e., intangible values) to derive hard numbers associated with Return on
Investment (ROI), making the challenge of an accurate and reliable ROSI elusive. Please write
an essay discussing your thoughts on the ROSI calculation (in general) and the 15 topic areas
that the author recommends should be considered. Please include in your discussion whether
you think each suggested element is useful, makes no difference, or is a waste of time. Finally,
include your own recommendations on elements that may be missing from the list.
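The following Python is an added worked example for questions 5.1, 5.3 and 5.4; it is not from the syllabus or from any assigned reading. It computes the classic ALE-based ROSI, a deliberately simplified Return-On-Attack for the attacker's side of the ledger, couples the two into a single verdict, and then propagates input uncertainty through ROSI with a Monte Carlo draw so that the "level of uncertainty" in 5.1 becomes a percentile band rather than a single number. The ROSI form used (ENISA's), the ROA simplification, the deterrence threshold and every dollar figure are assumptions or constructed inputs, not data from the readings.

```python
"""
ROSI / ROA worked example (added illustration, not syllabus or reading material).

Formulas assumed here:
  ALE  = SLE x ARO                                                 (classic ALE)
  ROSI = (ALE x mitigation_ratio - solution_cost) / solution_cost  (ENISA form)
  ROA  = attacker_gain x (1 - mitigation_ratio) / attack_cost      (simplified,
         a stand-in for the attacker's return, not a published formula)
All dollar figures in the demo are constructed sample inputs.
"""
import random
import statistics


def ale(sle, aro):
    """Annual Loss Expectancy: Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro


def rosi(ale_before, mitigation_ratio, solution_cost):
    """Return on Security Investment: expected loss avoided per dollar of control
    cost, net of that cost. 0.5 means each $1 spent avoids $1.50 of expected loss."""
    if solution_cost <= 0:
        raise ValueError("solution_cost must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must lie between 0 and 1")
    return (ale_before * mitigation_ratio - solution_cost) / solution_cost


def roa(attacker_gain, attack_cost, mitigation_ratio):
    """Simplified Return-On-Attack (assumption): the gain that survives the
    control, per dollar the attacker must spend to mount the attack."""
    if attack_cost <= 0:
        raise ValueError("attack_cost must be positive")
    return attacker_gain * (1.0 - mitigation_ratio) / attack_cost


def evaluate_control(sle, aro, mitigation_ratio, solution_cost,
                     attacker_gain, attack_cost, roa_threshold=1.0):
    """Couple the defender's ROSI with the attacker's ROA. The control is only
    convincing when it pays for itself (ROSI > 0) AND pushes ROA below the
    (assumed) level at which a rational attacker still finds the attack worth it."""
    ale_before = ale(sle, aro)
    r = rosi(ale_before, mitigation_ratio, solution_cost)
    a = roa(attacker_gain, attack_cost, mitigation_ratio)
    return {
        "ale": ale_before,
        "rosi": r,
        "roa": a,
        "defender_ok": r > 0,
        "attacker_deterred": a < roa_threshold,
    }


def rosi_monte_carlo(sle_range, aro_range, mitigation_range, solution_cost,
                     n=10_000, seed=1):
    """Propagate input uncertainty through ROSI. Each *_range is a
    (low, high, mode) triple fed to random.triangular; the result reports the
    5th/50th/95th percentile ROSI and the fraction of draws in which the
    control pays for itself. A fixed seed keeps the run reproducible."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        sle = rng.triangular(*sle_range)
        aro = rng.triangular(*aro_range)
        mit = rng.triangular(*mitigation_range)
        samples.append(rosi(ale(sle, aro), mit, solution_cost))
    samples.sort()
    q = statistics.quantiles(samples, n=20)  # 19 cut points: q[0]=p5, q[9]=p50, q[18]=p95
    return {
        "p5": q[0],
        "p50": q[9],
        "p95": q[18],
        "p_positive": sum(1 for s in samples if s > 0) / n,
    }


if __name__ == "__main__":
    # Constructed inputs: $50k per incident, 0.4 incidents/year, a $10k control
    # that blocks 75% of incidents; the attacker nets $20k for $2k of effort.
    print(evaluate_control(50_000, 0.4, 0.75, 10_000, 20_000, 2_000))
    # Same control with the point estimates replaced by (low, high, mode) ranges.
    print(rosi_monte_carlo((30_000, 80_000, 50_000), (0.2, 0.6, 0.4),
                           (0.5, 0.9, 0.75), 10_000))
```

The point-estimate run says the control is worth buying (ROSI 0.5) yet leaves the attacker with a 2.5x return, which is the gap question 5.3 is asking about; the Monte Carlo run shows how wide the ROSI band is once the "soft" inputs of 5.4 are treated as ranges instead of single numbers.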

Assignments: Essays Due by Midnight – Numbers 16 thru 32

6 3/6 Discussion Topics
✓ Mid-Term Q & A and Clarification
✓ Mid-Term Examination Review

Assignments: Essays Due by Midnight – Numbers 33 thru 51

7 3/13 Mid-Term Examination - This examination is an Open Book /Open Note Examination
The examination becomes available on Blackboard at 6:00 PM. Students must complete the exam
and upload to Blackboard NLT 9:00 PM (timestamp) on March 13, 2018.
Please ensure that you put your name on the examination.
✓ On page 1 enter your first and last name plus your JHUISI Student Number.
✓ When you save the Mid-Term Exam replace “YOUR LAST NAME HERE” with your last name.
o For example, your Instructor would save the exam as follows: “Spring 2018 650.653.01
Mid-Term Exam for Kociemba.”
PLEASE NOTE:
1 Late exams will be assessed a 10% (25 points) penalty for the first 60 minutes. Additional
penalties of 5 points per half hour will be assessed for each additional ½ hour that the exam
is late. These penalties are not negotiable. Avoid them by not being late.
2 Students who do not turn in exams by 3:00 am the next morning (March 14, 2018) will be
awarded 0 (zero) points.
3 Students who are taking the exam and are observed communicating (i.e., talking, e-mailing,
texting, or signing) with other students will forfeit all points associated with this exam. The
student you are communicating with will also forfeit all points associated with this exam.

8 3/20 Spring Vacation – 3/19 thru 3/25 – NO CLASS

9 3/27 Discussion Topics
✓ INFOSEC Total Cost of Ownership (TCO)
✓ INFOSEC Balanced Scorecard Framework
✓ INFOSEC Metrics

Assigned Reading
 How to Calculate Total Cost of Ownership. http://www.graco.com/us/en/products/manufacturing/cost/how-to-calculate-total-cost-of-ownership.html
 Total Cost of Ownership (TCO) for Access Control Systems (Blackboard)
 Calculating Total Cost of Ownership for Intrusion Prevention Technology (Blackboard)
 Minimizing Security Related Total Cost of Ownership - https://www.scribd.com/document/86807927/Minimizing-Security-Related-Total-Cost-of-Ownership
 The True Cost of Compliance.
https://www.ponemon.org/local/upload/file/True_Cost_of_Compliance_Report_copy.pdf
 Migrating Security to the Cloud: A Model for Total Cost of Ownership - https://securityintelligence.com/migrating-security-to-the-cloud-a-model-for-total-cost-of-ownership/
 The Hidden Costs of Information Security Projects - https://zeltser.com/hidden-costs-of-information-security-projects/
 Calculating TCO: The Real Cost of Cloud Security - https://www.threatstack.com/blog/calculating-tco-the-real-cost-of-cloud-security/
 A Strategy Map for Security Leaders: Applying the Balanced Scorecard Framework to Information Security. https://securityintelligence.com/a-strategy-map-for-security-leaders-applying-the-balanced-scorecard-framework-to-information-security/
 Balanced Scorecard for Information Security Introduction. https://technet.microsoft.com/en-us/library/bb821240.aspx
 Security Metrics and the Balanced Scorecard. https://www.csoonline.com/article/2137095/identity-management/security-metrics-and-the-balanced-scorecard.html

Wisdom from YouTube


 Spotlight on Total Cost of Ownership -
https://www.youtube.com/watch?v=0RAcIsjTaHc&t=83s (4:33)
 Introduction to Balanced Scorecard and Measurement tools -
https://www.youtube.com/watch?v=SV7FDpPdPVQ

Class Session 9 Questions:


9.1 When organizations undertake Information Technology (IT) projects, including those related to
information security, they often underestimate the effort of getting the work done. This might
occur because we don’t understand the complexities of completing projects or because we
underestimate the time and money needed to complete tasks. We also tend to exhibit wishful
thinking, fooling ourselves regarding the risks of projects going awry and the cost of mitigating
such risks. Please write an essay regarding your recommended approach to Total Cost of
Ownership (TCO), including the hidden costs you might encounter with INFOSEC projects.
Please include in your discussion the strategies you would recommend to a Chief Executive Officer
(CEO) if you were interviewing for the CISO position at Cisco in 12 years.
9.2 “Hope is not a strategy” is a provocative phrase of unknown origin that has become
commonplace in business and politics. Hope is about achieving goals. Coincidentally, strategy
is also about achieving goals — but hope is not a strategy. Both have to do with the
achievement of desired objectives in conditions that are uncertain and constantly changing.
However, hope has to do with a belief that these outcomes are possible. Strategy has to do
with a plan of action required to achieve these outcomes along with the resources necessary to
execute the plan. Hope is necessary but is not sufficient. Please write an essay discussing how
you might overcome this paradox of hope vs. strategy. Hint: you might want to start your
research by looking for strategy maps for security leaders.
9.3 Information security professionals traditionally have had difficulty trying to justify their
existence. IT security staff agree there should be some security controls in place but trying to
validate a defense in depth approach is difficult. Organizations have tried to use Return on
Investment (ROI) and Return on Security Investment (ROSI) as a method to prove the value in
security controls with varying degrees of success. ROI and ROSI don’t always work for an
organization’s information security goals. The Balanced Scorecard is an accepted business
framework for showing progress on organizational goals. Please write an essay discussing the
use of the Balanced Scorecard concept as a potentially more effective measure of
organizational performance. If you were being recruited for a CSO position at Bank of America
(B of A), discuss what your position might be as you prepare for the interview with the B of A
CEO.

Assignments: NO Essays Due

10 4/3 Discussion Topics


✓ INFOSEC Outsourcing

Assigned Reading
 Outsourcing - www.referenceforbusiness.com/small/Op-Qu/Outsourcing.html
 The 10 hidden costs of outsourcing - www.supplychainquarterly.com/topics/Strategy/20130621-the-10-hidden-costs-of-outsourcing/
 The Hidden Costs of Outsourcing - https://www.forbes.com/sites/forbesinsights/2013/03/29/the-hidden-costs-of-outsourcing/#36c3cd8971c7
 The Real Cost of Outsourcing 2012 – PDF
 How to Determine Your Outsourcing Cost - http://www.smarthustle.com/determine-outsourcing-cost/
 When You’ve Got to Cut Costs—Now - https://hbr.org/2010/05/when-youve-got-to-cut-costs-now
 How to Cut Costs – Strategically - https://hbr.org/ideacast/2009/09/how-to-cut-costs-strategically?referral=03759&cm_vc=rr_item_page.bottom

 A Better Way to Cut Costs - https://hbr.org/2009/03/a-better-way-to-cut-costs?referral=03759&cm_vc=rr_item_page.bottom
 Cutting Costs Without Cutting People - https://hbr.org/2011/04/cutting-costs-without-cutting?referral=03759&cm_vc=rr_item_page.bottom
 In-house vs. outsourced IT: what makes the most business sense? - http://www.information-age.com/top-five-things-consider-when-outsourcing-123459436/
 To Outsource or Not to Outsource: a Cost Accounting Decision - http://www.dummies.com/business/accounting/to-outsource-or-not-to-outsource-a-cost-accounting-decision/

Wisdom from YouTube


 MSSP: The Pros and Cons of Outsourcing Network Security -
https://www.youtube.com/watch?v=qUJMwEHu4GU (1:38)

Class Session 10 Questions:


10.1 Outsourcing occurs when a company purchases products or services from an outside
supplier, rather than performing the same work within its own facilities, in order to cut costs.
The decision to outsource is a major strategic one for most companies, since it involves
weighing the potential cost savings against the consequences of a loss in control over the
product or service. Some common examples of outsourcing include manufacturing of
components, computer programming services, tax compliance and other accounting
functions, training administration, customer service, transportation of products, benefits and
compensation planning, payroll, and other human resource functions. Similar to other
INFOSEC-related business components there are intangible elements associated with the
outsourcing of security-related functions and responsibilities. For this essay, assume that
you have just been hired as the first Chief Security Officer (CSO) for the ACME Widget
Company and your first official duty is to perform analysis to determine if it makes good
business sense to outsource some or all of the INFOSEC functions you are now responsible
for. Please write an essay discussing your analysis including your recommendation to the
Board of Directors.
10.2 In today’s fast-paced business world, driving efficiency is often at the heart of growth plans.
When thoroughly planned, outsourcing plays a vital role in ensuring productivity is high;
enabling managers to focus on business development and disruptive innovation. However,
some organizations cause irreparable damage to their business by outsourcing too early,
while others risk falling behind to more innovative competitors by ignoring the opportunities
available to them; and some companies outsource the wrong mix of services and/or
activities. Put simply, the majority of outsourcing takes place to increase profit margins,
lowering expenditures on labor and operational costs, while improving the bottom line.
However, the cost-efficiency of taking this approach comes into question if the wrong
processes are left in the hands of a third party. For this essay, assume that you have just
been hired as the Chief Security Officer (CSO) for the ACME Widget Company and your first
official duty is to perform analysis to determine if it makes good business sense to outsource
some or all of ACME’s Information Technology (IT) infrastructure and Data Center
operations. Please write an essay discussing your analysis including your recommendation to
the Board of Directors.

Assignments: Essays Due by Midnight – Numbers 1 thru 9

11 4/10 Discussion Topics


✓ The Cost of Data and Security Breaches

Assigned Reading
 Data breaches cost US businesses an average of $7 million — here’s the breakdown - http://www.businessinsider.com/sc/data-breaches-cost-us-businesses-7-million-2017-4
 Rand Study: Average Data Breach Costs $200K, Not Millions - https://www.darkreading.com/attacks-breaches/rand-study-average-data-breach-costs-$200k-not-millions/d/d-id/1326962?
 Global Cost of Cybercrime Predicted to Hit $6 Trillion Annually By 2021, Study Says - http://www.darkreading.com/attacks-breaches/global-cost-of-cybercrime-predicted-to-hit-$6-trillion-annually-by-2021-study-says/d/d-id/1326742

Wisdom from YouTube


 The true cost of a security breach - https://www.youtube.com/watch?v=83ZRjoI7lVs (2:19)

Class Session 11 Questions:


11.1 There is little doubt that data breaches are expensive both in terms of dollars and cents and
reputation. There are many articles and research reports that seek to define what costs and
expenses are appropriate to include in data breach calculations (including the three reading
assignments for this module). The numbers are rather staggering and are not completely
consistent – the Business Insider article concludes that the “average” data breach costs $7
million while the Rand Study indicates that the cost is much lower – around $200K for each
occurrence. Finally, a Cybersecurity Ventures Report indicates that Cybercrime costs will
grow to $6 Trillion by 2021. Please write an essay comparing these three cost estimates as
well as others you may come across in your research. Why is there such a disparity in the
numbers? What do you think are the core cost and expense drivers that should be included
in data breach calculations? If you were going to present a research paper on The Practical
Costs and Expenses of the “Average” Data Breach at the 2019 RSA security conference, what
would be your findings and recommendations?

Assignments: Essays Due by Midnight – Numbers 10 thru 20

12 4/17 Discussion Topics
✓ INFOSEC Education, Awareness, and Training
✓ IAWIP – Cyber Workforce Management Program

Assigned Reading
✓ Information Assurance Workforce Improvement Program. DoD 8570.01-M.
http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf
✓ DoD 8570.01-M Manual Information Assurance Workforce Improvement Program and DoD
Directive 8140.01 Cyberspace Workforce Management Frequently Asked Questions (FAQs).
http://iase.disa.mil/iawip/Pages/iaetafaq.aspx
✓ Summary of IA Workforce Qualification Requirements.
http://iase.disa.mil/iawip/Pages/summary_wf_requirements.aspx
✓ DoD Approved 8570 Baseline Certifications. http://iase.disa.mil/iawip/Pages/iabaseline.aspx
✓ What Types of Background Checks are There?
https://www.criminalwatchdog.com/faq/types-of-background-checks

Class Session 12 Questions:


12.1 The primary objective of the DoD 8570.01-M, Information Assurance Workforce
Improvement Program (IAWIP) is to train, educate, certify, and qualify personnel
commensurate with their responsibilities to develop, use, operate, administer, maintain,
defend, and dispose/retire DoD Systems.
The goal of DoD 8570.01-M is to “develop a cybersecurity workforce with a common
understanding of the concepts, principles, and applications of cybersecurity for each
category, level, and function to ensure the confidentiality, integrity, and availability (CIA) of
DoD information, information systems, networks and information stored within.” The IAWIP
seeks to provide qualified cybersecurity personnel in each of the 8570 categories identified
for Information Assurance Technical (IAT), Information Assurance Management (IAM),
Computer-Network Defense - Service Providers (CND-SPs), IA System Architects and
Engineers (IASAEs), Authorizing Officials (formerly called Designated Accrediting/Approving
Authorities [DAAs]), and Assessing Functions.
For this essay, assume that you have just been hired as the Chief Information Security Officer
(CISO) for the Smith, Barrett, Jones, and Darby (SBJ&D) Cybersecurity Convergence Group
(CCG)¹ and your first task as CISO is to consider all or specific parts of the DoD 8570.01-M
IAWIP for implementation at the CCG. What 8570.01-M components will you recommend
for adoption at SBJ&D CCG? Why did you select specific components while leaving others
out? Are there IAWIP-related components that you added that were not in 8570.01-M? If
so, what were they and why did you add them? Your paper will be sent as a read-ahead for
the Board of Directors and Senior Partnership Group for the annual SBJ&D CCG Security
Conference in New Zealand next month. Good Luck.

Assignments: Essays Due by Midnight – Numbers 21 thru 30

¹ The Smith, Barrett, Jones, and Darby (SBJ&D) Cybersecurity Convergence Group (CCG) is comprised of 1,200 Partners and a 10-member Board of Directors. Below the partnership, there is a global workforce of 6,000 INFOSEC Professionals working in 60 countries worldwide.
13 4/24 Discussion Topics
✓ The Cost of Business Recovery
✓ Disaster Recovery
✓ Continuity of Operations
✓ High Availability

Assigned Reading
 The Power of Information Availability (Blackboard) 12 pages.
 Disaster Recovery Planning Guide 2013 (Blackboard) 11 pages.
 Business Impact Analysis 2007 (Blackboard) 52 pages.
 Executive Guide to Business Continuity Management 2017 (Blackboard) 14 pages.
 Ten steps to a successful business impact analysis. http://searchsecurity.techtarget.com/tip/Ten-steps-to-a-successful-business-impact-analysis
 Continuity of Operations Plans. https://emergency.princeton.edu/how-to-prepare/continuity-of-operations-plans
 High Availability Computer Systems (Blackboard) 19 pages.
 US-CERT Federal Incident Notification Guidelines - https://www.us-cert.gov/incident-notification-guidelines
 3 Crisis Management Case Studies We Can Learn From - https://www.rockdovesolutions.com/blog/3-crisis-management-case-studies-we-can-learn-from

Wisdom from YouTube


✓ Mapping Interdependence - https://www.youtube.com/watch?v=agTv028ESkA
✓ Disaster Recovery Contracts - http://www.sungardas.com/en/resources/videos-and-demos/disaster-recovery-contracts/
✓ Sungard Availability Services Assurance Plan Maintenance - https://www.youtube.com/watch?v=OedtFzsUQPc
✓ Sungard Availability Services Disaster Recovery as a Service (RaaS) Explained - https://www.youtube.com/watch?v=qEtF_8B2juI
✓ Business Impact Analysis - https://www.youtube.com/watch?v=bMkyV4bMCM4
✓ BIA – Business Impact Analysis - https://www.youtube.com/watch?v=GXNDSOxfri0

Class Session 13 Questions:


13.1 Please write an essay describing what a Business Impact Analysis (BIA) is and how it is or should be
performed. Are there alternatives to the BIA? If yes, what are they? If no, why not? Also, please
discuss how the BIA fits into Disaster Recovery Planning (DRP), Continuity of Operations Planning
(COOP), and/or High Availability Planning (HAP). One of the key deliverables from a BIA is what’s
known as an Interdependency Map – please define what the Interdependency Map is and how it can be
constructed and why it is vitally important to the DRP/COOP/HAP Chief.
13.2 Disaster Recovery Testing is a key component of any DRP/COOP/HA program. That said, testing in a
production environment is risky and is usually frowned upon unless absolutely necessary. There are
several alternatives to testing on production systems. Table Top Testing has emerged as an effective
methodology to prepare key recovery executives as well as the organization itself. Please write an
essay discussing the general requirements for Disaster Recovery and Continuity of Operations testing
and then, if appropriate, discuss why and how table top testing has emerged as a viable and
cost-effective solution. In your discussion, please identify who in the organization needs to participate
in a Table Top Test in order for it to be a success. Finally, discuss how a Table Top Test can be performed
across international boundaries and across multiple time zones.
13.3 Availability is one of the three primary components in the CIA Triad. The Recovery Time
Objective (RTO) is measured in seconds, minutes, hours, and/or days. RTO drives the Continuity of
Operations planning process and is the defining variable when determining whether the organization needs
Disaster Recovery Planning (DRP), Continuity of Operations Planning (COOP), or High Availability
Planning (HAP). Please write an essay that discusses the significance of the availability component and its
key driver, the RTO. Once the relationship between RTO and availability has been established, discuss
the level of preparedness that will be required to support RTOs ranging from 0 seconds to 60 days.
13.4 Assume that you graduate from the MSSI program and are hired by a rather large organization with an
established presence in markets around the world. Please write an essay describing the differences
between Disaster Recovery Planning (DRP), Continuity of Operations Planning (COOP), and High
Availability Planning (HAP). Incorporate into your paper how and why you arrived at your conclusions;
the BIA and the RTO should figure prominently in your decisions.

Assignments: Essays Due by Midnight – Numbers 31 thru 45

14 5/1 Discussion Topics
✓ Final Q & A and Clarification
✓ Final Examination Review

Assignments: Essays Due by Midnight – Numbers 46 thru 51

15 5/8 Reading Period – 5/5 thru 5/8 – NO CLASS

16 5/15 Final Examination - This examination is an Open Book /Open Note Examination
The examination becomes available on Blackboard at 6:00 PM. Students must complete the exam
and upload to Blackboard NLT 9:00 PM (timestamp) on May 15, 2018.
Please ensure that you put your name on the examination.
✓ On page 1 enter your first and last name plus your JHUISI Student Number.
✓ When you save the Final Exam replace “YOUR LAST NAME HERE” with your last name.
o For example, your Instructor would save the exam as follows: “Spring 2018 650.653.01
Final Exam for Kociemba.”
PLEASE NOTE:
1 Late exams will be assessed a 10% (25 points) penalty for the first 60 minutes. Additional
penalties of 5 points per half hour will be assessed for each additional ½ hour that the exam
is late. These penalties are not negotiable. Avoid them by not being late.
2 Students who do not turn in exams by 3:00 am the next morning (May 16, 2018) will be
awarded 0 (zero) points.
3 Students who are taking the exam and are observed communicating (i.e., talking, e-mailing,
texting, or signing) with other students will forfeit all points associated with this exam. The
student you are communicating with will also forfeit all points associated with this exam.

Appendix A – Rubric and Grading Criteria / Standards for Course Essays

As a graduate student at Johns Hopkins University, you are expected to write well (in this class) – to be clear, concise,
articulate, and to the point. Plagiarism will not be tolerated – cite your sources and DO NOT COPY AND PASTE. Direct
quotations can be no more than 5% of your paper.

A+ 98-100 Offers a genuinely new understanding of the topic. Indicates brilliance. An organized, coherent and well-
written product that clearly warrants publication. Demonstrates total grasp of the topic. Error free and
proper use of grammar.

A 93-97 Work of superior quality that shows a high degree of original thought. Addresses all major considerations.
Demonstrates excellent grasp of topic.

A- 90-92 Clearly well above the average expected of graduate work; contains original thought. Demonstrates a
comprehensive grasp of topic. Addresses all major and key minor points. To receive this grade or higher,
inclusion of a counter-argument must be included that explores the case which could be made against the
offered thesis.

B+ 87-89 A sound effort that meets all the criteria of a well-crafted essay; discusses all important ideas related to the
topic.

B 83-86 Average graduate-level performance. A solid essay that is, on the whole, a successful consideration of
topic.

B- 80-82 An essay that addresses the question and has a clearly-stated thesis, but fails to fully support the thesis
and either does not address counter- arguments thoroughly, has serious structural flaws or does not fully
develop conclusions. Below average grade.

C+ 77-79 Sufficiently analytical to distinguish it from a C, but lacks sufficient support, structure, analysis or clarity to
merit graduate credit. An essay that does not include a thesis cannot receive a grade higher than this. Fair
grade.
C 73-76 Indicates that the work is barely adequate and does not meet the standards of graduate work. Expresses a
responsible opinion but makes inadequate use of evidence, has little coherent structure, is critically
unclear, or lacks the quality of insight deemed sufficient to explore adequately the issue. Poor grade.
C- 70-72 Attempts to address the question and approaches a responsible opinion but does not come to a
responsible, defensible conclusion worthy of serious attention or is sufficiently below average in one or
more of the six standards of an essay. Substandard grade.

D Blatantly minimal effort made in preparation of essay. Totally ignores six standards of an essay.
F 69 and below An essay that is clearly unrepresentative of the qualities expected of graduate-level work or that fails to
address the question. Failing grade.

Six standards for an essay:


1. Addresses the assigned topic/question in a highly analytical manner.
2. Proposes a well-defined thesis, stated early.
3. Presents evidence to support that thesis.
4. Addresses specific course themes and concepts relevant to the assigned topic/question.
5. Addresses, explicitly or implicitly, opposing arguments or weaknesses in the thesis and supporting evidence (this constitutes a
counter-argument).
6. Accomplishes all of the above in a clear and well-organized fashion using proper grammar, punctuation, usage, and sentence
structure.

Appendix B – Rubric and Grading Criteria for Class Participation

A+(98-100) Strikes an outstanding balance between listening and contributing. Demonstrates complete preparation for
each class as reflected in the quality of contributions to discussions. Contributions indicate brilliance through a
wholly new understanding of the topic.

A (93-97) Contribution is always of superior quality. Unfailingly thinks through the issue at hand before comment. Can
be relied upon to be prepared for every class meeting. Contributions highlighted by insightful thought,
understanding, and in part original interpretation of complex concepts.

A- (90-92) Above the average expected of a graduate student. By the insightful quality of contributions, commands the
respect of other students and instructors. Fully engaged in class discussions.

B+ (87-89) A positive contributor to class discussions. Joins in most weekly discussions. Contributions reflect
understanding of the material.

B (83-86) Average graduate level contribution. Involvement in weekly discussions reflects adequate preparation for
seminar.

B- (80-82) Contributes infrequently. Sometimes speaks out without having thought through the issue well enough to
marshal logical supporting evidence, address counter-arguments, or present a structurally sound position.

C+ (77-79) Sometimes contributes voluntarily; more frequently needs to be encouraged. Content to allow others to take
the lead or frequently tries to dominate the discussion. Minimal preparation for seminar reflected in arguments
lacking the support, structure or clarity to merit graduate credit.

C (70-76) Contribution is barely adequate. Attempts to forward a plausible opinion through inadequate use of evidence,
incoherent logical structure, and a critically unclear quality of insight that is insufficient to adequately examine
the issue at hand. Usually content to let others form the seminar discussions.

D A grade of “D” is not acceptable, and not awarded, for Graduate-level work.

F (69 or lower) Student fails to contribute in any substantive manner. Extremely disruptive or uncooperative. Completely and
habitually unprepared for class.
