Managing CyberSecurity Risks: How Much Security is Enough?

How much security against cyber attacks is enough economically in today’s business world? That’s the focus of this two-day program instructed by Tyler Moore, Ph.D., University of Tulsa Associate Professor of Computer Science, Tandy Chair of Cyber Security and Information Assurance, 2016-17 New America Cybersecurity Fellow.

Anyone who has the responsibility of protecting the security of a company’s IT infrastructure but does not have formal training in cybersecurity will benefit from attending.

Participants will learn, through HANDS-ON EXERCISES, how to answer the question, “How much security is enough?”, using three different methodologies:
1. They will understand that when compliance regimes dictate investments, meeting those obligations could be enough.
2. They will understand how to apply security investment frameworks and identify ‘enough’ spending when the controls recommended by the framework are applied.
3. They will learn how to compute quantitative metrics which calculate return on security investment, as well as conduct cost-benefit analysis to determine when security investments bring more benefits than they cost, spending is ‘enough’.

But Most Importantly:
4. Participants will understand the advantages and disadvantages of each approach, and be comfortable using each to guide investment decision.

Who Should Attend:

  • IT Staff with security responsibilities but no formal training
  • Those responsible for designing, implementing and overseeing cybersecurity operations
  • System Architects
  • Chief Information Security Officers
  • Personnel with budgetary authority, or who must appeal to someone with budgetary authority, on IT investments
  • Chief Information Officers
  • Those who understand the technical aspects of security controls but need to have a broader perspective of how to build and implement a program

Value-Added Highlights:
– Interaction with a leading expert on the economics of cybersecurity
– Group exercises which showcase techniques on how to manage risks which might be applied to your own organization


Tyler Moore, PhD
Associate Professor of Computer Science
Tandy Chair of Cyber Security and Information Assurance
The University of Tulsa
2016-27 New America Cybersecurity Fellow

During this two-day seminar, you will learn how to. . .

  • Explain how the most important threats to cybersecurity work
  • Describe operation of controls that mitigate cybersecurity risks and how they fit within investment frameworks
  • Identify compliance regimes that direct cybersecurity investments
  • Relate economic explanations of cybersecurity shortcomings to real-world scenarios
  • Compute quantitative investment metrics and cost-benefit analysis of security controls


  • 1.1 CEUs (Continuing Education Units)
  • 11 PDHs (Professional Development Hours)

Date, Venue, Time, & Hotel Reservations

The course runs from 8:30 am – 4:30 pm both days.
June 11-12, 2019 * Tulsa, OK
The University of Tulsa
Henneke Building (off campus)
1204 S. Harvard, Tulsa, OK 74112
Need a Hotel Room? We suggest booking your hotel room at the Doubletree Hilton Hotel (6110 S. Yale) in Tulsa, OK. Contact them directing at 918-495-1000 and request the University of Tulsa meeting rate. Free covered parking garage for hotel guests.

Course Fee:

BEST DEAL DISCOUNT: $995 per person(register before April 30, 2019 to get this deal)
•Team Discount (2 or more): $1,295 per person
•Early Enrollment Discount: $1,295 per person (deadline: May 14, 2019)
•Regular Tuition Fee: $1,495 per person

Fee includes all course materials, exercises, lectures, continental breakfast & refreshments both days.
We ask everyone to bring a laptop to use during the program.

Course Outline

Understanding the Cyber Threat Landscape
– CIA Model
– Overview of Current Threats
– Traditional Means of Countering Threats
Economic Perspective
– Why Cybersecurity is Hard
– Misaligned Incentives
– Externalities
– Information Asymmetries
Compliance as a Driver of Cybersecurity Investment
– Sarbanes-Oxley
Risk Management Terminology
– Risk Management Process
– Approaches: Mitigation, Acceptance, Avoidance, Transfer
Frameworks as a Means of Managing Cybersecurity Risks
– NIST Cybersecurity Framework
– Others: COBIT, ISO 27001, SANS Critical Controls
– Applying the frameworks to your own organization
Security Metrics as Means of Managing Cybersecurity Risks
– What can be measured? What should be measured?
– High-level Investment Metrics: ROSI, NPV, IRR
– Cost-Benefit Analysis: Estimating Parameters and Breakeven Analysis
Course Wrap-Up Discussion
– Comparison of Advantages and Disadvantages of Different Approaches: Compliance, Frameworks, Metrics

Participants will:
1. Appreciate the cyber threat landscape – what threats are relevant to their organization
2. Identify whether particular compliance regimes apply to their business and require an investment in security controls
3. Frame cybersecurity investment in the language of risk management
4. Use a framework to identify which controls are needed to mitigate which threats
5. Compute security investment metrics to determine whether the cost of a control is justified by the benefits it could bring

Register Here:

Managing CyberSecurity Risks
June 11-12, 2019 in Tulsa, Oklahoma
– Best Deal Discount Deadline: expired
– Early Enrollment Discount Deadline: May 14, 2019

Register Online
Company In-House Training
This course is offered by TU-CESE to companies on an in-company/on-site basis. If interested, complete the Request a Quote Form
In-Company Training Request A Quote