Managing Cyber Security Risks: How Much Security is Enough?

How much security against cyber attacks is enough economically in today’s business world? That’s the focus of this two-day program instructed by Tyler Moore, Ph.D., University of Tulsa Associate Professor of Computer Science, Tandy Chair of Cyber Security and Information Assurance, 2016-17 New America Cybersecurity Fellow.

Anyone who has the responsibility of protecting the security of a company’s IT infrastructure but does not have formal training in cybersecurity will benefit from attending.


“Great class. Included excellent information on what to collect to determine risk in our environment.” – Justin, Security Engineer, QuikTrip Corporation
“Enjoyed the material & group discussion time.” – Patrick, IT, Calyx Energy
“This course is excellent for both cyber security practitioners to help understand the business side of cyber security and instrumental for anyone tasked with convincing CSuite Execs to invest in security.” – Erin, CSOC Lead, QuikTrip Corporation

Participants will learn, through HANDS-ON EXERCISES, how to answer the question, “How much security is enough?”, using three different methodologies:
1. They will understand that when compliance regimes dictate investments, meeting those obligations could be enough.
2. They will understand how to apply security investment frameworks and identify ‘enough’ spending when the controls recommended by the framework are applied.
3. They will learn how to compute quantitative metrics that calculate return on security investment, and how to conduct cost-benefit analysis: when security investments bring more benefits than they cost, spending is ‘enough’.

But Most Importantly:
4. Participants will understand the advantages and disadvantages of each approach, and be comfortable using each to guide investment decisions.

Who Should Attend:

  • IT Staff with security responsibilities but no formal training
  • Those responsible for designing, implementing and overseeing cybersecurity operations
  • System Architects
  • Chief Information Security Officers
  • Personnel with budgetary authority, or who must appeal to someone with budgetary authority, on IT investments
  • Chief Information Officers
  • Those who understand the technical aspects of security controls but need to have a broader perspective of how to build and implement a program

Value-Added Highlights:
– Interaction with a leading expert on the economics of cybersecurity
– Group exercises which showcase techniques on how to manage risks which might be applied to your own organization


Tyler Moore, PhD
Associate Professor of Computer Science
Tandy Chair of Cyber Security and Information Assurance
The University of Tulsa
2016-17 New America Cybersecurity Fellow

During this two-day seminar, you will learn how to...

  • Explain how the most important threats to cybersecurity work
  • Describe the operation of controls that mitigate cybersecurity risks and how they fit within investment frameworks
  • Identify compliance regimes that direct cybersecurity investments
  • Relate economic explanations of cybersecurity shortcomings to real-world scenarios
  • Compute quantitative investment metrics and cost-benefit analysis of security controls

Date, Venue, Time, & Hotel Reservations

The course runs from 8:30 am – 4:30 pm both days.
June 10-11, 2020 * Tulsa, OK
The University of Tulsa
Henneke Building (off campus)
1204 S. Harvard, Tulsa, OK 74112

Need a Hotel Room? There are many hotels in Tulsa to choose from. It just depends on where you’d like to stay.
The downtown area has many, many new restaurants and clubs. So if you’d like to stay there, just google-search top hotels in downtown Tulsa and find one you like. It’s an easy 15-minute drive from downtown Tulsa to our building.
Of course, we always recommend booking at the Doubletree Hilton Hotel (6110 S. Yale) in Tulsa, OK. There are new restaurants within walking distance of the hotel; plus it’s a very easy 10-15 minute drive from there to our building. Contact them directly at 918-495-1000 and request the University of Tulsa meeting rate. Free covered parking garage for hotel guests.

Course Fee:

• BEST DEAL DISCOUNT: $995 per person (Deadline: April 22, 2020)
• Early Enrollment Discount: $1,295 per person (Deadline: May 13, 2020)
• Team Discount (2 or more): $1,295 per person
• Regular Tuition Fee: $1,595 per person

Fee includes all course materials, exercises, lectures, continental breakfast & refreshments both days.

We ask everyone to bring a laptop to use during the program.

Course Outline

Understanding the Cyber Threat Landscape
– CIA Model
– Overview of Current Threats
– Traditional Means of Countering Threats
Economic Perspective
– Why Cybersecurity is Hard
– Misaligned Incentives
– Externalities
– Information Asymmetries
Compliance as a Driver of Cybersecurity Investment
– Sarbanes-Oxley
Risk Management Terminology
– Risk Management Process
– Approaches: Mitigation, Acceptance, Avoidance, Transfer
Frameworks as a Means of Managing Cybersecurity Risks
– NIST Cybersecurity Framework
– Others: COBIT, ISO 27001, SANS Critical Controls
– Applying the frameworks to your own organization
Security Metrics as Means of Managing Cybersecurity Risks
– What can be measured? What should be measured?
– High-level Investment Metrics: ROSI, NPV, IRR
– Cost-Benefit Analysis: Estimating Parameters and Breakeven Analysis
Course Wrap-Up Discussion
– Comparison of Advantages and Disadvantages of Different Approaches: Compliance, Frameworks, Metrics

Participants will:
1. Appreciate the cyber threat landscape – what threats are relevant to their organization
2. Identify whether particular compliance regimes apply to their business and require an investment in security controls
3. Frame cybersecurity investment in the language of risk management
4. Use a framework to identify which controls are needed to mitigate which threats
5. Compute security investment metrics to determine whether the cost of a control is justified by the benefits it could bring


  • 1.3 CEUs (Continuing Education Units)
  • 13 PDHs (Professional Development Hours)

Register Here:

Managing Cyber Security Risks
June 10-11, 2020 in Tulsa, Oklahoma
Register Online
Company In-House Training
This course is offered by TU-CESE for companies with 10+ employees on an in-company/on-site basis. If interested, complete the In-Company Training Request Form.