Integrating Case Studies into Information Security Education

  • Alexandra Savelieva
  • Sergey AvdoshinEmail author
Part of the Progress in IS book series (PROIS)


Today the demand is growing for information security experts capable of analyzing problems and making decisions in business situations that involve risk or uncertainty. These skills can be acquired through systematic studying of various information security incidents. In this paper we propose a framework of methods, tools and taxonomies for analysis of case studies in information security field. Our framework allows to study every situation in a formal rather than ad-hoc way, and apply a wide range of threat modeling, risk analysis and project management techniques under lifelike conditions. We illustrate it by providing two case studies based on real situations: a conflict between a free email service provider and a commercial bank, and an attack on a famous security company by a powerful hacktivist group. The first situation explores the risks of using cloud services, while the second highlights the importance of applying secure code principles for in-house software development. Although the cases are seemingly different, we demonstrate that they can be analyzed with similar tools.


Case study Information security Education Security incident Event chain Parkerian Hexad Threat STRIDE Information asset Risk Attack lifecycle 



The present work benefited from the input of reviewers and participants of BIR 2012 Workshop on Teaching Business Informatics Intelligent Educational Systems and E-learning, thanks to Dr. Prof. Oleg Kozyrev, Director of HSE Nizhny Novgorod campus, and other members of the organizing committee, who made it possible for the authors to give a talk in teleconference mode. Alexandra Savelieva wishes to thank Oksana Chernenko, Executive Director of the HSE Foundation for Education Innovations, for her support, encouragement and guidance throughout the development of this educational project. The authors also wish to express their gratitude to Dr. Anatoli Shkred, CEO and Rector at INTUIT. RU, and Dr. Alexander Gavrilov, Academic Lead at Microsoft Russia, whose positive feedback and useful comments encouraged them to continue the work after the publication of the first case study-based electronic course on information security. The authors would like to sincerely thank Dr. Prof. Arun Sood, Co-Director, International Cyber Center, for the opportunity to present the idea of using case studies to a broad audience of professional specific target groups involved in cyber security all around the world participating in “2011 Workshop on Cyber Security and Global Affairs”, and Dr. Prof. Vladimir Azarov, Deputy Director of Research at MIEM HSE, for the invitation to MQ&ISM-2012 conference collocated with an intensive course on the ISO 27000 series of standards by CIS Austria.


  1. 1.
    Ayyagari, R., & Tyks, J. (2012). Disaster at a university: A case study in information security. Journal of Information Technology Education, 11 (Innovations in practice).Google Scholar
  2. 2.
    Herreid, C. F. (Ed.). (2007). Start with a story: The case study method of teaching science. Arlington, VA: National Science Teachers Association. pp. 466.Google Scholar
  3. 3.
    Workshop on Teaching Information Assurance Through Case Studies and Hands-on Experiences.
  4. 4.
    Logan, P., & Christofero, T. (2009). Giving failure a place in information security: Teaching students to use the post-mortem as a way to improve security. In: Proceedings of the 13th colloquium for information systems security education. University of Alaska, Fairbanks Seattle, WA, June 1–3, 2009.Google Scholar
  5. 5.
    Hartel, P. H., & Junger, M. (2012). Teaching information security students to “think thief”. Technical report TR-CTIT-12-19, Centre for Telematics and Information Technology, University of Twente, Enschede. ISSN 1381–3625.Google Scholar
  6. 6.
    Savelieva, A. (2011). Special considerations in using the case-study method in teaching information security. In: Proceedings of “IT security for the next generation”. TUM, Germany: Garching, Boltzmannstr.
  7. 7.
    Savelieva, A. A., & Avdoshin, S. M. (2011). Information security education and awareness: Start with a story. In: Proceedings of “2011 workshop on cyber security and global affairs”.
  8. 8.
    Bishop, M. (2006, September). Teaching context in information security. Journal on Educational Resources in Computing, 6(3).Google Scholar
  9. 9.
    Homepage — ECCH for educators.
  10. 10.
    McNulty, E. (2007). Boss, I think someone stole our customer data. Harvard Business Review, September, 37–42.Google Scholar
  11. 11.
    ISO/IEC 27001:2005. (2005). Information technology security techniques information security management systems requirements. Google Scholar
  12. 12.
    Parker, D. B. (1998). Fighting computer crime. New York: Wiley.Google Scholar
  13. 13.
    Parker, D. B. (2009). Toward a new framework for information security. In S. Bosworth, M. E. Kabay, & E. Whyne (Eds.), The computer security handbook (5th ed.). New York: Wiley.Google Scholar
  14. 14.
    Howard, M., & Lipner, S. (2006). The security development lifecycle: SDL: A process for developing demonstrably more secure software (pp. 304). Microsoft Press.Google Scholar
  15. 15.
    Landwehr, C. E., & Bull, A. R. (1994). A taxonomy of computer program security flaws, with examples. ACM Computing Surveys, 26(3), 211–254.CrossRefGoogle Scholar
  16. 16.
    Lindqvist, U., & Jonsson, E. (1997). How to systematically classify computer security intrusions (pp. 154–163). IEEE Symposium on Security and Privacy, Los Alamitos, CA.Google Scholar
  17. 17.
    Paulauskas, N., & Garsva, E. (2006). Computer system attack classification (2nd ed., Vol. 66). Kaunas: Technology.Google Scholar
  18. 18.
    Weber, D. J. (1998). A taxonomy of computer intrusions. Master’s thesis, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology.Google Scholar
  19. 19.
    Howard, J. D., & Longstaff, T. A. (1998). A common language for computer security incidents. Technical report, Sandia National Laboratories.Google Scholar
  20. 20.
    Serdiouk, V. A. (2007). Advances in technologies for protection against attacks in corporate networks. Moscow: Tekhnosphera.Google Scholar
  21. 21.
    Event Chain Methodology in Project Management. White Paper by Intaver Institute Inc.,
  22. 22.
    Zetter, K. (2011). Bank sends sensitive E-mail to wrong Gmail address, Sues Google. Wired, September 21, 2009.
  23. 23.
    Bright, P. (2011). Anonymous speaks: the inside story of the HBGary hack. ArsTechnica, 12 Alexandra Savelieva, Sergey Avdoshin.
  24. 24.
    Honan, M. (2012). How Apple and Amazon security flaws led to my epic hacking.
  25. 25.
    Honan, M. (2012). How I resurrected my digital life after an epic hacking.
  26. 26.
    Russian Court Website Defaced in Support of Pussy Riot. (2012). Moscow: AFP.
  27. 27.
    Rivner, U. (2011). Anatomy of an attack. Copyright 2011 EMC Corporation,
  28. 28.
    Tamai, T. (2009). Social impact of information system failures. IEEE Computer, 42(6), 58–65.CrossRefGoogle Scholar
  29. 29.
    Avdoshin, S. M., Savelieva, A. A., & Serdiouk, V. A. (2010). Microsoft technologies and products for information protection. Microsoft Faculty Resource Center,
  30. 30.
    Kaspersky Lab Global Website. IT security for the next generation.
  31. 31.
    Foundation for Educational Innovations. Best proposals-2011,

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.Microsoft CorporationRedmondUSA
  2. 2.National Research University Higher School of EconomicsMoscowRussia

Personalised recommendations