Attend an Open Evening

Management of Information Security and Risk  MSc


Concerns about cyber security and information risk have led to a growing market for technical specialists, but there is also a need for more senior professionals with an awareness of both the technical and the business issues who can bridge the gap between IT security and business risk. Such professionals would be responsible for drawing up organisation strategies for managing risk, identifying trade-offs between multiple risks and the cost of protection, and advising higher management on these issues. Typical roles of these professionals might include Security Architect, Chief Information Risk Manager, or Chief Security Officer.

This Masters course is aimed at IT professionals with about 5 years experience and is intended to provide them with the skills that they need to progress to a management role in information security and risk. Hence it aims to prepare these professionals for the management roles in Information Security including Security Architect, Chief Information Risk Manager, Chief Security Officer or Chief Information Security Officer. It covers both technical issues such as information security, quantitative risk assessment, and assurance, as well as more business oriented issues such as information leadership and executive development. It will be led from academics by the School of Informatics, with input from Cass Business School and experts from industry.

Why you should study for the MSc in Management of Information Security and Risk (MISR) at City University London:

  • Learn about both the technical and the business issues that can bridge the gap between IT security and business risk.
  • Understand how to communicate these risks to both the technical staff and the executive business team (CEO, CIO, CFO and COO) in a language they share.
  • Focus on human-machine interaction and decision making within today's increasingly complex Political-Economical-Socio-Technical (PEST) systems.
  • Find out about latest industry and government standards, legislation and best practice from leading technical experts.
  • Network with your peers to compare and contrast best practices from different industries.

Learn more about how the programme can protect your organisation.

How is the course taught?

All modules are taught in block mode of two long weekends (Thursday evening, all day Friday and all day Saturday).

The course is taught part-time only and in block mode of two long weekends per module on our campus at City University London from 5:00pm.

Applicants can also apply to enrol on individual modules as CPDs. It will then be possible for you to gradually build credits for the MSc should you wish to take this route. City University London is also an approved MoD Enhanced Learning Credits (ELC) scheme provider (ID-1538).

Our part of London is well-served by the Northern Line (City branch), as well as the combination of the Circle/District/Metropolitan/Hammersmith & City lines, and by the Central Line. We are in close proximity to both Kings Cross St Pancras Station (serving the international Eurostar train line) and London Airports, including City Airport.

Scholarships, bursaries and prizes

The School offers a range of generous scholarships, bursaries and prizes to applicants for this course:

Entry Requirements:

Applicants should hold a second class honours degree or the equivalent from an international institution in a cognate subject.


Course Fees:

  • Part-time EU: £5,000 per year
  • Part-time Non EU: £7,500 per year

Start Date:

Autumn 2016

How to Apply

Entry Requirements

Applicants should hold a second class honours degree or the equivalent from an international institution in a cognate subject.

Applicants should also have approximately five years of relevant professional experience (absolute minimum of two years in exceptional circumstances). In some circumstances, professional experience and qualifications are accepted in lieu of a degree.

Other Suitable Qualifications

INTO Postgraduate preparation Programmes

If you do not qualify for direct entry, our partner INTO City University London offers academic preparation programmes which focus on the skills you need. Successful completion of the Graduate Diploma in Science and Engineering at INTO City University London means guaranteed progression to this degree.

English Requirements

For students whose first language is not English, one of the following qualifications is also required:

  • IELTS: 7

Please note that due to changes in the UKVI's list of SELTs we are no longer able to accept TOEFL as evidence of English language for students who require a CAS as of April 2014.

INTO English Language Programmes

If you need to improve your English language skills before you enter this course, our partner, INTO City University London offers a range of English language courses. These intensive and flexible courses are designed to improve your English ability for entry to this degree. Please click the links below for more information.

English for Postgraduate Study

Pre-sessional English

Visa Requirements

If you are not from the European Economic Area / Switzerland and you are coming to study in the UK you may need to apply for a visa or entry clearance to come to the UK to study.  

The way that you apply may vary depending on the length of your course; there are different rules for:

  • Students on courses of more than 6 months
  • Students on courses of less than 6 months
  • Students on a pre-sessional English Language course

Please note: If you require a Tier 4 student visa to study in the UK, you cannot undertake any City University London courses on a part-time basis.

For more information see our main Visa page.

Course Content

Led by the internationally respected Centre for Software Reliability, the course is delivered with the multidisciplinary Centre for Cyber Security Science and Cass Business School. The course is aimed at IT professionals with around five years' experience. It covers the skills and knowledge necessary to be successful in senior roles in information security and risk.

The course supports the extra breadth of knowledge required by people with professional experience to progress towards target roles in management or consulting on security, assurance and risk. This extra breadth is in the directions of:

  • principles of security and resilience
  • understanding of risk as a socio-technical rather than technical issue
  • a common framework for considering risks with technical and human, accidental and malicious causes
  • analysis of assurance (systems and policies) beyond mere compliance with standards and rules
  • as well as professional development and leadership

Course Structure

Modules providing Professional Skills:

Information Leadership

  • The role of the CIO/information leader past, present and future
  • Relationships with key executive posts such as CEO, COO, CFO
  • Talent management: the information leader's team, key IT functional roles and technology specific issues
  • Financial context: budgeting, corporate/public sector financial reporting, balance sheets, cash flow, income/expenditure, etc. Management accounting issues
  • Purchasing, third-party and customer/supplier management
  • Introduction to IT governance, legal/regulatory issues and the role of policy and standards
  • Information as a source of competitive advantage: when IT does and doesn't matter.

Executive Development

  • Competency frameworks, qualifications and CPD, including; IISP, SFIA, ITIL, BCS and industry certifications
  • Personal SWOT analyses and action planning
  • Developing behavioural competencies in an organisational context; leadership, team working, communication, negotiation, and influencing
  • Reflection, performance appraisal, mentoring and coaching
  • Project, programme and change management in uncertain environments
  • Communities of practice and professional identity.

Socio-technical Systems

  • The concept of socio-technical system; examples of errors caused by technical-only analysis of IT based systems
  • Introduction to Human Factors, cognitive processes, assessment of human performance and human error
  • Unexpected effects of automation on work organisation,  behaviour and performance
  • The psychology of risk perception and communication
  • Models and empirical studies of responsibility, trust and trustworthiness
  • Psychology of security and social engineering attacks
  • Organisational factors: roles of culture and incentives
  • Approaches to the study of risk and risk management in socio-technical systems: "Normal accidents", "High reliability organisations", "Resilience engineering".

IT Risk Management for effective performance and the prevention of fraud, error and disaster

  • The assurance gap -  how to identify the black hole between the Board's understanding of the governance of the organisation and the operational reality
  • IT Risk Management - how to ensure that IT risks are part of the enterprise risk management process
  • IT Audit - the multi-layered approach to identifying the effectiveness of controls over the systems life cycle, the operational efficacy and the security of the IT resource
  • IT Governance - demonstrating the need for transparency and integration of the IT resource
  • Continuous Monitoring and Continuous Audit - the new dynamic - providing assurance that events - specifically IT related events - are controlled in real time - or close to real time
  • Best Practice IT workshop including case studies showing the causes of major IT failures
  • Prevention of Fraud, denial of service.

Specialized Security and Risk Modules:

Information Security Management

  • Information Security in the 21st century, evolving threats and defences
  • Security policies and governance; Role of standards, guidelines and legislation
  • Communicating security and risk issues to general and executive audiences
  • Selecting and evaluating strategies and technologies for organization wide security.

IT Risk and Resilience

  • Basic concepts, definitions and types of requirements in dependability, security, resilience including reference to the relevant international standards and adopted good practices
  • Systematic methods for identifying vulnerabilities and threats; basic concepts and examples about means for achieving resilience and security: avoidance, prevention, removal, mitigation and recovery at the technical and at the organisational levels
  • Fundamental design trade-offs in formulating information security/resilience strategies; introduction to the means for assessing dependability and resilience and information assurance methodologies
  • Basic concept of the risks due to the interdependencies between critical infrastructures (i.e. power grid reliance on telecommunication and vice versa, etc.) and methods of its quantification and management (interdependency analysis).

Quantitative Risk Analysis

  • Quantifying risk. Probabilistic models.  Statistical inference
  • Subjective probabilities and Bayesian inference
  • Dependent events.  Dependent random values
  • Worst / best case estimates of probabilities and random values
  • Models of defence / protection
  • Presenting results of risk analysis

Assurance Cases

  • The nature of the assurance and evaluation problem for computer based systems
  • Deriving and structuring of claims in an assurance case; claim expansion from architecture; from dependability attributes.
  • The role of standards, policies and regulations in deriving claims and argument strategies
  • Evidence and arguments for different attributes
  • Reviewing and assessing cases; improving communication. Developing cases for a range of stakeholders - from "boardroom to back office"
  • Cases for specific classes of systems. Issues of scalability
  • The use of tools for assurance cases (e.g. ASCE).

Students also take an independent individual project, which applies the technical contents of the course to a concrete problem. The project may be executed during an internship in an outside organisation, within a successful internship scheme.

Read the full programme specification

Teaching and Assessment

The modules will be delivered in block mode, with students taking 2 modules per term. Each module consists of two blocks as follows:

  • Thursday evening: 5pm - 9pm
  • Friday: 9am-5pm
  • Saturday: 9am-5pm

Modules can also be taken individually for Continuing Professional Development (CPD).

In summary, assuming attendance at the Thursday evening sessions can be done without having to take any time off from work, the students are expected to take 8 Fridays off from work in a calendar year (though some employers may allow their employees to take these times off as study leave), and they will need to also attend classes for a further 8 Saturdays (i.e. 2 Fridays and 2 Saturdays per module). Timetables are for guidance only and are subject to change.

Semester 1 (October-December)

IT Risk and Resilience

IT Risk Management for effective performance and the prevention of fraud, error and disaster

Semester 2 (January- April)

Quantitative Risk Analysis

Executive Development

Semester 1 (October-December)

Information Security Management

Information Leadership

Semester 2 (January- April)

Socio-Technical Systems

Assurance Cases

Read the full programme specification

Recommended Reading

You may wish to undertake some preparatory reading.

Introduction to IT Risk & Resilience (INM417)

  • Dev G. Raheja, Michael Allocco, (2006) "Assurance Technologies Principles and Practices: A Product, Process, and System Safety Perspective", Wiley, ISBN - 13: 978-0-471-74491-7, 2nd edition.
  • Scott Jackson, "Architecting Resilient Systems" (2010), Wiley, ISBN 978-0-470-40503-1.
  • Hollnagel E, Woods DD and Leveson N (2006) "Resilience Engineering: Concepts and Precepts", Aldershot, Ashgate.

Information Security Management (INM416)

  • National Institute of Standards and Technology (1995), An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12. Available online:
  • National Institute of Standards and Technology (2006). Information Security Handbook: A Guide for Managers, Special Publication 800-100. Available online:
  • Edward Humphreys (2010), Information Security Risk Management: Handbook for ISO/IEC 27001, British Standards Institute, 2010
  • Bruce Schneier (2000). Secrets & Lies. Digital Security in a Networked World,John Wiley & Sons.
  • Ross Anderson (2008). Security Engineering (2nd edition), John Wiley & Sons. 1st edition available online:

Assurance Cases (INM419)

  • R E Bloomfield, P G Bishop, C C M Jones, P K D Froome, ASCAD-Adelard Safety Case Development Manual, Adelard 1998, ISBN 0-9533771-0-5.
  • R E Bloomfield, and B Littlewood (2007)."Confidence: its role in dependability cases for risk assessment". International Conference on Dependable Systems and Network, Edinburgh, IEEEComputer Society.
  • P G Bishop, Dependability of Critical Computer Systems 3: Techniques Directory, Elsevier Applied Science, ISBN 1-85166-544-7, 1990.
  • R E Bloomfield, S Guerra, A Miller, M Masera and C B Weinstock, "International Working Group on Assurance Cases (for Security)," IEEE Security and Privacy, 4 (3), pp. 66-68, May/June, 2006.
  • R E Bloomfield and B Littlewood, "Multi-legged Arguments: The impact of Diversity upon Confidence in Dependability Arguments", Proceedings DSN 2003, pp. 25-34, IEEE Computer Society, ISBN 0-7695-1952-0,2003.
  • CAA CAP 670, "SW01-Regulatory Objectives for Software Safety Assurance", CAP 670 Air Traffic Services Safety Requirements. CAA Safety Regulation Group, 1998.
  • UK Ministry of Defence. Def Stan 00-56, "Safety Management Requirements for Defence Systems", Defence Standard 00-56/Issue 4, 2008.
  • W S Greenwell, J C Knight, C M Holloway, and JPease, A Taxonomy of Fallacies in System Safety Argument, 24th International System Safety Conference, Albuquerque, NM, August 2006.
  • D Jackson, M Thomas, and L I Millett, Editors, "Software for Dependable Systems: Sufficient Evidence?" Committee on Certifiably Dependable Software Systems, National Research Council ISBN: 0-309-10857-8, 2007

Quantitative Risk Analysis (INM418)

  • David Vose  "Risk Analysis: A Quantitative Guide", 3rd Edition by, John Wiley & Sons, 2008, ISBN 978-0-470-51284-5
  • K. S. Trivedi "Probability and Statistics with Reliability, Queuing, and Computer Science Applications", Second Edition, John Wiley & Sons, 2002
  • "System Analysis Reference, Reliability, Availability and Optimization" ReliaSoft Publishing. Rev 2007. available online ( last accessed on 20/05/2009)

Information Leadership (INM412)

  • N. Carr (2004). Does IT Matter? Information Technology and the Corrosion of Competitive Advantage, Harvard Business School Press.
  • Robert D. Austin, Richard L. Nolan, Shannon O'Donnell (2009). The Adventures of an IT Leader. Harvard Business School Press.
  • Peter Atrill, Eddie McLaney (2006). Accounting and Finance for Non-Specialists (5th Edition). Financial Times/ Prentice Hall.
  • Elizabeth Orna (2004). Information strategy in practice. Gower.
  • Gareth Morgan (2006), Images of Organization. Sage Publications, Inc; Updated Edition.
  • Kaye Thorne, Andy Pellant (2006). The Essential Guide to Managing Talent: How Top Companies Recruit, Train and Retain the Best Employees. Kogan Page Limited.
  • You should also make use of the academic primary literature, for example.
  • Grover, V., Jeong, S., Kettinger, W. J., and Lee, C. C. (1993). The chief information officer: a study of managerial roles. J. Manage. Inf. Syst. 10, 2 (Sep. 1993), 107-130.
  • Bartol, K.M., and Martin, D.C. Managing information systems personnel: a review of the literature and managerial implications. MIS Quarterly, special issue (1982), 49-70.
  • Armstron, Curtis and Sambamurthy, V., "Creating Business Value Through Information Technology: The Effects of Chief Information Officer and Top Management Team Characteristics" (1996). ICIS 1996 Proceedings.  Paper 14.
  • Anne Woodsworth, (1993) "Libraries and the Chief Information Officer: Implications and Trends", Library Hi Tech, Vol. 6 Iss: 1, pp.37 - 44

Socio-technical Systems (INM415)

  • Baron, J. (2008) Thinking and deciding, Cambridge Univ Press.
  • Dekker, S. (2006) The Field Guide To Understanding Human Error, Aldershot, UK, AshgatePublishing Ltd.
  • Flin, R., O'Connor, P. & M., C. (2008) Safety at the Sharp End: A Guide to Non-Technical Skills, Aldershot, Ashgate.
  • Gigerenzer, Gerd (2008) "Rationality for Mortals: How People Cope with Uncertainty (Evolution and Cognition)" Oxford University Press
  • Hastie, R. & Dawes, R. M. (2009) Rational choice in an uncertain world: The psychology of judgment and decision making, Sage Publications, Inc.
  • Hollnagel, E, Woods, D D & Leveson, N (2006) "Resilience Engineering: Concepts and Precepts" Aldershot, Ashgate.
  • Klein, G., Orasanu, J., Calderwood, R. & Zsambok, C. E. (1993) Decision Making in Action: Models and Methods, Norwood, NJ, Ablex Publishing Co.
  • Reason, J (2002) "Human Error" Cambridge University Press.
  • Reason, J. (2008) The Human Contribution: Unsafe Acts, Accidents and Heroic Recoveries, Aldershot, UK, Ashgate Publishing Ltd.
  • Salvendy, G. (2006) Handbook of Human Factors and Ergonomics (3rd edition), Wiley.
  • Stanton, Neville A, Salmon, Paul M, Walker, Guy H Baber, Chris, Jenkins, Daniel P (2006) "Human Factors Methods: A Practical Guide for Engineering And Design" Ashgate Publishing
  • Whetton, Sue (2005) "Health Informatics: A socio-technical perspective" Oxford University Press
  • Wickens, Christopher D,  Hollands, Justin G (1999) "Engineering Psychology and Human Performance" Prentice Hall


  • Part-time EU: £5,000 per year
  • Part-time Non EU: £7,500 per year


For up-to-date information about tuition fees, living costs and financial support, visit Postgraduate Fees and Finance.

Future Finance Loans

Future Finance offers students loans of between £2,500 and £40,000 to help cover tuition fees and living expenses. All students and courses are considered. All loans are subject to credit checks and approval for further details please visit the City Finance website.


Scholarships, bursaries and prizes

The School offers a range of generous scholarships, bursaries and prizes to applicants for this course:

Career Prospects

This course will appeal to companies and professionals that need to develop or improve their capability in managing IT-related security, in order to enter markets with higher demands of dependability and security, comply with new regulations, or re-qualify for new roles. Graduates should be suitable for consideration as the CSO or Security Architects and Senior Information Risk Managers and would also greatly help them in information security Consultancy and Auditing roles.

Our previous and existing cohort of students attending MISR have all been full-time employed in various companies, ranging from multi-billion pound turnover multi-nationals in the aviation industry, auditing multi-national companies (e.g. KPMG), media companies (e.g. Sky and Sony), companies in the financial sector (e.g. Deutche Bank and  Charles Stanley) in the City of London, small and medium enterprises (SMEs), government department and NHS trusts. The programme helps students build a strong network with their peers as well as maintaining the network as part of their career development.

After the successful completion of the course candidates may also consider a PhD degree, towards an academic/research career.

Learn more about how the programme can protect your organisation.

Apply for MSc Management of Information Security and Risk

We invite all suitable applicants living within a 200-mile radius of London to an open evening and/or interview session; these are held monthly between March and July. Overseas and more distant applicants are sent a questionnaire, which may be supplemented by a telephone interview or email discussion. Such students are welcome to visit the Department if they are in or near London at some stage.

You should submit your application by one of the following two methods:

1. Completing the online form; or

2. Completing a hard copy of the application form and sending this to the address below.

Please ensure you include your supporting documentation with your application. If you are applying online you should note that confidential references are only acceptable as originals sent in signed and sealed envelopes by post to the address below. References attached as supporting documentation to an online application cannot be considered.

International students: it is important you submit your application to us in sufficient time for you to arrange your visa before the start of the course.

You will be able to attach electronic copies of your supporting documents. However, you will be required to submit your confidential references in hard copy (in signed and sealed envelopes) to the address below, together with any supporting documents you do not attach when applying online.

Postal applications and supporting documents

Alternatively, to receive an application pack in the post please contact the Programmes Office:

Tel: +44 (0) 20 7040 0248

Please send your completed paper application form, together with supporting documents, to:

Programmes Office
School of Mathematics, Computer Science & Engineering
City University London
Northampton Square