Unit rationale, description and aim

In an increasingly digital and interconnected world, organisations face growing and complex cybersecurity threats, making it essential for professionals to understand how to manage security risks effectively and ethically.

Students will develop an understanding of security risk and of the frameworks, models and strategies used to identify, categorise and mitigate risk as a scalable, repeatable process, so as to best prepare and protect organisations from IT-related threats. The standards and frameworks examined in the unit are constantly being revised and updated as new technologies and capabilities emerge in the threat landscape, such as cloud computing, quantum processors and artificial intelligence platforms.

The aim of this unit is to equip students with the knowledge and skills to understand and manage security risks in organisations through the application of appropriate cybersecurity frameworks, models, and strategies.

2026 10

Campus offering

No unit offerings are currently available for this unit.

Prerequisites

Nil

Learning outcomes

To successfully complete this unit you will be able to demonstrate you have achieved the learning outcomes (LO) detailed in the below table.

Each outcome is informed by a number of graduate capabilities (GC) to ensure your work in this, and every unit, is part of a larger goal of graduating from ACU with the attributes of insight, empathy, imagination and impact.

Learning Outcome 01

Apply the principles, tools and techniques related to information systems security risk analysis.
Relevant Graduate Capabilities: GC2, GC10

Learning Outcome 02

Investigate the Information Security Manual (ISM) Essential Eight Maturity Model as developed by the Australian Signals Directorate.
Relevant Graduate Capabilities: GC1, GC10

Learning Outcome 03

Critically analyse the Risk Management Framework (RMF) as developed by the US National Institute of Security and Technology (NIST).
Relevant Graduate Capabilities: GC1, GC7

Learning Outcome 04

Analyse the ISO 27001 model for risk assessment and treatment.
Relevant Graduate Capabilities: GC2, GC8

Learning Outcome 05

Apply elements of the NIST Risk Management Framework (RMF), the ASD Essential Eight Maturity Model and the ISO 27001 assessment and treatment model to the design of a risk management framework for an organisation.
Relevant Graduate Capabilities: GC4, GC10

Content

Topics will include:

  • Understanding cybersecurity risk and risk management principles
  • Methods for risk identification and categorisation
  • Methods for risk prioritisation and assessment
  • Selecting and implementing both mitigation and contingency actions
  • Assessment of implemented strategies
  • Risk management as a repeatable cycle
  • Analysis of examples of both successful and unsuccessful implementations of cybersecurity
  • Risk management and resulting business outcomes.

Assessment strategy and rationale

A range of assessments will be used to meet the unit learning outcomes and develop graduate attributes consistent with university assessment requirements.

  • Assessment 1 requires students to apply their theoretical knowledge in solving problems. The purpose of this assessment is to guide students to recognise, categorise and prioritise cybersecurity risks and to develop appropriate mitigation strategies and actions.
  • Assessment 2 requires students to assess the implementation of a risk management framework in a chosen organisation and to report on the success (or otherwise) of that framework.
  • Assessment 3 requires the student to develop a report (and associated presentation) on the capabilities of the standards and frameworks to respond to changes in the threat landscape relating to changes in information technology hardware, software, and platforms, and how those changes can be integrated into business risk management.

To pass the unit, students must demonstrate achievement of every unit learning outcome, pass hurdle tasks, and obtain a minimum mark of 50% in graded units. Assessments will be graded using rubrics aligned with the intended learning outcomes, ensuring transparency and consistency in evaluation. The staged nature of the assessments supports the development of both analytical and applied capabilities in a coherent and cumulative manner.

Overview of assessments

Assessment Task 1: Report (Individual)

This assessment requires students to apply their theoretical knowledge in solving problems. The purpose of this assessment is to guide students to recognise, categorise and prioritise cybersecurity risks and to develop appropriate mitigation strategies and actions.

Submission Type: Individual

Assessment Method: Written Report

Weighting

25%

Learning Outcomes LO1, LO2
Graduate Capabilities GC1, GC2, GC10

Assessment Task 2: Case Study (Group)

This task requires students to assess the implementation of a risk management framework in a chosen organisation and to report on the success (or otherwise) of that framework. Students are required to present their solution to a real-world scenario of their choice in the form of a 1500-word report. Students also need to submit a 5-10 minute group presentation on their work.

Submission Type: Group

Assessment Method: Case Study & Group Presentation

Weighting

40%

Learning Outcomes LO3, LO4, LO5
Graduate Capabilities GC1, GC2, GC7, GC8, GC10

Assessment Task 3: Report (Individual)

Assessment 3 requires the student to develop a report (and associated presentation) on the capabilities of the standards and frameworks to respond to changes in the threat landscape relating to changes in information technology hardware, software and platforms, and how those changes can be integrated into business risk management. Students are required to produce a reflective 1000-word report on their learning from the case study and their proposed solution, and to present their future approach to addressing similar issues in the workplace, solving real-world problems, in the form of a 4-5 minute presentation.

Submission Type: Individual

Assessment Method: Written Report & Presentation

Weighting

35%

Learning Outcomes LO1, LO3, LO4
Graduate Capabilities GC1, GC2, GC7, GC8, GC10

Learning and teaching strategy and rationale

This unit is delivered through Attendance and Online modes using a single, integrated learning and teaching strategy designed to ensure equivalent learning outcomes and a comparable learning experience for all students, while supporting diverse learning needs and maximising access.

Across both modes, learning activities are intentionally aligned to the unit learning outcomes and assessment tasks, and are underpinned by active learning, guided engagement with disciplinary knowledge, opportunities for peer interaction, and regular, timely feedback. While the mode of delivery shapes how students participate, the pedagogical intent, expectations and standards remain consistent.

In Attendance mode, students engage in weekly face-to-face classes at designated locations, supported by preparatory activities prior to workshops and opportunities for consolidation following classes. Online learning platforms are used to complement face-to-face teaching through additional resources and learning activities.

In Online mode, students engage with the same core content and learning outcomes through a combination of synchronous and asynchronous activities, including structured discussions and applied learning tasks that support learning in professional contexts.

Across both delivery modes, students should plan to commit approximately 150 hours to this unit over the semester, including participation in learning activities, independent study, readings and assessment preparation.

Representative texts and references

Anson, S. (2019). Applied incident response. Wiley.

Australian Signals Directorate. (n.d.). Information Security Manual (ISM). Australian Government. https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism

Brumfield, C. (2021). Cybersecurity risk management. Wiley.

Clark, C. (2020). Cyber security incident management: Masters guide Vols. 1, 2, 3. Independently Published.

International Organization for Standardization. (2013). ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements. https://www.iso.org/standard/27001

Klipper, S. (2015). Information security risk management. Springer.

National Institute of Standards and Technology. (n.d.). Risk Management Framework (RMF). U.S. Department of Commerce. https://csrc.nist.gov/projects/risk-management

Sophie Grace Pty Ltd. (2022). Australian Financial Services Licence (AFSL) risk management policy: Risk assessment and management matrix.

Pascoe, C., Quinn, S. & Scarfone, K. (2024). The NIST Cybersecurity Framework (CSF) 2.0. NIST Cybersecurity White Papers (CSWP), National Institute of Standards and Technology, Gaithersburg, MD.

Webber Insurance. (n.d.). Data breach notifications in Australia. https://www.webberinsurance.com.au/data-breaches-list
