Unit rationale, description and aim

In an increasingly digital and interconnected world, organisations face growing and complex cybersecurity threats, making it essential for professionals to understand how to manage security risks effectively and ethically.

Students will develop an understanding of security risk and of the appropriate frameworks, models and strategies to identify, categorise and mitigate risk as a scalable, repeatable process, in order to best prepare and protect organisations from IT-related threats. The standards and frameworks examined in the unit are constantly being revised and updated as new technologies and capabilities emerge in the threat landscape, such as cloud computing, quantum processors and artificial intelligence platforms.

The aim of this unit is to equip students with the knowledge and skills to understand and manage security risks in organisations through the application of appropriate cybersecurity frameworks, models, and strategies.

Campus offering

No unit offerings are currently available for this unit.

Prerequisites

Nil

Learning outcomes

To successfully complete this unit you will be able to demonstrate you have achieved the learning outcomes (LO) detailed in the below table.

Each outcome is informed by a number of graduate capabilities (GC) to ensure your work in this, and every unit, is part of a larger goal of graduating from ACU with the attributes of insight, empathy, imagination and impact.

Learning Outcome 01

Apply the principles, tools and techniques related to information systems security risk analysis.
Relevant Graduate Capabilities: GC2, GC10

Learning Outcome 02

Investigate the ISM Essential Eight Maturity Model as developed by the Australian Signals Directorate.
Relevant Graduate Capabilities: GC1, GC10

Learning Outcome 03

Critically analyse the Risk Management Framework as developed by the US National Institute of Standards and Technology (NIST).
Relevant Graduate Capabilities: GC1, GC7

Learning Outcome 04

Analyse the ISO 27001 model for risk assessment and treatment.
Relevant Graduate Capabilities: GC2, GC8

Learning Outcome 05

Apply elements of the NIST RMF, the ASD Essential Eight Maturity Model and the ISO 27001 assessment and treatment model to the design of a risk management framework for an organisation.
Relevant Graduate Capabilities: GC4, GC10

Content

Topics will include:

  • Understanding cybersecurity risk and risk management principles
  • Methods for risk identification and categorisation
  • Methods for risk prioritisation/assessment
  • Selecting and implementing both mitigation and contingency actions
  • Assessment of implemented strategies
  • Risk management as a repeatable cycle
  • Analysis of examples of both successful and unsuccessful implementations of cybersecurity
  • Risk management and resulting business outcomes.

Assessment strategy and rationale

A range of assessments will be used to meet the unit learning outcomes and develop graduate attributes consistent with university assessment requirements.

  • Assessment 1 requires students to apply their theoretical knowledge in solving problems in the lab environment. The purpose of this assessment is to guide students to recognise, categorise and prioritise cybersecurity risks and to develop appropriate mitigation strategies and actions.
  • Assessment 2 requires students to assess the implementation of a risk management framework in a chosen organisation and to report on the success (or otherwise) of that framework.
  • Assessment 3 requires the student to develop a report (and associated presentation) on the capabilities of the standards and frameworks to respond to changes in the threat landscape relating to changes in information technology hardware, software, and platforms, and how those changes can be integrated into business risk management.

Students must achieve a minimum overall mark of 50% to pass the unit. Assessments will be graded using rubrics aligned with the intended learning outcomes, ensuring transparency and consistency in evaluation. The staged nature of the assessments supports the development of both analytical and applied capabilities in a coherent and cumulative manner.

Overview of assessments

Assessment Task 1: Report (Individual)

This assessment requires students to apply their theoretical knowledge in solving problems in the lab environment. The purpose of this assessment is to guide students to recognise, categorise and prioritise cybersecurity risks and to develop appropriate mitigation strategies and actions.

Submission Type: Individual

Assessment Method: Written Report

Weighting

25%

Learning Outcomes LO1, LO2
Graduate Capabilities GC1, GC2, GC10

Assessment Task 2: Case Study (Group)

This task requires students to assess the implementation of a risk management framework in a chosen organisation and to report on the success (or otherwise) of that framework. Students are required to present their solution as a 1500-word report on a real-world scenario of their choice.

Submission Type: Group

Assessment Method: Case Study

Weighting

40%

Learning Outcomes LO3, LO4, LO5
Graduate Capabilities GC1, GC2, GC7, GC8, GC10

Assessment Task 3: Report (Individual)

Assessment 3 requires the student to develop a report (and associated presentation) on the capabilities of the standards and frameworks to respond to changes in the threat landscape relating to changes in information technology hardware, software and platforms, and how those changes can be integrated into business risk management. Students are required to produce a reflective 1000-word report on their learning from the case study and their proposed solution, and to present their future approach to addressing similar issues in the workplace to solve real-world problems in the form of a 4-5 minute presentation.

Submission Type: Individual

Assessment Method: Written Report & Presentation

Weighting

35%

Learning Outcomes LO1, LO3, LO4, LO5
Graduate Capabilities GC1, GC2, GC4, GC7, GC8, GC10

Learning and teaching strategy and rationale

Students are expected to engage in approximately 150 hours of learning over a twelve-week semester or equivalent study period. This includes scheduled classes, independent readings, participation in online forums, and preparation for assessments. Weekly workshops and practical lab activities support students in developing and applying core cybersecurity risk management concepts through individual and collaborative learning.

This unit is offered in both Attendance and Online modes to support diverse learning needs and preferences.

In Attendance Mode, students will participate in scheduled face-to-face workshops that involve hands-on activities, case study discussions, and guided group work. Preparation prior to sessions is essential and supported through online materials and self-paced quizzes.

In Online Mode, students will engage in a structured sequence of e-learning modules that include interactive tutorials, guided readings, formative quizzes, and collaborative tasks such as discussion forums and virtual labs. Online workshops and webinars provide opportunities for real-time interaction with peers and instructors. Pre-recorded lectures and curated electronic resources support flexible, self-directed learning while ensuring alignment with learning outcomes.

This blended, active learning approach ensures that students in all modes can build practical skills and theoretical understanding in cybersecurity governance and risk management.

Representative texts and references

Anson, S. (2019). Applied incident response. Wiley.

Australian Signals Directorate. (n.d.). Information Security Manual (ISM). Australian Government. https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism

Brumfield, C. (2021). Cybersecurity risk management. Wiley.

Clark, C. (2020). Cyber security incident management: Masters guide Vols. 1, 2, 3. Independently Published.

International Organization for Standardization. (2013). ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements. https://www.iso.org/standard/27001

Klipper, S. (2015). Information security risk management. Springer.

National Institute of Standards and Technology. (n.d.). Risk Management Framework (RMF). U.S. Department of Commerce. https://csrc.nist.gov/projects/risk-management

Sophie Grace Pty Ltd. (2022). Australian Financial Services Licence (AFSL) risk management policy: Risk assessment and management matrix.