About this online course


Cybersecurity breaches are the outcome of bad incentives. This course teaches you how to think about rational security investments, aligning security with the business strategy, insurance, incident response and much more. As well as individual organizations, it also covers solutions to address market failures.

This course brings together state-of-the-art expertise on solutions to cybersecurity failures at both  organization and market levels.

Organizations face difficult decisions about how to manage the cybersecurity risks that they face. How much should you spend on security? How can you align security with your business strategy? What is a rational approach to managing your vulnerabilities? Should you adopt cyber insurance? After you have suffered an incident, is it better to go public or to keep it a secret? 

This course,  provides you with a clear way of thinking about these issues, supporting you to make better decisions. It trains professionals in IT and business to think about investment decisions, risk mitigation and insurance. It also provides boardroom-level executives with the training required under NIS2. 

These issues extend beyond the individual organization. Market failures are everywhere in cybersecurity. Information asymmetry, adverse selection and externalities cause inefficient markets and mean that the costs and benefits of security risks are distributed unequally. Some organizations capture the benefits, while the consequences are suffered by others. 

How can these market failures be addressed? The last part of the course focuses on policy interventions. We explain when ex ante regulations are effective and when it is more efficient to rely on ex post liability. A lot of new regulation in the US, EU and Asia relies on certification. Does this actually work? We bring together insights into a response that is often overlooked: encouraging voluntary action by firms. These insights enable policymakers and decision makers to design better policies to improve the cybersecurity of our economy and the country at large.

What You'll Learn

After completion of the course, participants should be in a position to:

  1. Define the main organization-level solutions to security failures
  2. Evaluate the strengths and weaknesses of each organization-level solution in a specific context
  3. Define the main market-level solutions to security failures
  4. Evaluate the strengths and weaknesses of each market-level solution in a specific context


Course Syllabus

Week 1:
In this week we will introduce key concepts for the field of security and risk management. We will also investigate what security investments are and the decision-making process associated with them.
Topics covered this week:

  • Security and risk management per-breach
  • Decision theory for security investments
  • Security investments and organization politics

Week 2:
This week we will describe the different security providers’ functions and specifically focus on what cyber insurance is, as well as what possibilities there are to transfer cyber security risk.
Topics covered this week: 

  • Focus on security providers
  • Cyber insurance 101
  • A closer look at cyber risk transfer

Week 3:
In this week we continue our investigation of cyber risk by looking into the different risk information sharing principles and what barriers there are that inhibit it. We conclude this section with a close look at post-breach security strategies.
Topics covered this week:

  • Cyber risk information sharing
  • Barriers to cyber risk information sharing
  • Security and risk management post-breach

Week 4:
This week we will explain the different policy intervention approaches at an organizational level. We will dive deep into ex-ante safety regulations as well as  ex-post liability.
Topics covered this week:

  • Policy intervention overview
  • Ex ante safety regulations
  • Ex post liability

Week 5:
The focus of this week is on analyzing the process of certifying products and the potential issues that arise from the certification process. We will also discuss what information disclosure is and its effects. 
Topics covered this week:

  • Certifying products
  • Certifying processes
  • Information disclosure

Week 6:
In this final week we will conclude the analysis of different security solutions, by looking into what data protection and breach disclosure tries to achieve, what voluntary actions are taken in practice, and what incentives are included in policy regulations. We conclude this section with a quick look at other policy responses, that we have not investigated in detail in this course.
Topics covered this week:

  • Data protection and breach disclosure
  • Voluntary actions
  • Regulatory “carrots”
  • Other policy responses



If you successfully complete this course you will earn a professional education certificate and you are eligible to receive 2.5 Continuing Education Units (CEUs).

View sample certificate


This course is primarily geared towards working professionals.


Participants are encouraged to combine this course with the course “Economics of Cybersecurity: Foundations and Measurements” and “Economics of Cybersecurity: Solutions”.


If you have any questions about this course or the TU Delft online learning environment, please visit our Help & Support page.

Enroll now Enroll with STAP

  • Starts: Mar 05, 2025
  • Fee: €1050
  • Group fee: contact us
  • Enrollment open until: Feb 26, 2025
  • Length: 6 weeks
  • Effort: 4 - 6 hours per week

Related courses and programs