Discover Our Series on Cybersecurity Economics
Security failures in organizations are often caused by bad economic incentives rather than bad technical measures. This program trains professionals in business and government to understand root causes for breaches and design better solutions to protect organizations and the wider ecosystem.
Organizations face cybersecurity threats with potentially devastating and costly consequences. Yet, they often struggle to identify and implement the right measures. How much to invest in security? How to assess the security of suppliers? How can you measure the effectiveness of security controls? How to align security with the business strategy? What interventions get your employees to behave more securely? How do attackers choose their targets? Can regulations protect me against insecure products?
For all these questions, economic thinking is not only valuable, but necessary. Security is the product of tradeoffs made under imperfect information and misaligned incentives. This series provides three courses that enable you to diagnose these issues and design solutions that make organizations more cyber secure.
The course series allows professionals to more effectively manage the cybersecurity risks facing their organization and the wider ecosystem in which they operate.
We will include case studies and live webinars with the lecturers. Assignments will receive individual feedback.
With new laws like NIS2 requiring cybersecurity training, the program is ideal for professionals in management, IT, auditing, compliance, risk governance and related fields. By the end, you'll be prepared to proactively address cybersecurity challenges and enhance your organization's resilience against threats.
The first course on Foundation and Measurement provides you with foundational micro-economic concepts to explain the security behavior of the various actors involved in securing the organization – internally, like IT and business units, and externally, like suppliers, customers and regulators. Next, it equips you with a causal framework to understand how to measure the effectiveness of security controls, as well as what measurements are currently available.
The second course on Users and Attackers presents a wealth of insights on the individuals involved in security: from user behavior to the strategies of attackers. Contrary to popular opinion, users are not the weakest link. If you want to know why users do not follow company security policies, you need to look at the costs imposed on them. On the side of the attackers, there are also clear incentives at work. The course covers the latest insights on attacker behavior.
The third course on Solutions covers ways to overcome the incentive misalignment and information problems at the level of organizations and at the level of markets. Starting with the standard framework of risk management, the course unpacks how to identify solutions in risk mitigation and risk transfer and where risk acceptance might be more rational. Finally, we need to address market failures, since they end up undermining the security of firms and society at large.
By following this series, participants will be in a position to:
Explain security failures with concepts like incentives, information asymmetry, externalities, moral hazard, and network effects
Describe the economic effects of regulation, liabilities and standards on the structure of markets relevant to cyber security
Understand and explain behavioral patterns of users and attackers in enterprise environments
Apply course concepts to evaluating cyber security policies and controls, and determine which factors will contribute positively or negatively to cybersecurity
Identify solutions to better address cyber security issues - from the perspective of government as well as organizations