Case-based learning in the management practice of information security: an innovative pedagogical instrument

Abstract

Case-based learning (CBL) approaches are critical to the education of tomorrow’s executives and managers. CBL instigates critical discussion, draws out relevant experiences from students, encourages questioning of accepted practices, and creates dialogue between theory and practice. There is unfortunately a lack of quality teaching resources to support CBL in information security management (ISM). In this paper, we address this need by developing, refining, and evaluating a teaching case of a hypothetical firm that suffers a catastrophic incident of intellectual property (IP) theft. Protecting IP is both complex and expensive as it involves developing enterprise-wide security mechanisms for the people, process, and technology dimensions of organizations. We drew the plot, narrative, characterization, dilemmas, and conflict from two landmark legal cases to focus on the three key areas of organizational security as defined by the joint task force on cybersecurity education—risk management, planning and strategy, and policy and governance. Our case was used to teach information security to Management Information Systems students enrolled in a Master’s Degree at the University of Melbourne, Australia. We subsequently developed a survey instrument to measure the utility of the teaching instrument for teaching. Survey data collected across 2 consecutive years indicated that students strongly agreed that the teaching case was relevant, realistic, engaging, challenging, and instructional.