Cybersecurity Governance
- Academic unit or major: Major courses
- Instructor(s): Keisuke Tanaka / Masayuki Mamiya
- Class Format: Lecture/Exercise
- Media-enhanced courses: -
- Day of week/Period (Classrooms): -
- Class: -
- Course Code: XCO.T478
- Number of credits: 110
- Course offered: 2026
- Offered quarter: 4Q
- Syllabus updated: Mar 26, 2026
- Language: Japanese
Syllabus
Course overview and goals
With the advanced use of information and communications technology involving the internet, cybersecurity threats have become increasingly serious. Cyber attacks continue to have a serious impact on society, and the damage caused to society by the leakage of personal information and intellectual property due to cyber attacks is immeasurable. Despite the importance of the cybersecurity field, there is currently a significant shortage of human resources.
In response to such social needs, Tokyo Institute of Technology, the predecessor of Institute of Science Tokyo, launched the Progressive Graduate Minor in Cybersecurity in April 2016. In this minor, students will learn the practical aspects of cybersecurity in collaboration with NRI (as the core), Rakuten, NTT, and AIST, and at the same time acquire knowledge of the theoretical background by taking advantage of the strengths of the theoretical field, which is a distinctive feature of the information and communication research field at Institute of Science Tokyo.
The curriculum consists of the following seven core courses, offered at the School of Computing.
Foundation of Cybersecurity (1Q, 2-0-0)
Theory of Cryptography for Cybersecurity (3Q, 2-0-0)
Practice and Application for Cybersecurity (3Q, 1-1-0)
Cybersecurity Governance (4Q, 1-1-0)
Attack and Defense on Cybersecurity I (2Q, 1-1-0)
Attack and Defense on Cybersecurity I (2-3Q, 1-1-0)
Attack and Defense on Cybersecurity II (4Q, 1-1-0)
This course aims to provide an understanding of the fundamental frameworks for information security management measures and to equip students with methods for corporate governance that take security into account.
Course description and aims
By completing this lecture, students will achieve the following:
1) Explain the concept of cybersecurity governance from a management and governance perspective.
2) Identify risks in research and medical institutions based on economic security and the prevention of intellectual property leakage.
3) Compare and apply major frameworks such as NIST CSF and ISO/IEC 27001/27014.
4) Conduct organizational risk assessments, prioritize risks, and formulate mitigation plans.
5) Understand the concept of Zero Trust, and discuss its application to information systems and its limitations.
6) Make decisions and provide recommendations as a CISO through case studies.
Student learning outcomes
Relationship between practical experience and course content (or practical educational content)
The lecturer will deliver a practical lecture on cybersecurity governance based on experience in information security management gained in the private sector and expertise developed as a cybersecurity auditor in a government agency. Case studies will utilize the case method. Using real incidents handled by the lecturer as teaching materials, students will actively engage in discussions to develop practical skills, exploring questions such as "What should a CISO be like?" and "How should staff support the CISO?"
Keywords
Security, Information Security, Cybersecurity, Governance, Incident Handling, Risk Management, IoT, Information Security Audit, Zero Trust, Proactive Cyber Defense, State-Sponsored Cyberattacks, Economic Security, Research Governance, Intelligence, OSINT, Institutional Engineering, CISO, Cybersecurity Framework, Case Method
Competencies
- Specialist skills
- Intercultural skills
- Communication skills
- Critical thinking skills
- Practical and/or problem-solving skills
- By completing this course, participants will acquire broad and practical knowledge and perspectives necessary for cybersecurity governance.
Class flow
The course will be conducted through a combination of lectures, dialogue-based sessions, group discussions, and the case method. In the case method approach, students are expected to carry out their own research and analysis in advance, and class sessions will proceed through active discussion between the instructor and students.
Course schedule/Objectives
| | Course schedule | Objectives |
|---|---|---|
| Class 1 | Introduction: What is Cybersecurity Governance? (From Technical to Governance Issues, Overview of GRC) | Understand cybersecurity not as a technical issue but as a matter of management and governance, and grasp the fundamental concepts of governance as well as the scope of this course. |
| Class 2 | Economic Security and Cybersecurity | Using medical diagnostic AI as an example, identify the governance challenges required for research and medical institutions from the perspective of economic security and IP leakage prevention. |
| Class 3 | International Standards and Governance Frameworks | Overview international standards such as NIST CSF and ISO/IEC 27001/27014, and understand the positioning of frameworks in organizational governance. |
| Class 4 | Risk Management and Business Judgment | View cyber risks as a subject of business judgment, and understand the concepts of risk tolerance and prioritization. |
| Class 5 | CISO and Organizational Governance | Clarify the roles and capabilities required of a CISO, and understand the ideal governance structure connecting management and operations. |
| Class 6 | Security Policy and Internal Control | Grasp the system of security policies and internal controls, and understand the demarcation of responsibility and ensuring the effectiveness of controls. |
| Class 7 | Human Factors and Security Culture | Understand the impact of human factors on security, and clarify the importance of governance as an organizational culture. |
| Class 8 | Audit and Accountability | Understand the role of audits and inspections, and clarify governance as a verification function to fulfill accountability. |
| Class 9 | Incident Response and Crisis Management | Understand the initial response and management responsibility during an incident, and grasp that establishing a crisis management system is essential for governance. |
| Class 10 | Governance of IoT and Control Systems | Understand the risks specific to IoT and control systems, and identify governance challenges in critical infrastructure. |
| Class 11 | Governance of Healthcare Information Systems | Understand the possibilities and limitations of applying Zero Trust based on the characteristics of healthcare information systems and medical device systems. |
| Class 12 | Case Study 1 (Domestic) | Analyze the challenges of advanced persistent threats and IP/security governance in research institutions through the AIST incident. |
| Class 13 | Case Study 2 (Overseas) | Clarify the necessity of Zero Trust and governance lessons demonstrated by supply chain compromises through the SolarWinds incident. |
| Class 14 | Final Presentation and Conclusion | Integrate recommendation skills as a CISO through final presentations, and summarize the overall picture of cybersecurity governance. (Note: The Japan Pension Service incident will be handled as a case for the final presentation, where students will create a proposal for management.) |
Study advice (preparation and review)
Prior to each class, students are expected to carefully read the handouts and reference materials, and organize their thoughts based on the specified viewpoints before attending.
Because this course includes discussions in group work and case studies, students must write and submit a position paper (approximately one A4 page) on "The Ideal State of Cybersecurity Governance in Research Institutions Based on the University's Philosophy" at the first class. This assignment is not about finding a "correct" answer; rather, it is an opportunity for students to candidly verify their resonance with the university's philosophy. It will serve as reference material for the instructor during class discussions. Although submission is required, the content will not affect grading in any way.
After class, students should review the material by re-organizing the governance issues discussed during the lectures and debates, and refine their ideas as if preparing a proposal for top management. Particularly for case study sessions, students should summarize the incident timeline, decision-making challenges, and recurrence prevention measures to prepare for the final presentation.
Textbook(s)
Textbooks will not be used in this course.
Reference books, course materials, etc.
References will be announced in the classes.
Evaluation methods and criteria
The evaluation is based on the percentage of correct answers on quizzes to check understanding of the classes, as well as the evaluation of a final presentation or report upon completion. In addition, attendance and participation (active and constructive comments, and a listening attitude towards others' comments) will be considered. These factors will be combined for a comprehensive evaluation.
Related courses
- XCO.T473 : Foundation of Cybersecurity
- XCO.T474 : Theory of Cryptography for Cybersecurity
- XCO.T475 : Attack and Defense on Cybersecurity I
- XCO.T476 : Attack and Defense on Cybersecurity II
- XCO.T477 : Attack and Defense on Cybersecurity III
- XCO.T480 : Practice and Application for Cybersecurity
Prerequisites
There are no specific knowledge, skills, or previously taken subjects required as a condition for taking this course. However, basic knowledge of computer science concepts and networks will help students understand the course content smoothly.
Contact information (e-mail and phone)
Notice: Please replace "[at]" with "@" (half-width character).
keisuke[at]comp.isct.ac.jp (Contact us via Slack direct message)
Office hours
Appointment by Slack direct message is required.
Other
Excerpts from Participant Feedback
[Participant 1]
The lecture format, which involves immediate discussion on assigned topics, was innovative for a university course. I felt that it could contribute to developing the ability to gather relevant stakeholders and determine response policies and initial actions when an incident actually occurs.
[Participant 2]
I was struck by how the spread of cyberspace has transformed and diversified the nature of warfare. At the same time, I was reminded of the wide range of challenges that remain.
[Participant 3]
What stood out to me was the importance of reducing the “burdensomeness” of rules through dialogue with frontline staff when establishing them, as well as the importance of fostering a culture that allows for “open give-up,” where people can frankly state when something is not feasible.
[Participant 4]
The concept of “key competencies” mentioned at the end of today’s lecture left a strong impression. I have an academic conference in January where I will have opportunities to interact with various people, so I would like to approach it with this in mind.
[Participant 5]
I was impressed by the point that human curiosity can sometimes serve as a motive for cybercrime, and that it is important to properly understand this aspect.
[Participant 6]
Considering the physical security of our university, I felt that there are many areas that require attention. On the other hand, if countermeasures are made too strict, it becomes inconvenient for everyday use, so finding the right balance is challenging.
[Participant 7]
I had thought that Zero Trust was an important concept, but I learned that it also has its limitations and that layered defense and continuous monitoring and operation are indispensable. This made me realize that implementing Zero Trust is not simple.
[Participant 8]
I had only heard the term “DX” in a business context, but I learned that it originally comes from a broader societal context, which left a strong impression on me.
[Participant 9]
What stayed with me was the idea that we say “safety first,” not “peace of mind first,” and that it is important not to make something that is unsafe appear safe. I also found the example of aircraft armor improvements, introduced as a case of selection bias, to be very interesting and memorable.
[Participant 10]
Listening to the final presentations, I found it interesting that each participant focused on different aspects. I realized that I should have more carefully considered what needs to be conveyed to management. Regarding my presentation, I also felt that I could have improved my delivery and phrasing to make it more impactful.