
Cyber Intelligence and Operations

This is a course module on MSc Cyber Security Engineering and is available as an elective on MSc Cyber Security and Management.

This module is one of the eight modules required for the GCHQ Master's certification.


Routine operations management should maintain a cyber system within its operational envelope and in an optimal state to do useful work; life-cycle operations such as patches, upgrades, replacements and training are performed in a planned and orderly fashion as part of routine operations management.

With indefinite resource, that would be sufficient; the preparedness of the cyber system would always be sufficient to deal with any threat or hazard to which it is exposed. With limited resource, however, it is probable that the cyber system will be exposed to some specific threat or hazard that it is not sufficiently prepared to deal with. When this happens, an incident occurs which takes the cyber system outside its intended operational envelope.

The prioritisation and timely coordination of activities is critical to minimise the harm that follows from an incident. These activities should progressively restore the cyber system, remediate harm, prevent recurrence, inform interested parties, and restore confidence. Having a well-rehearsed incident response plan helps to do this right.

In the cyber context, situational awareness presents the human decision maker with an intuitive representation of the well-being of their cyber environment. Critically, when things go wrong, the important symptoms of this wrongness are highlighted, facilitating corrective action.

Cyber intelligence provides an organisation with the ability to assess the cyber-related threats and hazards that may damage them. It is particularly concerned with the purposeful collection of information, its processing and analysis in order to produce actionable intelligence.

This module gives students a framework to reason about cyber security in order both to anticipate incidents and to deal with their occurrence.

Learning Outcomes

  • Reason about the threats and hazards to which a cyber system may be exposed.

  • Evaluate the situational awareness of an organisation.

  • Reason about the production of actionable intelligence.

  • Synthesise key indicators of cyber well-being.


Cyber Intelligence
- Risk in the cyber context – assessment, management, hazard vs threat
- Threat actors – organisation, motivation, attention and deception
- Narratives, language and communication
- The intelligence cycle and current intelligence theory and practice, toolsets

Situational Awareness
- Data collection, sensors, endpoint and channel hardening
- Prioritisation, timeliness, presentation, normal vs abnormal, information overload

Incident Response
- The incident response lifecycle
- Roles and structures
- Facilities, equipment, tools and techniques
- Internal and external communication pre-, mid- and post-incident


100% weighting post-module assignment


This module is delivered in an intensive one-week block of directed tuition (nominally 40 hours, including 18 hours of lectures, 10 hours of seminars and 12 hours of practical classes).

Other useful information

Students will be based in the WMG Cyber Security Centre, with most taught sessions taking place in our specialist cyber security and forensics laboratory / classrooms.


Please note: the details of this module are correct for the current year of study and may be subject to change for future years.