Master of Cyber Security - programme specification

Master i Cyber Security

Master in Cybersecurity

About the programme specification

The study programme for the Master in Cybersecurity consists of 8 taught courses and 2 projects (incl. the final Master thesis project). The total workload is equivalent to one year of full-time work (i.e. 1680 hours), or 60 ECTS. The study programme is designed so that the courses and projects are taken over a 2 year period, but it is possible to develop an individual study plan that extends the programme for up to 4 years in total. All of the taught courses on the Master in Cybersecurity can be taken individually, and courses passed within the past 5 years will count for students who later decide to complete the remaining courses and projects and thus obtain the master degree.

The study programme is divided into 4 thematic semesters, where students are recommended to follow two semesters every year. The Autumn Semester starts at the end of August and ends in the middle of December and the Spring Semester starts in the middle of January and ends at the end of June. 1st and 3rd semester courses run in the autumn whereas 2nd semester courses run in the spring. The projects are typically completed in the 2nd and 4th semester, i.e. in the spring semesters. The exact dates for course start-up and examination periods are given in DTU’s academic calendar.

Each of the taught courses has a workload of 140 hours, which corresponds to 5 ECTS. The number of hours includes time spent in class or in online teaching activities, as well as time spent on preparation and any assignments, examination and such like.

All courses are taught and examined in English.


General admission requirements

Programme specific admission requirements

Admission to the master's program requires either a bachelor's degree in a relevant technical discipline, such as computer science, computer engineering or information management, or equivalent technical qualifications, e.g. obtained through certifications and job experience. The study programme assumes that all student have fundamental intuitions about mathematical concepts and knowledge of scientific thinking, as well as a solid understanding of the architecture, development, operation and application of IT systems.

Applicants with a bachelor's degree in Technical Science, Strategic Design and Systems Analysis from DTU are qualified for the Master programme as per legal requirement. Applicants with a Bachelor’s or Master’s degree (incl. a Diploma Engineering degree) in an IT-related field from DTU or other universities, a Bachelor’s degree from one of the business academies (Da. “professionsbachelorer fra et erhvervsakademi”) are also eligible to apply. It is assumed that all applicants have received IT education as part of their initial degree, as well as having 2 years of work experience in IT, either as an employee of an IT department or as a super user.

The program may also accept applicants who do not meet the formal requirements above, but who, on the basis of an individual assessment (Da. “realkompetencevurdering”), are deemed to have equivalent qualifications (incl. applicants who have completed a Diploma programme under the flexible degree programme). Examples of admissions without full academic qualifications include, but are not limited to, graduates from short tertiary education who have completed the admission course, obtained an IT security profile based on certifications from one or more of the following providers; CompTIA, ISACA, (ISC) 2 or GIAC / SANS, or applicants with completed relevant training at either the Police or Defense Academy. Decision on admission to the master is based on individual assessments and interviews with the applicants.

The Master in Cybersecurity programme is offered in English, so all applicants should have good English language skills, i.e. equivalent to English at minimum B level in the Danish secondary education system.

General Learning Objectives for the part time programs

Specific Learning Objectives for the part time programme

The Master in Cybersecurity programme touches on all the major aspects of cyber security, as well as key elements of the overall concept of "information security". It is designed to provide a professional overview for the benefit of those who work (or want to work) with IT security and to provide the necessary competences to manage cybersecurity efforts from project management (e.g. software development of security critical systems) to the corporate level.

Candidates who have completed the program will be able to:

  • Develop security plans for IT systems, including:
    • Conduct risk analyzes of IT systems
    •  Identify security objectives for a given IT system
    •  Formulate security policies for a given IT system
    •  Implement security technologies that support the defined security policies
  • Prepare contingency plans for IT security incidents (incident response)
  • Prepare emergency plans for disaster events related to IT use in order to maintain the company's functions, possibly including a restoration of the operating facilities
  • Understand the development and operation of secure IT Infrastructure, including:
    • Define a system architecture that supports security policies and controls
    • Design and development of an identity and rights management architecture, which includes authentication mechanisms and access control systems for both physical and IT resources
    • Perform a cybersecurity consultancy, where the various elements of the education are applied within a specific consultancy task provided by an external assignment author (usually one of the companies the students are recruited from)
  • Understand the development of secure IT systems, including:
    • Development of secure software systems
    • Development and configuration of secure communication protocols
    • Design, development and operation of secure networks
  • Conduct security analysis of IT systems (including ethical hacking / penetration testing)

Programme specific competence profile



The study plan outlined below shows the order that we recommend for the courses. It is possible to follow the courses in a different order, but the academic progression and scheduling of activities are based on students following the taught courses in the recommended order. The 4 semesters are outlined in Figure 1.

Figure 1 Recommended study plan for Master in Cybersecurity
                                                             Figure 1 Recommended study plan for Master in Cybersecurity

The themes for the 4 semesters are:

Semester 1: IT-Security Management and Governance
Semester 2: IT-Security Infrastructure
Semester 3: Secure Applications and Systems Semester
4: Master thesis project

Many of the courses and both projects are, at least partly, evaluated through practical work carried out in collaboration with external organisations, in many cases the student’s own organisation.

Taught Courses

Security principles (and their implementation in systems)
Objective: to provide an overview of fundamental security principles and their implementation in computer systems.

Content: introduction to the fundamental security principles, which include Simplicity, Open Design, Compartmentalization, Minimum Exposure, Least Privilege, Minimum Trust and Maximum Trustworthiness, Secure & Fail-Safe Defaults, Complete Mediation, No Single Point of Failure, Traceability, Generating Secrets, and Usability.

Risk Management
Objective: to introduce and train methodical risk management techniques, to help identify and justify necessary risk mitigations to management.

Content: introduction to a standard risk management process (e.g. based on ISO 27005) including different approaches to risk analysis, risk assessment, risk mitigation and monitoring controls. Students must understand that risk management must cover all business processes that rely in IT in some way.

IT Security Governance (legislation/regulation/standards)
Objective: to expand theory and practise in cybersecurity with an understanding of how IT Security Governance relates to Corporate Governance aligns with the overall strategy of the organisation.

Content: introduction to security governance issues (based on ISO 27001), such as Information Security Management System (ISMS), managing security operations, awareness and security training, data management issues, business continuity planning, management of suppliers and security service providers, contingency planning and testing, and satisfying legal, regulatory and contractual obligations.

Enterprise Security Architectures
Objective: to introduce the most common elements in an Enterprise Security Architecture and provide a framework for the security engineering process of developing an Enterprise Security Architecture for both new and legacy systems.

Content: overview of common frameworks for Enterprise Security Architectures (e.g. SABSA, COBIT and TOGAF) and a working understanding of enterprise security design and implementation.

Identity and Access Management
Objective: to introduce the theoretical foundations for Identity and Access Management (IAM) and provide an overview of the most common techniques and tools in IAM.

Content: Common identity management architectures and frameworks, authentication and access control models, policies and mechanisms, including multifactor authentication, biometric systems for both identification and verification and provision, administration and enforcement of access control policies.

Application Security
Objective: to provide an overview of the most critical application security risks and introduce to proactive techniques to prevent them.

Content: application security risks (e.g. injection, sensitive data exposure, …), proactive security programming techniques.

Data Protection & Privacy
Objective: to provide an overview of privacy models and privacy protection approaches.

Content: privacy models, privacy-by-design, privacy enhancing technologies, anonymization, privacy-preserving data mining.

Trends and Technologies in Cybersecurity
Objective: to provide an overview of current trends and introduce emerging technologies in cyber security, i.e. the course provides a security technology foresight.

Content: course content will reflect current trends in cybersecurity, so topics covered in the course will change to reflect the changing challenges organisations are facing and the emerging solutions to address these challenges.

Curriculum, previous admission years

Master thesis

Project Courses

The study programme in cybersecurity includes 2 project courses, which are both scheduled in the spring semester.

Consultancy Project

The consultancy project is scheduled for the end of the 2nd semester and has a workload of 140 hours, which corresponds to 5 ECTS. The consultancy project is completed in groups, which typically consist of 4-6 students.

Master Thesis Project

The master thesis project takes up the majority of the 4th semester and has a workload of 420 hours, which corresponds to 15 ECTS. The Master thesis project is typically completed individually by the students addressing a relevant problem from the student’s own organisation. It is, however, possible for students to collaborate on a master thesis project; up to 4 students can work together on a Master thesis project.

Head of study

Christian Damsgaard Jensen

Rules for teaching

Exam rules

Credit transfers and exemptions

Head of studies
21 JULY 2024