14-817 Cyber Risk Modeling

Location: Pittsburgh

Units: 12

Semester Offered: Fall

Course description

There are too many cybersecurity risks to manage them all informally. You need a plan! Risk management and threat analysis give structure to organizational security decisions. This course helps you learn how to prioritize risks, secure data assets, and communicate your security knowledge. This is not a programming class, but it requires basic statistics (e.g. Monte Carlo analysis, which you will learn or review). Major topics include legal compliance, threat modeling, MITRE ATT&CK, the Common Vulnerabilities and Exposures database, and popular risk frameworks (STRIDE, PASTA, NIST, etc.). Those seeking roles where they will work with or become a CISO, risk officer, or risk analyst will benefit most from this course.

By the end of the course, students should be able to:

  • Communicate the strengths, weaknesses, and limitations of a risk-based approach to security management, both to other security professionals and to non-technical decision makers.
  • Prioritize the most important assets to defend against attacks within a given system or organization.
  • Categorize the likelihood of different types of risks, and work with uncertainty, estimation, and probabilistic models based on qualitative and quantitative data.
  • Perform threat analysis for common computing scenarios using frameworks such as PASTA and NIST.
  • Validate, monitor, update, and iterate risk plans over time.
  • Make appropriate recommendations to accept, mitigate, or insure against risks, with accompanying written analysis to support your recommendations.
  • Demonstrate understanding of security within the broad context of an organization by role-playing the concerns of different stakeholders.
  • Present a request for resources to your fictional management in order to address threats, including financial modeling, a clear presentation of the relative probabilities and magnitudes of different threats, and specific mitigation plans. Develop the ability to convey technical concepts to non-technical stakeholders and to anticipate their likely concerns.

Joanne Peca