Cyber Risk Management - Grading and materials
The grade for the course is based on the mid-term exam (50%) and the assignment (50%). Both grades need to be at least 5.0 to get a final grade for the course. The grade for the assignment consists of the presentation (30%) and the paper (70%).
The exam is closed-book; no materials allowed. The exam covers all mandatory videos, literature, and lectures/slides. Example questions can be found in the slides.
Mandatory online video material
This is the final list of materials. A reading guide is available.
All articles are available through the TUDelft library / via the TUDelft network unless stated otherwise. For information on access from other locations, see link.
- Jack A. Jones (2005). An Introduction to Factor Analysis of Information Risk (FAIR). Risk Management Insight.
- Jan van den Berg et al. (2014). On (the Emergence of) Cyber Security Science and its Challenges for Cyber Security Education. In: NATO STO-MP-IST-122.
- Norman Fenton and Martin Neil (2012). The Need for Causal, Explanatory Models in Risk Assessment. Chapter 2 of Risk Assessment and Decision Analysis with Bayesian Networks (pp. 31-50). CRC Press.
- Louis Anthony Cox, Jr. (2009). Game Theory and Risk Analysis. Risk Analysis 29(8), 1062-1068.
- Wolter Pieters (2013). Defining "The Weakest Link": Comparative Security in Complex Systems of Systems. In Cloud Computing Technology and Science (CloudCom), 2013 IEEE 5th International Conference on (Vol. 2, pp. 39-44). IEEE.
- Matt Rosenquist (2009). Prioritizing Information Security Risks with Threat Agent Risk Assessment. IT@Intel White Paper.
- Ayse Morali, Emmanuele Zambon, Sandro Etalle and Roel Wieringa (2010). CRAC: Confidentiality Risk Assessment and IT-Architecture Comparison. In: Proceedings of the 6th International Conference on Network and Service Management (CNSM 2010), 25-29 Oct 2010, Niagara Falls, Canada.
- William H. Sanders (2014). Quantitative Security Metrics: Unattainable Holy Grail or a Vital Breakthrough within Our Reach? IEEE Security & Privacy 12(2), 67-69.
- Wes Sonnenreich, Jason Albanese and Bruce Stout (2006). Return On Security Investment (ROSI): A Practical Quantitative Model. Journal of Research and Practice in Information Technology, 38(1).
- Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). A model for evaluating IT security investments. Communications of the ACM, 47(7), 87-92.
- Labunets, K., Massacci, F., Paci, F., Marczak, S., & de Oliveira, F. M. (2017). Model comprehension for security risk assessment: an empirical comparison of tabular vs. graphical representations. Empirical Software Engineering.
Slides and lectures (mandatory)
For those who don't have access to Brightspace, the slides are available at this site.
Videos of the lectures can be found at Collegerama (NetID required, course code SPM5442).
Tools (as an exercise to practice with the concepts)
- ADTool for attack-defense trees