I am pleased to announce our collaboration with Boise State University College of Engineering Cyber Operations and Resilience (CORe) Program to develop the Cybersecurity Risk Quantification course. CORe has been rated a 2023 top cybersecurity program by Forbes Magazine
A special thanks to Sin Ming Loo, Ph.D. Program Director for agreeing to open this course up to cyber professionals and offering continuing education units. Thank you!
I believe this is the first course of its kind being offered to undergraduates, graduates, and cyber professionals.
This is not a lecture series; it's a hands-on skills development course. Students will be involved in every aspect of cybersecurity risk quantification.
This course is based on my years of experience providing cybersecurity risk quantification services for the Nuclear Regulatory Commission (NRC). It also includes a complete set of models and proven methods that are easy to understand and use. In fact, no prior experience is required. With these models, you can complete basic and advanced analyses.
The course is designed for undergraduate, graduate and professional development. There are seven modules, six of which include student work with the last module reserved for presentations of student projects.
Each module includes:
- Concepts and Terminology, and knowledge check
- Case studies and exercises. and knowledge check.
- Course Project content and knowledge check.
There is also a YouTube channel with additional presentations and workbook demonstrations and additional readings linked at the bottom of this page.
Module 1: Introduction to Cybersecurity Risk Quantification
Getting started with risk quantification can be challenging so we start with the basics. You'll learn how to use a 5-point scale from Very High to Very Low and establish some basic ranges. You'll get a worksheet that while simple, is the foundation for everything else you'll ever learn about quantifying risk. Threat x Likelihood = Risk is the foundational formula for everything we do in this class. By the end of module 1 you will creating initial estimates and quantifying risk. In this module you are given a packet of information providing the background and interview notes for the organization you will be working with and for which you will develop your end-of-course analysis presentation.
Module 2: Vulnerability Analysis
One of the easiest ways to estimate threat is by using existing vulnerability data. That's why the second thing you'll learn is how to rapidly analyze vulnerability data. You will focus on identifying those vulnerabilities most likely to be leveraged against you in a cyber attack. Specifically you will find those vulnerabilities leading to initial access or privilege escalation. This is one of the most powerful methods as it helps you prioritize vulnerability remediation based on real risk. In your course project work you will be analyzing data for your end-of-course analysis.
Module 3: Attack Analysis
Now that you can analyze vulnerabilities and generate initial estimates we will focus on attack analysis. Everyone want to be able to answer the question of "what's my risk from an attack". In this module you will learn the process for applying what you've learned in modules 1 and 2 to answer this question. In your project data you will quantify the risk of cyber attack based on the vulnerabilities in the sample organization. This will be included in your end-of-course presentation.
Module 4: Probabilistic Methods
In this module you will be given the basic probabilistic equation calculator. You will also get two advanced modesl; the probability tree and the Bayesian model. All the tools and models you receive work togehter or independently and are all build upon the same foundations you learned in Module 1. With these models you can provide more indepth analysis of questions like "what's the likelihood of a data breach given that we received a phishing emails", or "how probable was my initial estimate and should I consider revising it". In your course project work you will explore these tools as options to the analysis you've already performed.
Module 5: Monte Carlo and FAIR
In this module you will continue to build on what you learned in Module 1 and now you will be able to turn you Module 1 intiail analyses into probability charts using the Monte-Carlo tool. You will also work with the Factor Analysis of Information Risk (FAIR) model which is a series of Monte-Carlo simulations. This model will help you understand and calculate financial impacts. In your project data you will calculate financial impact for the ficticious organization which you will include in your final presentation in Module 7.
Module 6: Communicating Risk
In this module you will prepare your final project presentation. You will learn some basic best practices for organizing and presenting analysis.
Module 7: Final Project Presentations
In this module you will record and post your Course Project Presentations. You will explain the methods you applied to analyzing the data, present your findings and recommendations.
