User Tools

Site Tools


This is an old revision of the document!

Cyber Security Risk Assessment

This course is offered at the University of Trento by the security group in the framework of the Cyber Security track of the European Institute of Innovation and Technology (EIT Digital) Master School programme.

See the UniTrento Cyber Security Master Track page for further information.

Course Objectives (2017/2018)

Most CS professionals will actually use, buy, or sell security technology and make security decisions. They don't design protocols, nor crypto algorithms, they decide which security technology they are going to use. However, they are not trained to actually choose the technology. The course should teach them to chose the technology based on balancing threat and controls, costs, impact and likelihood of events. In other words the course will teach them to manage risk.

The course will introduce students to the key principles of Security Risk Assessment (Risk and Threat Analysis, Risk Assessment, Control Frameworks). The student will identify threats and the corresponding security controls appropriate for two industrial case studies.

At the end students should be able to make their own cyber risk assessment, documenting the threats and the security controls or requirements for an industrial case study


General knowledge about Security is mandatory before attending this course (for the obvious reason that you cannot chose among technologies you don't know at all). This might be obtained by attending the Master Level courses of Introduction to Computer and Network Security, Cryptography, and Security Testing at the Cyber Security track in Trento. Bachelor students from Trento might also consider the course on Reti Avanzate which provides the minimum knowledge about cryptographic protocols.

Course Material of Previous Years


  • Lecturers: Fabio Massacci
  • Teaching assistants: TBA


Other recommended texts are

Exam Modalities

The exam will evaluate the skills of the students in solving problems and the acquired knowledge of course's arguments. The exam will consists of both individual exercises to be done in the lab and a final report.

In the report students working in group or alone apply the concepts learned during the course to analyze a real case study. The report will be discussed with the lecturer and a company representative owning the case study. If the work for the report has been done in group, all the group members will normally be assigned the same mark.

  • Step-by-Step Qualita/ve RA Exercises during the course (up to 16/30)
    • Item Industrial Cases:Remote Virtual Control Tower Center (RTC)
    • Building AutomaMon by UTC (UTC)
    • These include: Identify Assets, Threats, Pre and Post Controls
  • Assess Vulnerabilities Exercise (Up to 6/30)
    • CVSS (Common Vulnerabilities Scoring System), world standard.
    • exercise 1 is to identify risk from descriptions as they arrive in a CERT Bulletin)
    • Exercise 2 is to identify risk as they apply to you on your security architecture
  • Final Project (Up to 12/30)
    • A complete detailed quantitative risk assessment of the industrial automation case study security architecture
    • Evaluation by Industry experts of UTC

Being able to defend your ideas in class is an important part of the evaluation (if you cannot explain why you chose something you get a negative vote for the relative exercise).

Classroom Registration Form

Please register to Google Classroom for assignments and notifications.

If you do not register you will not be able to submit the step-by-step assignments and therefore you will not get the correspoding grades.

Schedule and Additional Material

  • Monday - room A220 - 11:30-13:30
  • Friday - room A114 - 14:30-16:30 (up to 17:30 when practical exercises are held)
Date Topic Slides Other Material
2018-02-19 Introduction Introduction, Terminology Card FraudsID Theft Stats
2018-02-23 Risk Management Fundamentals Risk Management The SESAR SecRAM Manual is available on the Google ClassRoom. As examples of management guides COBIT 5 Book e NIST 800-30 Risk Assessment Guide and the associated NIST 800-53 Security Controls Catalog, UK IAS risk Assessment
2018-02-26 Identifying Assets and Activities to Be Protected Slides BSI Catalogues
2018-03-05 Identifying and Analyzing Threats, Vulnerabilities, and Exploits Slides ENISA Threat Taxonomy.
2018-03-12 Risk Mitigation with Security Controls Slides see above for information.
2018-03-19 UTC - Case Study Presentation See Google Classroom for the presentation US CERT's case study on Malware attacks on Industry Control Systems
2018-03-23 Mitigating Risks by post-controls for Business Continuity and Disaster Recovery Slides
2018-03-26 Discussion on Likelihood estimation See above for the IAS
2018-04-06 Visit to a SOC @ Trentino Network
2018-04-13 Introduction to Quantitative Risks cybrisk-2017-09-quantitative.pdf There are several proposals for example metrics using attack graphs, another variant available as NIST Interagency report
2018-04-16 CVSS Base Introduction Slides CVSS Original User Guide, CVSS SCoring Examples. There is also an official tutorial on CVSS, which also has an HTML transcript
2018-04-23 CVSS Environment Introduction Slides See above. Look also at PCI Compliance
2018-05-04 CVSS Environment Review
2018-05-07 Quantitative Risk Analysis II Slides

Assigned Exercises (Graded)

All assignments are assigned through Google Classroom. Students will be asked to comment in class on their assignment which must be submitted through Classroom.

Date Topic Other Material
2018-03-02 ROT Exercise - Assets Remote Virtual Tower Description
2018-03-09 ROT Exercise Threats Chris Johnson's analysis of the incidents of Linate and Uberlingen and of 114 US incidents. An article on the drone accident nearby Nogales (2006), and Washington Post's article on Drones' incidents. ABC reports of attempted voice hijacking of airplanes. Bowden's Hacking of a sewage treatment plant (FISMA study of security controls or the Court conviction). Terry Childs' refusal to pass admin rights (Court documents and discussion on CIO Magazine and on ComputerWorld)
2018-03-16 ROT Exercise - Pre Controls see above
2018-04-09 ROT Exercise - Post Controls see above

Forthcoming Lectures

Date Topic Slides Other Material
2018-04-23 CVSS Environmental (Introduction)
2018-04-07 Quantitative Risk Assessment (cont)
2018-05-14 UTC Case Study Webinar See Google Classroom There is a comprehensive tutorial on Security for ICS
2018-05-06 Presentations Review

Forthcoming Discussion in Class of Exercises (Graded)

Date Topic Other Material
2018-04-20 CVSS Base Exercise in Class (Graded - individually)
2018-04-27 CVSS Environmental Exercise in Class (Graded -individually)
2018-05-18 UTC Exercise - Qualitative Report Review
2018-05-28 UTC Exercise - Quantitative
2018-06-04 UTC Exercise - Quantitative II

Final Report

The final deliverable by June 11 should include:

  • the report summarising the finding of your security risk assessment in Google Docs format
  • security risk assessment of the case with SESAR SecRAM in Google Spreadsheets format

Please check Google Classroom for the templates and submission.

security_engineering.1526257713.txt.gz · Last modified: 2021/01/29 10:58 (external edit)