User Tools

Site Tools


Cyber Security Risk Assessment

This course is offered at the University of Trento by the security group in the framework of the Cyber Security track of the European Institute of Innovation and Technology (EIT Digital) Master School programme.

See the UniTrento CSE track page for further information.

Course Objectives (2016/2017)

Most CS professionals will actually use, buy, or sell security technology and make security decisions. They don't design protocols, nor crypto algorithms, they decide which security technology they are going to use. However, they are not trained to actually choose the technology. The course should teach them to chose the technology based on balancing threat and controls, costs, impact and likelihood of events. In other words the course will teach them to manage risk.

The course will introduce students to a number of methodologies for Security Management (Risk and Threat Analysis, Risk Assessment, Control Frameworks). The student will identify threats and the corresponding security controls appropriate for an industrial case study.

At the end students should be able to make their own cyber risk assessment, documenting the threats and the security controls or requirements for an industrial case study


  • Lecturers: Fabio Massacci
  • Teaching assistants: TBA


Exam Modalities

The exam will evaluate the skills of the students in solving problems and the acquired knowledge of course's arguments. The exam will consists of both classroom exercises to be done in the lab and a final report.

In the report students working in group or alone apply the concepts learned during the course to analyze a real case study. The report will be discussed with the lecturer and a company representative owning the case study. If the work for the report has been done in group, all the group members will normally be assigned the same mark.

Classroom Registration Form

Please register to Google Classroom for assignements and notification.

Schedule and Additional Material

  • Tuesday - room B103 - 11:00-13:00
  • Wednesday - room B103 (labs in A201) - 14:00-16:00 (up to 17:00 when practical exercises are held)
Date Topic Slides Other Material
2016-09-14 Introduction Admin. Introd., Security Terminology Card FraudsID Theft Stats
2016-09-20 Risk Management Fundamentals RA Introd. There is one exercise on Google Classroom. To understand risks, try also doing this exercise in Epidemiology
2016-09-21 Comprensibility Exercise See Google Classroom See Google Classroom
2016-09-27 Developing a Risk Management Plan and Performing a Risk Assessment Slides The SESAR SecRAM Manual is available on the Google ClassRoom. As examples of management guides COBIT 5 Book e NIST 800-30 Risk Assessment Guide and the associated NIST 800-53 Security Controls Catalog.
2016-09-28 Exercise on Risk AssessmentSee Google Classroom
2016-10-04 Identifying Assets and Activities to Be Protected SlidesChapter 7: Identifying Assets and Activities to Be Protected. Terry Childs' refusal to pass admin rights (Court documents and discussion on CIO Magazine and on ComputerWorld)
2016-10-04 Remotely Operated Virtual Tower See Google Classroom The scenario desription is on Google Classroom.
2016-10-05 RVT Exercise - Assets See Google Classroom Chris Johnson's analysis of the incidents of Linate and Uberlingen and of 114 US incidents. An article on the drone accident nearby Nogales (2006), and Washington Post's article on Drones' incidents
2016-10-11 Identifying and Analyzing Threats, Vulnerabilities, and Exploits cybrisk-2016-08-threats-vulns-exploits.pdf Chapter 8: Identifying and Analyzing Threats, Vulnerabilities, and Exploits. Threat, vuln and exploit assessment. Review public penetration testing reports from the industry for a practical perspective on the material seen in class: If you want to get your hands “dirty” with some guided pentesting, see Rapid7's Metasploitable 2 Exploitability guide here:
2016-10-12 RVT Exercise - Threat See Google Classroom Bowden's Hacking of a sewage treatment plant (FISMA study of security controls or the Court conviction). ABC report of attempted voice hijacking of airplanes.
2016-10-18 Identifying Controls cyberrisk-2016-08-controls.pdf Chapter 9: Identifying and Analyzing Risk Mitigation Security Controls. See also last year's slide on controls Identity Management, Access Control Models, Cryptography, Authentication, Web Application Security, Database Security, Network and Infrastructure SecurityO.S. Security, as well as Ross Anderson Book.
2016-10-19 RVT Exercise - Pre-Controls See Google ClassroomReport on the frauds by John Rusnak and by Jerome Kevriel as (INSEAD Case study or the offical report). Information on the importance of protecting keys and certificates for Diginotar Failure and additional details in FoxIT security report
2016-10-25 Mitigating Risk with a Business Continuity and Disaster Recovery Plan Slides For a discussion on Dyn Attacks in the USA see Monday 24/10 lecture of Offensive Technologies
2016-10-26 RVT Exercise - Post-Controls See Google Classroom See Exercise 1 Assignment in Google Classroom
2016-11-02 RVT Full fledged Exercise See Google ClassroomSee Exercise 2 Assignment in Google Classroom
2016-11-08 Managing Risk: Threats, Vulnerabilities, and Exploits - CVSS Base Slides CVSS Base Note: Scoring slides are updated with comments for each metric. Official scores with additional information reported. CVSS Specification documentation:
2016-11-09 CVSS Base Exercise
2016-11-15 Managing Risk: Threats, Vulnerabilities, and Exploits - Network CVSS Env + Temporal
2016-11-16 CVSS Environmental
2016-11-22 Case Study Presentation Please see Google Classroom for the material, the report format and how to submit clarification issues
2016-11-23 Detailed feedback Slides
2016-11-29 understanding Internet Evidence for Risk assessment
2016-11-30 Mitigating Risk with a Business Impact Analysis
2016-12-06 Quantitative approaches to risk - Part 1 Slides
2016-12-07 Quantitative approaches to risk - Part 2 Slides Verizon DBI Reports: 2013, 2014, 2015, 2016; Verizon dataset: XLSX. See Google Classroom for MATLAB script.
2016-12-13 Visit to a SIEM @ Informatica Trentina Registration is Mandatory. Please see Google Classroom
2016-12-14 G. Woo (Risk Management Solutions) Slides from Dr. Gordon Woo Lecture starts at 14:30.
2016-12-20 Students Presentations See Google Classroom for the registration.
2016-12-21 Students Presentations See Google Classroom for the registration.

Forthcoming Lectures

Date Topic Slides Other Material

Final Report

The final deliverable by January 11 should include:

  • the report summarising the finding of your security risk assessment in Google Docs format (CybSec-2016-Report-template)
  • security risk assessment of the case with SESAR SecRAM in Google Spreadsheets format (SecRAM-template).

Please check Google Classroom for the templates and submission.

security_engineering_2016.txt · Last modified: 2021/01/29 10:58 (external edit)