User Tools

Site Tools


Cyber Security Risk Assessment

This course is offered at the University of Trento by the security group in the framework of the Cyber Security track of the European Institute of Innovation and Technology (EIT Digital) Master School programme.

See the UniTrento Cyber Security Master Track page for further information.



Course objectives

Most CS professionals will actually use, buy, or sell security technology and make security decisions. They don't design protocols, nor crypto algorithms, they decide which security technology they are going to use. The course provides the fundamentals to chose the appropriate security technology based on balancing threat and controls, costs, impact and likelihood of events. In other words the course will teach students to manage risk.

The course will introduce students to the key principles of Security Risk Assessment (Risk and Threat Analysis, Risk Assessment, Control Frameworks) both qualitatively and quantitatively. The student will identify threats and the corresponding security controls appropriate for two industrial case studies.

Students interested in further exploring the research topics behind this area can also take a Software Project (6ECTS) or a Research Project (12ECTS) by contacting the lecturers.

Intended learning outcomes

Regular and active participation in the teaching activities offered by the course (lectures, laboratories and group work) and in independent study and project activities will enable students to:

  • understand the fundamentals of risk management;
  • identify the relevant assets and the corresponding impacts of possible threats for a moderately complex case study;
  • mitigate threats with control according to the risk appetite of a relevant stakeholder;
  • quantitatively estimate, for the particular case of cyber threats, the technical impact of vulnerabilities and the particular impact on their presence in a company's enviroment;
  • quantitatively estimate the overall risk for a large scale network.

In terms of soft skills, active participation in the group-based teaching activities will enable students to learn how to organize group work, apply problem-solving techniques, deliver a presentation, and support their results with compelling arguments.

At the end students who successfully passed the course should be able to prepare and defend a cyber risk assessment, identifying the threats and the security controls and the residual risk for an industrial case study of moderate complexity.


General knowledge about Security is mandatory before attending this course (for the obvious reason that you cannot chose among technologies you don't know). This might be obtained by attending the Master Level courses of Introduction to Computer and Network Security, Cryptography, and Security Testing at the Cyber Security track in Trento. Bachelor students from Trento might also consider the course on Reti Avanzate which provides the minimum knowledge about security protocols.

Content of the course

Month Topic
February Introduction and Methodology
Risk Management Fundamentals
Risk Methodology to be used
IND1 - First Case Study Presentation
Identifying Assets and Activities to Be Protected
March Identifying and Analyzing Threats, Vulnerabilities, and Exploits
Risk Mitigation with Security Controls
Mitigating Risks by post-controls for Business Continuity and Disaster Recovery
Discussion on Likelihood estimation
IND2 - Second Case Study Presentation by Company
April Introduction to Quantitative Risks
CVSS Base Metrics
CVSS Environmental Metrics
Quantitative Risk Analysis - Operational Risk Measures
May Review of students' reports and material
Clarification of previous arguments

During the course we will have a visit to a Security Operations Center @ Trentino Network.

Teaching Methods and Learning Activities

The instructors will use:

  • highly interactive lecture-style presentation during which students will be required to actively participate;
  • group projects given to small groups of students, who must discuss, analyze and present to the class the results achieved.

Assessment Methods and Criteria

The exam will evaluate the skills of the students in solving problems and the acquired knowledge of course's arguments. The exam will consists of both individual exercises to be done in the lab and a final report.

In the report students working in group or alone apply the concepts learned during the course to analyze a real case study. The report will be discussed with the lecturer and a company representative owning the case study. If the work for the report has been done in group, all the group members will normally be assigned the same mark.

  • Step-by-Step Qualita/ve RA Exercises during the course: 12 points
    • Identify Assets, Threats, Pre and Post Controls
  • Technical Assessment of Cyber Vulnerabilities: 8 points
    • Students will use the CVSS (Common Vulnerabilities Scoring System), world standard to identify risk
    • from descriptions as they arrive in a CERT Bulletin
    • as they apply to one's own security architecture
  • Final Project: 14 points
    • A complete detailed quantitative risk assessment of the industrial automation case study security architecture
    • Evaluation by Industry experts from the case study

A key criteria for the assessment would be the ability to identify risk assessment elements that are specific to the case study.

Being able to defend one's ideas in class is an important part of the evaluation (if a student cannot explain why s/he choses something him/her will get a negative vote for the relative exercise).

Reference and Bibliographic Material

The following books might be useful:

Other recommended texts are

Detailed Schedule and Additional Material

The precise schedule will only be available in the late winter 2019.

  • 2 hours lectures/exercises by professors
  • 2-3 hours students presentations and reviews

Past Lectures

Date Weekday Hours Topic Slides Additional materials

To be filled when the course starts.

Upcoming Lectures

Date Weekday Hours Topic Slides Additional materials

To be filled when the course schedule is known (around January).

Assigned Exercises (Graded)

All assignments are assigned through Google Classroom. Students will be asked to comment in class on their assignment which must be submitted through Classroom.

The following is a tentative schedule.

Date Topic
1 week March IND1 - Assets Identification
2nd week March IND1 - Threats Identification
3rd week March IND1 - Pre Controls Identification
1st week April IND1 - Post Controls Identification
4th week April CVSS Base Lab
1st week May CVSS Environmental Lab
2nd week May IND2 Case Study Webinar by Industry partner
1st week June IND2 Draft Report - Qualitative
Mid June IND2 Final Report - Quantitative
4th week June IND2 - students' presentations to industry partners

Final Report

The final deliverable by Mid June on case study IND2 should include:

  • the report summarizing the findings of your security risk assessment
  • the spreadsheet with the detailed security risk assessment

Please check Google Classroom for the templates and submission.

Classroom Registration Form

Please register to Google Classroom for assignments and notifications.

If you do not register you will not be able to submit the step-by-step assignments and therefore you will not get the correspoding grades.

Course Material of Previous Years

security_engineering.txt · Last modified: 2021/01/29 10:58 (external edit)