Risk Analysis and Management

A.Y. 2018/2019
Max ECTS: 6
Overall hours: 48
SSD: INF/01
Language: Italian
Learning objectives
The main goal of this course is to provide students with a wide overview of Risk Analysis, a field characterized by strong multidisciplinarity and a long tradition in areas such as Economics, Finance, Business Management, Public Health and Infrastructures. Within Computer Science, the study and application of Risk Analysis principles are recent and often limited to some aspects of information system management. The aim of this course is therefore to familiarize students with Risk Analysis and Management principles and methods, providing them with the analytical and conceptual means for analyzing complex phenomena in the area of information security, evaluating technical aspects and technologies, and learning how to adopt standard information security management practices in a corporate environment.
Expected learning outcomes
Students learn to analyze international reports about information security.
Risk Analysis is introduced through some essays both from computer science studies and other disciplines in which Risk Analysis has a longer history.
The Expected Utility Model is presented in its most relevant theoretical aspects, followed by behavioral-based Prospect Theory. Through these models of decision under risk, students learn about modelling and quantitative analysis.
Next, qualitative methods are introduced: ranking systems and the risk matrix. Their applicability and limitations are analyzed through some case studies. Learning these methods is useful to students given their wide adoption in corporate analyses and in the consulting sector.
Some of the most widely adopted international standards for information security management are presented, in particular PCI-DSS and the standards of the ISO/IEC 27000 and 31000 families. In addition, the recent CVSS v3 for software vulnerability scoring is discussed.
Single course

This course cannot be attended as a single course. Please check our list of single courses to find the ones available for enrolment.

Course syllabus and organization

Single session

Lesson period
First semester
ATTENDING STUDENTS
Course syllabus
1. Survey as information sources
2. Definitions and the information security context
3. Classic Risk Analysis: The Expected Utility Model
4. Beyond the classic model: Prospect Theory
5. Common Vulnerability Scoring System (CVSSv3)
6. Qualitative methods and heuristics
7. International standards for security risk management

NON-ATTENDING STUDENTS
Course syllabus
1. Survey as information sources
2. Definitions and the information security context
3. Classic Risk Analysis: The Expected Utility Model
4. Beyond the classic model: Prospect Theory
5. Common Vulnerability Scoring System (CVSSv3)
6. Qualitative methods and heuristics
7. International standards for security risk management

INF/01 - INFORMATICS - University credits: 6
Lessons: 48 hours
Professor: Cremonini Marco