Risk Analysis and Management

A.Y. 2022/2023
Overall hours
Learning objectives
The objective of the course is to provide students with a wide overview on Risk Analysis, which is characterized by strong multidisciplinarity and a long tradition in fields like Economy, Finance, Business Management, Public Health and Infrastructures. The aim of this course is then to familiarize students with Risk Analysis and Management principles and methods, providing them with analytical and conceptual means for analyzing complex phenomena in the area of information security, evaluating technical aspects and technologies, and approaching how to adopt standard management practices of information security in a corporate environment.
Expected learning outcomes
At the end of the course, the student should be able to demonstrate a sound understanding of risk analysis principle, and in particular ISO31000:2018 international guideline. He / she will have to possess an appropriate vocabulary in the domain of risk management and understand the interrelationships that characterize the discipline with greater depth regarding the issues relating to IT security
Course syllabus and organization

Single session

Lesson period
First semester
Course syllabus
The teaching will cover the following topics: enterprise information systems, information security, introduction to management systems and international best practices, risk management with ISO 31000, information security management systems with ISO/IEC 27000:2018, the risk management process, threat database, security controls. In addition, some vertical insights on opportunities, risks and recommendations of digital transformation (cloud, IoT, artificial intelligence) and finally on the role of the Chief Information Security Officer.
Prerequisites for admission
There are no mandatory prerequisites to participate in this course but given the subject matter it is useful to have a knowledge of information systems of public and private companies, hacker threats, vulnerabilities of hardware/software infrastructures and security measures to protect corporate assets.
Teaching methods
The teaching will be based on lectures and external testimonies from professionals from the world of work. Students will be invited to study collateral topics and volunteers will be able to present their work during the lessons with short interventions.
Teaching Resources
The reference texts are:
Diego Fiorito; Risk management: how to achieve personal and business goals. ISBN 9798686535879 / Except chapter III (pages 59-70).

Ioannis Tsiouras; Risk Management - La norma ISO 31000:2018. ISBN 978889114981. In Italian.

ISO 31000:2018; Risk management — Guidelines. https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en

ISO/IEC 27000; Information technology — Security techniques — Information security management systems — Overview and vocabulary. https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

Cesare Gallotti; Sicurezza delle informazioni (edizione del 2022). ISBN 9791220888196 (e-book) e 9791220388450 (cartaceo) https://www.cesaregallotti.it/libro.html in italiano.
Cesare Gallotti; Information Security (2022 edition). ISBN 9791220888851 (e-book) and 9791220388474 (hardcopy) https://www.cesaregallotti.it/libro-ENG.html (alternativa in inglese).

Optional books:
Clusit Community for Security; I primi 100 giorni del Responsabile della Sicurezza delle Informazioni. https://100giorni.clusit.it/#/ (in Italian)
Clusit Community for Security; The first 100 days of the Information Security Manager. https://100days.clusit.it/#/Download (in English)

Clusit Community for Security; Rischio digitale Innovazione e Resilienza. https://risk.clusit.it/ solo in italiano (just in Italian)

Alan Calder; NIST Cybersecurity Framework. A pocket guide. ISBN 9781787780408
Assessment methods and Criteria
Verification of learning will be through an oral exam. The assessment will strongly consider the correct use of terms and definitions of ISO 31000:2018, the ability to document some hypothetical business risk scenarios, and the understanding of information security (ISO / IEC 27000: 2018).
INF/01 - INFORMATICS - University credits: 6
Lessons: 48 hours
Professor: Vallega Alessandro
Educational website(s)