Introduction
Our Story
When I needed to do this work for my client, the Nuclear Regulatory Commission, I had to hire a mathematician to teach me the math, then find a tool and build models to do the work. That’s when I realized there is a massive gap in our industry. This is my effort to bridge that gap by bringing Open Educational Materials to high schools and colleges.
This work has been a labor of love. I have to thank all those involved, from the earliest idea to the final product.
Special thanks to Jeffrey Negus, my first teacher. I hope you are proud of what I’ve done. Special thanks to Mark Kosfeld for all your work on the models. You were so patient with all the edits and design changes. I couldn’t have done this without you. Thanks to Sandy Dunn. Your enthusiasm for this work was energizing. Without your involvement, this textbook would never have been conceived. Thank you for introducing me to Dr. Sin Ming Loo. Dr. Loo, thank you for the opportunity to develop this course as part of the Boise State Cyber Operations and Resilience (CORe) program. It is truly a unique program, and Forbes Magazine was right to include CORe in the top Cyber Programs! Thanks to Eli Taylor for helping me with the rewrite. Thank you for your endless quiz questions and all our engaging discussions.
To my husband, I can only say thank you for all your patience and support. You know that I love you.
Any errors in this work are my own. If you would like to help me improve the work by correcting errors or making suggestions, I will happily add your name to this page. You can reach me at https://cyberriskmodels.com/contact.
How This Course Is Organized
This textbook is designed for delivery of a 7-week course. It includes a companion Excel workbook that contains the tools and models discussed in the textbook. You can download the Excel workbook at https://cyberriskmodels.com/crq-open-education. Additional resources are listed in the Additional Resources section.
This textbook has six modules (chapters), one for each of weeks 1-6 of the course. There is no week 7 module, as the final week of the course is reserved for student presentations of their course projects. Each module has three sections: Concepts and Terminology, Examples and Case Studies, and Course Project. Modules are designed to be delivered in sequence, as each module builds on the ones before it. The examples and case studies expand on the module concepts, providing additional tips and insights into hands-on implementation. Exercises and case studies are designed to prepare students to complete that week’s portion of their course project.
Module 1 provides students with a history and an overview of Cybersecurity Risk Quantification. It introduces students to the concept of a 5-point scale and 3-point range values for describing and quantifying risk. These foundational concepts are carried throughout the textbook. Students receive background information for their course project, which includes corporate information and interview notes on a fictitious company.
Module 2 introduces students to vulnerability data analysis. Students will learn how to “tag” vulnerability data to identify the vulnerabilities most likely to be exploited at various attack stages, including initial access and privilege escalation. They will also work with vulnerability data directly and learn how to draw additional insights from it.
Module 3 introduces students to a simple attack analysis model. Students will combine what they have learned in modules 1 and 2, apply what they learned about the 5-point scale and 3-point ranges, and use vulnerability data analysis to generate initial risk estimates. This is a basic method for estimating risk.
Module 4 introduces students to the math of probability. Students will use the Excel workbook tools and models to calculate probabilities of independent and dependent events. Students will learn how to use probability trees and Bayesian inference to refine an initial estimate into a more precise one. These are advanced methods for estimating risk. The examples and case studies in this module demonstrate how these advanced methods are related and how the workbook is designed to combine them easily.
Module 5 introduces students to the Factor Analysis of Information Risk (FAIR) standard, and the Excel workbook provides a fully functional FAIR model for their use. FAIR decomposes risk into factors such as loss event frequency and loss magnitude; each factor is estimated as a range, and the model combines those ranges through Monte Carlo simulation to produce probability distributions of annual loss. In addition, students are given a set of Monte Carlo simulations and probability distributions for ad hoc analysis.
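The following is an added illustration of the idea behind Modules 1, 4 and 5, not code from the textbook or its Excel workbook: three-point (min, most likely, max) estimates for loss event frequency and loss magnitude are sampled with a triangular distribution, the number of loss events in a simulated year is drawn from a Poisson distribution, and the resulting annual losses are summarized as percentiles. The estimates, the function names and the choice of triangular and Poisson distributions are assumptions made for this example; the workbook’s own model may use different distributions.

```python
import math
import random
import statistics

# Constructed three-point estimates (min, most likely, max). These are
# placeholders for this example, not values from the textbook or workbook.
LOSS_EVENT_FREQUENCY = (0.1, 0.5, 2.0)          # loss events per year
LOSS_MAGNITUDE = (50_000, 200_000, 1_500_000)   # dollars per loss event


def sample_triangular(rng, estimate):
    """Draw one value from a triangular distribution over (min, mode, max)."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def sample_poisson(rng, rate):
    """Number of events in one year at the given rate (Knuth's method).

    Adequate for the small rates used here; a library routine would be
    preferable for large rates.
    """
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < threshold:
            return count
        count += 1


def simulate_annual_loss(frequency, magnitude, iterations=10_000, seed=1):
    """Monte Carlo simulation: one annual loss figure per iteration.

    Each iteration draws a loss event frequency, turns it into a count of
    events for the year, and sums a separately drawn magnitude per event.
    """
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        rate = sample_triangular(rng, frequency)
        events = sample_poisson(rng, rate)
        annual_losses.append(
            sum(sample_triangular(rng, magnitude) for _ in range(events))
        )
    return annual_losses


def summarize(samples):
    """Percentiles and mean of the simulated distribution."""
    ordered = sorted(samples)

    def percentile(p):
        index = min(len(ordered) - 1, int(p * len(ordered)))
        return ordered[index]

    return {
        "p10": percentile(0.10),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "mean": statistics.fmean(ordered),
    }


if __name__ == "__main__":
    losses = simulate_annual_loss(LOSS_EVENT_FREQUENCY, LOSS_MAGNITUDE)
    for name, value in summarize(losses).items():
        print(f"{name}: ${value:,.0f}")
```

The percentiles, rather than the mean alone, are what Module 6 will ask students to communicate: a decision maker needs to see that most simulated years lose little or nothing while a small share of years carry most of the loss. Changing the seed or the iteration count shifts the reported figures slightly, which is itself a useful point about the precision of a simulated estimate.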
Module 6 prepares students to deliver their risk analysis and covers some best practices for communicating risk effectively.
Additional Resources
Companion YouTube videos are available at https://www.youtube.com/@CyberRiskModels
Additional models and materials are downloadable at https://cyberriskmodels.com/crq-open-education.
The online version of this textbook is available at https://boisestate.pressbooks.pub/cybersecurityriskquantification/.
The companion Excel base toolkit CyberRiskModels – Open Educational Toolkit 2024 v2.0 is available at https://cyberriskmodels.com/crq-open-education.