4TU.CybSec Syllabus Cyber Risk Management (CRM)

Credits: 5EC

Prerequisites: None

Motivation: The challenge of selecting the optimal technical, organisational, legal, and other preventive and repressive measures to reduce cyber risks to acceptable levels can only be understood in the context of the application of Cyber Risk Management. Risk Management is about analysing the relationships between threats, incidents and risks (here in the complex world of cyberspace), based on which an adequate set of countermeasures can be designed.

Synopsis: Risk (= the potential of losing something of value) can manifest itself in cyberspace in all kinds of ways: values at stake are financial wealth, health, physical condition (of people, materials, goods, infrastructures, etc.), well-being, reputation, privacy, trust, etc.

Based on a conceptualisation of cyberspace and its various sub-domains (discussed in the project week of year 1), we introduce both qualitative and quantitative risk assessment approaches, illustrated with case studies related, among others, to a set of well-known real-world cyber security incidents. In addition, technical and non-technical cyber risk mitigation strategies are introduced and discussed.

Aim: To obtain knowledge, understanding and skills with respect to

Learning outcomes: The student will acquire:

Lecturers: Prof. Dr. Pieter van Gelder (TUD)

Examination: There is a written exam at the end of the course.

Contents: Cyberspace and its various sub-domains and layers (recap); dependencies on IT and related risks; DigiNotar, Stuxnet, the KPN hack, and other big cyber incidents; bowtie model, vulnerabilities, barriers; cyber threats; fault and attack trees; APTs; cyber incidents; impact scenarios and cascading effects; cyber risks of all kinds expressed in the loss of various values; risk metrics; prioritisation of risks; security-by-design principles; principles of technical preventative measures (IAA principles, mechanisms & tools; software quality; architectural decomposition; redundancy; firewalls, scanning tools; predictive analytics) and non-technical preventative measures (risk policies, organisational measures, awareness training); fundamentals of technical repressive measures (monitoring & analytics, data & information sharing tools, IDS; SOCs) and non-technical repressive measures (disaster recovery and crisis management); cyber security as a societal problem, nationally and internationally (institutional arrangements); cyber security standards (and their current shortcomings).

Core text: Various papers from the literature.