Simulating Cybersecurity Risk Using Advanced Quantitative Risk Assessment Techniques: A Teaching Case Study

Abstract

This paper; a scenario-based teaching case study, aims to introduce students in a Cybersecurity Risk Management course to advanced quantitative risk assessment techniques. The case study utilizes a fictitious company for which a risk assessment is underway. Assuming the role of the Cybersecurity Risk Team of the company, students are tasked with determining the risk exposure the company faces from a threat scenario against one of its mission-critical information resources. Specifically, the students are required to (1) quantify the monetary losses that could result from a threat scenario, (2) compute the inherited risk exposure from the threat scenario, (3) compute the residual risk given the implantation of certain security controls, and (4) compute the rate of return on the security controls. The case study holds the promise of enhancing the overall learning of the students and boosting their marketability as future cybersecurity professionals.