PH: (518) 956-8323
FX: (518) 442-2666
Business Building 311
1400 Washington Ave.
Albany, NY 12222

INF 740: Information Security Risk Assessment

Download Spring 2007 syllabus: inf740syllabus.pdf

Instructor Information

Sanjay Goel picture Sanjay Goel
Office: BA 310b
Hours: M 11:30AM-1:00PM & by appt.
PH: (518) 442-4925
FX (518) 442-2568


Call #:8943


Course Website: The course website is located at: You must click on "West Lafayette Open Campus" to access the proper site. Click on "Log In" and sign in using the User name and Password assigned to you via email.

Readings: Reference readings will be posted at the end of each presentation. Available readings will be accessible via You must click on "Electronic Reserves & Reserve Pages" and then type in "INF740" in the empty box. Click under the Course Number section (which is hyperlinked) you will be asked to input a password. The password to access this information will be provided via email and is case-sensitive. All of the readings is divided by Unit and contains readings in .pdf format or web links to readings.

Reference Books:
Secrets & Lies by Bruce Schneier
Hackers Beware by Eric Cole


This course provides students with an introduction to the field of information security risk assessment. Initially, the students will be introduced to basic definitions and nomenclature in the area of security assessment. Thereafter they will be taught different approaches for assessment of risk. The course will incorporate cases in risk analysis derived from state and law enforcement agencies. Students will learn how to use a risk analysis matrix for performing both quantitative and qualitative risk analysis. As a part of the course, students learn of the different threats that they need to incorporate in their risk analysis matrices.


This course is being offered as an online course through the help of CERIAS and Purdue University. However, the intent of the course is to provide students with an interactive learning environment through instructor audio, discussion groups, and interactive quizzes. The purpose of the course is to train students in the practice of risk analysis by elucidating the concepts through examples and case studies. Students are expected to use critical thinking skills as they go through the material rather than accepting facts at face value. Even though the course is spread over 2 weeks, it is important that students stay on schedule so that they can participate with other students in discussions.

The class should require approximately 40 hours of work. This should work out to roughly 15 hours of video and lecture material, 2 hour worth of quizzes, 4 hours for discussion postings, 12 hours for the final project, and 7 hours of readings.


It is assumed that students will come in with varied backgrounds in information systems so the class will start with a general background of computer security. It would be helpful if students have some knowledge of the following topics:
  1. Computer Networks
  2. Computer Architecture
  3. Software Design
  4. Statistical and Probabilistic Analysis


Students should be able to:
  1. Understand the basic nomenclature and definitions of risk analysis
  2. Develop a work plan for executing a risk analysis in the organization
  3. Understand the various threats to information assets in the organization
  4. Identify and valuate assets
  5. Determine exploitable vulnerabilities
  6. Determine threats to an organizational system
  7. Recommend controls to mitigate risk
  8. Aggregate the data qualitatively and quantitatively to perform risk analysis


Quizzes- 20% : Please work individually on all quizzes. A quiz will be offered after each Unit is completed. Please go to the Toolbar and click "Other Tools". Select "Assessments" and you will see the quiz for the appropriate Unit. This will be graded automatically via WebCT.

Discussion Postings- 30% : Even though this is an online course, it is expected that students will be able to learn from each other and participate in a discussion. To promote this, you will be assigned discussion postings, which will be graded. Discussions will be able to be created and viewed by going to the "Discussions" link on the top right hand corner of the page. In addition, they will generally be due on Wednesday and you should give a response to someone else's posting should be up by the Sunday of that week.

Project- 50% : The end of semester project involves the use of both qualitative and quantitative risk analysis methodologies described within the lecture and should be due after the end of the class on April 15, 2007. through the WebCT interface (taking into account the other course students are also taking. To do this, go to "Other Tools" on the Toolbar on the right-hand corner and click on "Assignments". Select "Risk Analysis Project". This should be done based on your own existing organizations (or another real organization). Make sure to scope the work appropriately.

First, collect the data on assets, threats, vulnerabilities, and controls. Use the spreadsheet provided to fill in the three matrices based on the qualitative data collected:
  • Asset & Vulnerabilities
  • Vulnerabilities & Threats
  • Threats & Controls
Compute the values of the assets for the asset-vulnerability matrix and then find relative associations between assets-vulnerabilities, vulnerabilities-threats, and threat-controls. You will need to figure out the impacts and probabilities based on the information you can gather from co-workers or other sources to come up with the best estimates possible. Remember that this information should not be the average of opinions, but should be a result of consensus. Make sure to write the reasoning behind the values you came up with similar to the case presented.

Use the methodology in the lecture notes (and recommended readings) to cascade the values from one matrix to the other to compute the relative impact of different vulnerabilities, threats, and controls. You may choose any scale that you like (e.g. 0, 1, 3, 9) to reflect the associations between different parameters. Finally, compute the costs of the controls and perform a cost-benefit analysis.

After performing the qualitative risk analysis, perform a quantitative analysis by filling in the matrices with the appropriate numeric data. It is not expected that you will necessarily get the most accurate data, however, make the best estimates possible based on other data (references should be listed). Compute and cascade the values from one matrix to the other. Then compute the cost of the controls and optimize the final security posture.

Copyright © 2013, Sanjay Goel. All Rights Reserved.