Foundations of Risk Analysis
2009-2010 - IMT6061 - 5 ECTS

Expected learning outcomes

Having completed the course, the student should have acquired skills to be capable of critical analysis, evaluation and synthesis of ideas and concepts relating to risk analysis.


  • Classifications of Risk Analysis methods
  • Examples of Risk Analysis Methods.
  • Decission theory
  • Risk, Threat and vulnerability discovery
  • Uncertainty
  • Game theory

Teaching Methods


Form(s) of Assessment


Form(s) of Assessment (additional text)

  • Written exam (alternatively oral exam): 51%
  • Projects: 49%.
  • Both parts must be passed.

Grading Scale

Alphabetical Scale, A(best) – F (fail)

External/internal examiner

Evaluated by external and internal examiner.

Re-sit examination

The whole subject must be repeated.

Examination support

Approved calculator

Coursework Requirements


Teaching Materials

Books, articles and WEB resources such as

RA method classification

Douglas J. Landoll. The security risk assessment handbook, p. 8-15. CRC. 2005.

Bornman, G, and Labuschagne, L, 2004, A comparative framework for evaluating information security risk management methods, In proceedings of the Information Security South Africa Conference. 2004,

Vorster, A. and Labuschagne, L. 2005. A framework for comparing different information security risk analysis methodologies. In Proceedings of the 2005 Annual Research Conference of the South African institute of Computer Scientists and information Technologists on IT Research in Developing Countries (White River, South Africa, September 20 - 22, 2005). ACM International Conference Proceeding Series, vol. 150. South African Institute for Computer Scientists and Information Technologists, 95-103.

ENISA. Inventory of risk assessment and risk management methods. Deliverable 1, Final version Version 1.0, 0/03/2006

Campbell and Stamp. A classification scheme for Risk Assessment Methods. Sandia Report. SAND2004-4233.

RA method examples


NIST SP 800-42, p3.1 - 3.21, 4.1- 4.3, C.1-C.9

NIST SP 800-30. p8-27

OECD, “OECD Guidelines for the Security of Information Systems and Networks -- Towards a Culture of Security.” Paris: OECD. July 2002. P 10-12

ISO/IEC 27005:2008(E) Information technology - Security techniqueues - Information security risk management

Decision theory

Sven Ove Hansson. Decision Theory - A brief introduction. 2005

Sven Ove Hansson. Fallacies of Risk

Risk Threat and Vulnerability discovery

ISO 27005, Annex C,D

Ed Yourdon. Just enough Structured Analysis. Chapter 9, Dataflow diagrams. + 'How to'.

The vulnerability assessment and mitigation methodology. Chapter 1-4, p. 1-36. MITRE technical report..


Lindley, Dennis V. (2006-09-11). Understanding Uncertainty. Wiley-Interscience. ISBN 978-0470043837

H. Campbell. Risk assessment: subjective or objective? Engineering science and education journal, 7:57 -63, 1998.

F. Redmill. Risk analysis-a subjective process? Engineering Management Journal. Apr 2002. Volume: 12, Issue: 2. p. 91-96

Game theory

Stanford Encyclopedia of Philosophy . Game theory. Available from

Fudenberg, Drew & Tirole, Jean (1991), Game theory, MIT Press, ISBN 978-0-262-06141-4 , Chapters 1,3,6,8

Additional information

There is room for 50 students for the course.