Teaching case study: introducing quantitative risk assessments in a cybersecurity risk management course

Despite the recent development of rigorous quantitative approaches for cybersecurity risk assessment, much of the focus in the pedagogical materials remains on teaching qualitative and semi-quantitative assessment approaches. To help fill this gap, this paper provides a scenario-based teaching case that introduces students in a Cybersecurity Risk Management course to FAIR; an advanced quantitative framework for risk assessment. The case study utilizes a fictitious company, for which a risk assessment is underway, and requires the students to use the FAIR framework to determine the risk exposure that the company faces from a threat scenario against one of its mission-critical information resources.