Foundations of Risk Analysis
2008-2009 - IMT4771 - 5sp

Expected learning outcomes

After the course, students should have:
- an advanced understanding of the assumptions and models on which risk analysis methods are based.
- a deep understanding of how different assumptions/models influence the outcomes of different risk analysis methods.

Course topics

1. Adversary models

2. Uncertainty

3. Game theory

4. Methods for risk assessment

Teaching methods





  • Written exam (alternatively oral exam): 51%
  • Projects: 49%.
  • Both parts must be passed.


Letter grades, A (best) - F (fail)


Evaluated by external examiner.

Postponed exam (formerly continuation exam)

The whole subject must be repeated.

Permitted aids (applies to written exam only)

Approved calculator

Mandatory coursework requirements




Selected chapters from the following or similar books:

[1] Douglas J. Landoll. The Security Risk Assessment Handbook. Auerbach Publications,


[2] Joseph Y. Halpern. Reasoning about uncertainty. The MIT Press, 2005.

[3] Drew Fudenberg and Jean Tirole. Game Theory. The MIT Press, 1991.

[4] Terje Aven. Foundations of Risk Analysis. Wiley, 2003.

[5] Tim Bedford and Roger Cooke. Probabilistic Risk Analysis - Foundations and methods. Cambridge University Press, 2006.

Selected articles, e.g. a subset of:

[6] J. A. Adams. 'Richter scale for risk'? Scientific management of uncertainty versus management of scientific uncertainty. Interdiscip Sci Rev, 23:146-155, 1998.

[7] Ross Anderson and Tyler Moore. The economics of information security. Science, pages 610-613, October 2006.

[8] D. J. Bodeau. A conceptual model for computer security risk analysis. In Proceedings of the Eighth Annual Computer Security Applications Conference, pages 56-63, San Antonio, TX, USA, 1992. IEEE Press.

[9] H. Campbell. Risk assessment: subjective or objective? Engineering Science and Education Journal, 7:57-63, 1998.

[10] Philip L. Campbell and Jason E. Stamp. A classification scheme for risk assessment methods. Technical Report SAND2004-4233, Sandia National Laboratories, 2004.

[11] Lawrence A. Gordon and Martin P. Loeb. The economics of information security investment. ACM Trans. Inf. Syst. Secur., 5(4):438-457, 2002.

[12] Yacov Y. Haimes. Total risk management. Risk Analysis, 11(2), 1991.

[13] Kjell Hausken. Probabilistic risk analysis and game theory. Risk Analysis, 22(1):17-27, 2002.

[14] Peng Liu, Wanyu Zang, and Meng Yu. Incentive-based modeling and inference of attacker intent, objectives, and strategies. ACM Trans. Inf. Syst. Secur., 8(1):78-118,


[15] Yu Liu, Cristina Comaniciu, and Hong Man. A Bayesian game approach for intrusion detection in wireless ad hoc networks. In GameNets '06: Proceeding from the 2006 workshop on Game theory for communications and networks, page 4, New York, NY, USA, 2006. ACM Press.

[16] Kong-wei Lye and Jeanette Wing. Game strategies in network security. Technical Report CMU-CS-02-136, School of Computer Science, Carnegie Mellon University,


[17] NIST. Draft special publication 800-53a, guide for assessing the security controls in federal information systems, 2006.

[18] Felix Redmill. Risk analysis - a subjective process. Engineering Management Journal (IEE), 12(2), April 2002.

[19] Emily M. Smith. Designing for sabotage. Mechanical Engineering Online, September 2002.

Supplementary information

There is room for 50 students in the course.