Module/Workshop

Managing Security, Safety, and Risk

8 Lessons

This is the third module in the Cyber-Physical Industry course; however, it can be taught as a standalone module.  The purpose of this module is to introduce students to an integrated perspective on security, safety, and risk that has quality management at its center.

Learning Objectives
  • Distinguish between safety and security using the SEMA framework and recognize standards and guidance that are useful for quality, safety, and risk management
  • Define risk, threat, vulnerability, and capability
  • Use Risk Priority Number (RPN) and Risk Equation to assess and prioritize risks
  • Identify and describe threat actors that seek to target industrial control systems
  • Explain how the NIST Cybersecurity Framework (CSF), Baldrige Cybersecurity Excellence Builder (BCEB), and the Cybersecurity Capability Maturity Model (C2M2) can provide value to an organization
  • Apply the NIST Cybersecurity Framework (CSF), Baldrige Cybersecurity Excellence Builder (BCEB), and the Cybersecurity Capability Maturity Model (C2M2) to provide value to an organization
  • Apply PHA, What-If, and HAZOP to analyze hazards
  • Explain what is meant by “supply chain disruption” and “black swan events” and identify vulnerabilities and capabilities that can be addressed to improve supply chain resilience
Faculty Instructions

This module has been designed with configurability in mind. Optional homeworks and additional assessment opportunities are outlined in each lesson plan, but can be incorporated or completely left out at the discretion of the instructor (with no adverse effect).

This module also contains one exam with 8 short-answer questions, and five lab exercises that can be completed in one or two 50-60 minute class periods:

  • 3B – Risk Analysis & Prioritization
  • 3C – NIST Cybersecurity Framework
  • 3D – Baldrige Cybersecurity Excellence Builder
  • 3F – PHA/What-If and HAZOP
  • 3H – Quality Costs
Files
Managing Security, Safety, and Risk Module Description
Module 3 Exam
Module 3 Exam Answer Key

Log In
to download materials

* NICE Cybersecurity Workforce Framework KSAs Addressed
  • K0002: * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
  • K0008: Knowledge of applicable business processes and operations of customer organizations.
  • K0027: Knowledge of organization's enterprise information security architecture system.
  • K0048: Knowledge of Risk Management Framework (RMF) requirements.
  • K0053: Knowledge of measures or indicators of system performance and availability.
  • K0054: Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.
  • K0084: Knowledge of structured analysis principles and methods.
  • K0101: Knowledge of the organization’s enterprise information technology (IT) goals and objectives.
  • K0146: Knowledge of the organization's core business/mission processes.
  • K0149: Knowledge of organization's risk tolerance and/or risk management approach.
  • K0150: Knowledge of enterprise incident response program, roles, and responsibilities.
  • K0169: Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures.
  • K0198: Knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, and CMMI for Acquisitions).
  • K0258: Knowledge of test procedures, principles, and methodologies (e.g., Capabilities and Maturity Model Integration (CMMI)).
  • K0437: Knowledge of general SCADA system components.
  • K0612: Knowledge of what constitutes a “threat” to a network.
  • S0027: Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
  • S0034: Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
  • S0038: Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system
  • S0085: Skill in conducting audits or reviews of technical systems.
  • S0359: Skill to use critical thinking to analyze organizational patterns and relationships.
  • A0009: Ability to apply supply chain risk management standards
  • A0045: Ability to evaluate/ensure the trustworthiness of the supplier and/or product.
  • A0106: Ability to think critically.
  • A0117: Ability to relate strategy, business, and technology in the context of organizational dynamics.
  • A0118: Ability to understand technology, management, and leadership issues related to organization processes and problem solving.
  • A0119: Ability to understand the basic concepts and issues related to cyber and its organizational impact.
* NSA/DHS Center of Excellence (CAE) KUs Addressed
  • Basic Data Analysis
  • Basic Scripting or Introductory Programming
  • Industrial Control Systems
  • Policy, Legal, Ethics, and Compliance,Core
  • Probability and Statistics

* Most courseware content maps to NIST NICE Cybersecurity Workforce Framework (NCWF) Knowledge, Skills, and Abilities (KSAs) and/or NSA/DHS CAE Knowledge Units (KUs). For more information on KSAs and KUs, please visit:

KSAs: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf

KUs: https://www.iad.gov/NIETP/documents/Requirements/CAE-CD_2019_Knowledge_Units.pdf