DURATION: OCTOBER 2025 (12 WEEKS) | TUTOR: Dr Maria Alvanou
Learning Objectives
- Identify and analyse critically security risks, threats and vulnerabilities in information systems, accounting for the current threat landscape.
- Gather and synthesise information from multiple sources (including internet security alert and warning sites) to aid in the systematic analysis, management and auditing of risk and security issues.
- Critically determine appropriate methodologies, tools and techniques to mitigate and/or solve security risks and their business impact.
- Articulate the legal, social, ethical, and professional issues faced by information security and risk professionals.
Unit 1: An Introduction to Security and Risk Management
In my initial post for the Unit 1 collaborative discussion, I focused on the ethical risks of using data in investigations and the shared responsibility we have to remain ethically aware. Using the case study by Hancock et al. (2024), I questioned the common belief that more technology and more data automatically lead to better risk management. I then linked this to Khera’s (2017) work on the Aadhaar system, which shows how large security programmes can create serious social and ethical problems of their own. This discussion demonstrates my ability to challenge accepted views and to bring together ideas from diverse academic sources to form a clear, critical argument.
Collaborative Discussion 1 Initial Post
References:
Hancock, J., Hui, R., Singh, J. and Mazumder, A. (2024) ‘Trouble at Sea: Data and digital technology challenges for maritime human rights concerns’, in Proceedings of the 2024 ACM Conference on Fairness, Accountability, and Transparency (FAccT ’24), Rio de Janeiro, Brazil, 3–6 June. New York: Association for Computing Machinery, pp. 988–1001. Available at: https://doi.org/10.1145/3630106.3658950
Khera, R. (2017) ‘Impact of Aadhaar in welfare programmes’, Economic & Political Weekly, 52(50), pp. 61–67. Available at: https://www.epw.in/journal/2017/50/special-articles/impact-aadhaar-welfare-programmes.html
Unit 2: Users, Assessments and the Risk Management Process
This artefact captures my analysis of advanced risk assessment methodologies, specifically the transition from traditional manual analysis to AI-driven quantitative models. Evaluating the research by Kalogiannidis et al. (2024), I examined how tools like Natural Language Processing (NLP) and predictive analytics enhance the Risk Management Process (RMP) by processing unstructured data that traditional qualitative methods miss. This activity demonstrated the critical need to select appropriate assessment tools and highlighted the essential role of ‘user trust’ in effective risk mitigation.
The Role of AI in Risk Management
References:
Kalogiannidis, S., Kalfas, D., Papaevangelou, O., Giannarakis, G. and Chatzitheodoridis, F. (2024) ‘The Role of Artificial Intelligence Technology in Predictive Risk Assessment for Business Continuity: A Case Study of Greece’, Risks, 12(2), p. 19. Available at: https://doi.org/10.3390/risks12020019
Unit 3: Introduction to Threat Modelling and Management
This artefact serves as the conclusion to the three-week collaborative discussion on the ethical implications of security technology. By synthesising my initial analysis of data bias with peer insights on private infrastructure (e.g., Starlink), I demonstrated the ability to consolidate diverse perspectives into a cohesive argument. Crucially, I connected these ethical considerations to the threat modelling frameworks introduced in Unit 3. By framing ‘lack of fairness’ as a systemic vulnerability rather than a glitch, I articulated the profound professional responsibilities involved in designing secure and just systems.
Collaborative Discussion 1 Summary Post
Unit 4: Application of Threat Modelling and Management Techniques
This artifact presents my critical analysis of threat modelling for Industrial Cyber-Physical Systems (ICPS), developed for the Unit 4 seminar. By evaluating the framework proposed by Jbair et al. (2022), I examined how traditional IT threat models fail to capture the complexity of OT (Operational Technology) environments. I mapped the interdependencies between digital twins and threat vectors, demonstrating that risk identification must occur during the design phase of a system’s lifecycle. Furthermore, I evaluated the use of quantitative metrics (Risk = Attack Vector × Likelihood) to prioritize vulnerabilities and automate mitigation strategies.
Workshop Activity: Threat Modelling for Industrial Cyber-Physical Systems
References:
Jbair, M., Ahmad, B., Maple, C. and Harrison, R. (2022) ‘Threat modelling for industrial cyber physical systems in the era of smart manufacturing’, Computers in Industry, 137, p. 103611. Available at: https://doi.org/10.1016/j.compind.2022.103611
Unit 5: An Introduction to Security and Risk Standards in Industry and the Enterprise
The case study chosen analyzes a real-world data breach to demonstrate the critical relationship between regulatory frameworks (GDPR) and technical security standards. Reviewing the Social Engineering Attack case study from the Data Protection Commission (2023), I examined how a social engineering attack succeeded due to a lack of standard controls like Multi-Factor Authentication (MFA). This analysis highlights that compliance with legal standards (GDPR Article 32) is often impossible without implementing industry standards such as ISO 27001 (Access Control). It reinforced my ability to select appropriate security controls to mitigate specific threat vectors.
GDPR Case Study Analysis: Social Engineering Attack
References:
Data Protection Commission (2023) Case Studies: May 2018 – May 2023.
Unit 6: The Practical Implications of Security and Risk Standards
The attached report represents the culmination of our collaborative work to design a risk management strategy for an SME (‘Pampered Pets’) undergoing digital transformation. Our team was tasked with evaluating the ‘Status Quo’ versus a ‘Digital Transformation’ roadmap. To achieve this, we critically determined that a single framework was insufficient; we employed a hybrid methodology using ISO 31000 for high-level organizational risks and NIST SP 800-30 for granular technical threats. This artifact demonstrates my ability to synthesize complex risk data into client-friendly visual heatmaps while justifying strategic recommendations for business growth.
Pampered Pets Risk Identification Report
Unit 7: An Introduction to the Concepts of Quantitative Risk Modelling
In this unit, I moved beyond qualitative assessments to explore Quantitative Risk Modelling. The artifacts below demonstrate my application of two distinct probabilistic techniques. First, I utilized Monte Carlo simulations (Python) to model uncertainty in forecasting, running thousands of iterations to define risk boundaries. Second, I applied Bayesian inference (using the ‘Think Bayes 2’ framework) to demonstrate how risk probabilities should be mathematically updated as new evidence emerges. These exercises highlighted the strength of QRM in providing objective data for decision-making, while also revealing its dependency on the quality of input distributions.
Monte Carlo Simulation (Python) Based on Fizell (2022)
Bayesian Risk Update (Think Bayes 2) Based on Downey (2022)
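The two techniques named above, as an added Python example that is not part of the portfolio artefacts and is not code from Fizell (2022) or Downey (2022): a Monte Carlo forecast of annual loss that reports percentile "risk boundaries" and the probability of exceeding a risk-appetite threshold, followed by a Beta-Binomial update of a breach probability as new incident evidence arrives. The distributions, rates and prior values are constructed for illustration and are not figures from the page.

```python
"""Monte Carlo loss forecast and Bayesian update of a breach probability.

Added example, not code from the portfolio or from Fizell (2022) / Downey (2022).
Modelling assumptions (constructed for illustration, not from the page):
  * loss events per year follow a Poisson distribution,
  * the loss per event is log-normal,
  * the per-attempt breach probability carries a Beta prior that is updated
    by the observed count of successful attacks (Beta-Binomial conjugacy).
"""
import math
import random


def _poisson(rng, lam):
    """Draw a Poisson(lam) count with Knuth's multiplication method (fine for small lam)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(events_per_year, loss_median, loss_sigma,
                         iterations=10_000, seed=1):
    """Return a list with one simulated annual loss per iteration.

    events_per_year: Poisson rate of loss events (assumed value).
    loss_median, loss_sigma: median and log-scale spread of the per-event loss.
    A fixed seed keeps the forecast reproducible between runs.
    """
    rng = random.Random(seed)
    mu = math.log(loss_median)          # log-normal median = exp(mu)
    losses = []
    for _ in range(iterations):
        events = _poisson(rng, events_per_year)
        losses.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(events)))
    return losses


def risk_boundaries(losses, levels=(0.5, 0.9, 0.95)):
    """Loss at each requested percentile: the 'risk boundaries' of the forecast."""
    ordered = sorted(losses)
    n = len(ordered)
    return {lvl: ordered[min(n - 1, int(lvl * n))] for lvl in levels}


def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose loss exceeds a risk-appetite threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def update_breach_probability(prior_alpha, prior_beta, successes, attempts):
    """Beta-Binomial update: fold `successes` out of `attempts` observed attacks into the prior.

    Returns (posterior_alpha, posterior_beta, posterior_mean).  A Beta(1, 1) prior
    is uniform; Beta(2, 8) encodes a belief that roughly 20 % of attempts succeed.
    """
    if not 0 <= successes <= attempts:
        raise ValueError("successes must lie between 0 and attempts")
    a = prior_alpha + successes
    b = prior_beta + (attempts - successes)
    return a, b, a / (a + b)


if __name__ == "__main__":
    # Constructed scenario: two loss events a year, median loss 50k, wide spread.
    losses = simulate_annual_loss(events_per_year=2.0, loss_median=50_000, loss_sigma=1.0)
    for lvl, value in risk_boundaries(losses).items():
        print(f"P{int(lvl * 100)} annual loss: {value:,.0f}")
    print(f"P(loss > 250k): {exceedance_probability(losses, 250_000):.3f}")

    # Start from Beta(2, 8), then observe 3 successful attacks in 4 attempts.
    a, b, mean = update_breach_probability(2, 8, successes=3, attempts=4)
    print(f"posterior Beta({a}, {b}), mean breach probability {mean:.3f}")
```

The percentile table is only as good as the Poisson rate and log-normal spread fed into it, which is the dependency on input distributions noted above; the Bayesian step shows that a prior of Beta(2, 8) moves to Beta(5, 9) after three successes in four attempts, so the posterior mean is pulled sharply upward by a small amount of evidence.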
Unit 8: Implementing Quantitative Risk Models
The workshop activity captures my critical analysis of applying Quantitative Risk Modelling (QRM) to human-centric threats. Reviewing the research by Aijaz and Nazir (2024), I examined how Attack Trees and Markov Chains can quantify ‘Social Engineering’, a field traditionally treated as qualitative. This exercise demonstrated that even unpredictable human behaviors, such as susceptibility to persuasion principles (e.g., Authority or Scarcity), can be modeled mathematically to estimate Attack Success Probability (ASP). This highlights my ability to select complex modelling techniques to derive actionable data for security policy frameworks.
Modelling Social Engineering Threats
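The Attack Tree and Markov Chain approach described above, as an added Python example that is not part of the portfolio artefact and is not code from Aijaz and Nazir (2024): an attack tree whose AND/OR gates combine leaf probabilities (each leaf standing for a target yielding to a persuasion principle such as authority or scarcity) into an Attack Success Probability, and an absorbing Markov chain whose transitions model how a phishing conversation progresses to credential disclosure or abandonment. All probabilities are constructed illustrations, not measured values.

```python
"""Quantifying a social-engineering attack path with an attack tree and a
Markov chain.  Added example, not code from the portfolio or from Aijaz and
Nazir (2024).  Every probability below is a constructed illustration, not a
measured value: the leaf values stand for how often a target yields to a given
persuasion principle (authority, scarcity) and the chain's transitions stand for
how a phishing conversation progresses.
"""


def attack_tree_probability(node):
    """Return the attack success probability (ASP) of an attack-tree node.

    A node is either a leaf (node['p'] is its success probability) or a gate:
      {'and': [children]}  every child step must succeed  -> product
      {'or':  [children]}  any child path suffices        -> 1 - prod(1 - p)
    Children are assumed independent (a modelling assumption, not a finding).
    """
    if 'p' in node:
        return node['p']
    if 'and' in node:
        result = 1.0
        for child in node['and']:
            result *= attack_tree_probability(child)
        return result
    if 'or' in node:
        fail = 1.0
        for child in node['or']:
            fail *= 1.0 - attack_tree_probability(child)
        return 1.0 - fail
    raise ValueError("node must be a leaf, an 'and' gate or an 'or' gate")


# Constructed tree: credential theft succeeds via phishing OR vishing.
CREDENTIAL_THEFT = {
    'or': [
        {'and': [                       # phishing e-mail path
            {'p': 0.9, 'label': 'message reaches inbox'},
            {'p': 0.4, 'label': 'user clicks (authority pretext)'},
            {'p': 0.6, 'label': 'user submits (scarcity / urgency)'},
        ]},
        {'and': [                       # vishing path
            {'p': 0.5, 'label': 'target answers the call'},
            {'p': 0.3, 'label': 'target complies with caller'},
        ]},
    ]
}


def absorption_probability(transitions, start, target, tol=1e-12, max_steps=10_000):
    """Probability that a Markov chain started in `start` is eventually absorbed in `target`.

    transitions: {state: {next_state: probability}}; each row must sum to 1 and
    absorbing states map to themselves with probability 1.  The distribution is
    advanced step by step until almost no mass remains in transient states.
    """
    for state, row in transitions.items():
        if abs(sum(row.values()) - 1.0) > 1e-9:
            raise ValueError(f"transition row for {state!r} does not sum to 1")
    dist = {start: 1.0}
    for _ in range(max_steps):
        nxt = {}
        for state, mass in dist.items():
            for succ, p in transitions[state].items():
                nxt[succ] = nxt.get(succ, 0.0) + mass * p
        dist = nxt
        transient = sum(m for s, m in dist.items() if transitions[s].get(s, 0.0) < 1.0)
        if transient < tol:
            break
    return dist.get(target, 0.0)


# Constructed chain: the attacker may follow up ('engaged' -> 'engaged') before
# the target either discloses credentials or abandons the conversation.
PHISHING_CHAIN = {
    'contact':   {'engaged': 0.6, 'abandoned': 0.4},
    'engaged':   {'disclosed': 0.5, 'engaged': 0.3, 'abandoned': 0.2},
    'disclosed': {'disclosed': 1.0},
    'abandoned': {'abandoned': 1.0},
}


def phishing_success_probability():
    """ASP of the phishing conversation: absorption in 'disclosed' from 'contact'."""
    return absorption_probability(PHISHING_CHAIN, 'contact', 'disclosed')


if __name__ == '__main__':
    print(f"attack-tree ASP: {attack_tree_probability(CREDENTIAL_THEFT):.4f}")
    print(f"Markov-chain P(disclosed): {phishing_success_probability():.4f}")
```

The tree gives an ASP of 0.3336 for the constructed values; the chain gives 0.6 × 0.5 / (1 − 0.3) ≈ 0.4286, the follow-up loop being what distinguishes it from a one-shot tree leaf. The independence assumption at the gates is the main caveat: a user who falls for an authority pretext is likely also more susceptible to urgency, which a Bayesian Belief Network can capture but a plain attack tree cannot.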
Unit 10: Practical Applications and Issues in DR Implementations
I critically evaluated the strategic risks inherent in modern cloud-based Disaster Recovery (DRaaS). Analyzing Kumar (2024), I identified Vendor Lock-in as a primary threat to long-term DR viability, where proprietary APIs and data gravity prevent agility. I contrasted this with Corbari et al. (2024), who argue that the complexity of modern systems often obscures critical dependencies. By applying their Mission Thread Analysis framework, I demonstrated that successful DR requires not only data replication but also a precise mapping of ‘Mission Relevant Cyber Terrain’ to ensure that complex, interdependent business functions can actually be restored.
DR Solutions Design and Review
Unit 11: Future Trends in Security and Risk Management
This artifact represents my major individual project, where I applied advanced quantitative modelling to a ‘Future Trends’ scenario: the automation of a global supply chain. Moving beyond the qualitative heatmaps of Unit 6, I utilized Monte Carlo Simulations to forecast supply chain availability and Bayesian Belief Networks to estimate product quality degradation in an automated warehouse. This shift reflects the industry trend towards data-driven risk management. The report also addresses critical future infrastructure needs, specifically designing a Disaster Recovery (DR) solution with a sub-1-minute RPO/RTO to satisfy high-profile stakeholders.
Pampered Pets Risk Management Executive Summary
Unit 12: The Great Debate: Future Trends in SRM
For the final ‘Great Debate,’ I championed Predictive Risk Intelligence (PRI) as the most influential trend for the next five years. My presentation argued that SRM must evolve from ‘reactive’ firefighting to ‘proactive’ forecasting using AI-driven analytics. A key moment of professional development occurred during the Q&A: when challenged by the tutor regarding specific industry applications, I successfully bridged the gap by detailing a real-world financial services use-case from my professional experience. This demonstrated my ability to apply theoretical concepts to practical business contexts and communicate complex risk strategies under pressure.
Professional Skills Matrix & Action Plan (PDP)
Professional Skills Matrix
| Skill Area | Proficiency | Evidence in Portfolio |
| --- | --- | --- |
| Critical Thinking & Analysis | Advanced | Transitioned from accepting “gut feel” risk to questioning data validity (Unit 11 Monte Carlo). |
| IT and Digital Skills | Advanced | Successfully coded Python scripts for quantitative risk modelling (Unit 7 & 11). |
| Communication | Competent | Pivoted successfully during the Unit 12 Q&A; translated complex math into business logic in the Unit 6 Report. |
| Problem-Solving | Competent | Designed a specific DR solution for the “Pet Food” scenario to meet strict RPO/RTO constraints. |
| Teamwork & Leadership | Developing | Peer feedback (Unit 6) noted I was organized but sometimes dominated the solution phase. |
| Resilience | Competent | Overcame initial “coding anxiety” in Unit 7; handled pressure during the Unit 12 presentation Q&A. |
| Time Management | Competent | Delivered all artifacts and the major project on time; managed the trade-off between “perfect” and “done” in Unit 6. |
Personal Development Plan
Short Term (0–6 Months):
- Goal: Improve collaborative leadership style.
- Action: In future team meetings, I will implement a personal “speak last” rule to ensure I listen to divergent views before offering a solution. I will actively solicit input from quieter team members to avoid “Groupthink.”
- Measure: Positive feedback in future peer evaluations regarding “inclusivity.”
Medium Term (6–12 Months):
- Goal: Master quantitative risk modelling for human-centric risks.
- Action: I will undertake advanced training in Bayesian Belief Networks (BBN). I struggled to quantify “social engineering” risks in Unit 8, and BBNs are the industry standard for modelling such uncertain, human variables.
- Measure: Successful application of a BBN model to a live professional project (e.g., predicting insider threat likelihood).
Long Term (12+ Months):
- Goal: Champion “Ethical Security” at an organizational level.
- Action: I will move beyond technical risk management to strategic policy design, advocating for “Privacy by Design” frameworks. I aim to write a whitepaper or internal policy document on balancing surveillance with employee trust.
- Measure: Adoption of user-centric security policies in my organization.