SRA 311: Risk Analysis in a Security Context


Risk Analysis / GRC Case Study

This portfolio-safe case study summarizes selected SRA 311 Risk Analysis in a Security Context work focused on analytic confidence, source credibility, tangible and testimonial evidence, risk matrices, weighted ranking, organizational risk maturity, threat-risk modeling, cyber hygiene, and security risk treatment.

Course: SRA 311
Project Type: Risk Analysis / Security Context Case Study
Focus: Risk Analysis · Decision Analysis · GRC · Threat Modeling
Methods: Analytic Confidence · Risk Matrix · Weighted Ranking · Source Credibility
Team Project: Cyber Risk Assessment for a Poor Cyber Hygiene Scenario
Publishing Level: Portfolio-Safe / No Raw Submissions Published

Overview

SRA 311 focused on risk analysis in a security context. The course emphasized how analysts evaluate uncertainty, weigh evidence, assess credibility, compare risk methods, and translate threat scenarios into practical risk treatment plans.

This course is important to my portfolio because it strengthens the Governance, Risk & Privacy Analysis side of cybersecurity. It is not a technical tool lab. Instead, it demonstrates structured reasoning, uncertainty management, source credibility review, decision support, and risk communication.

The available coursework supports several major themes:

  • analytic confidence
  • source reliability
  • evidence credibility
  • tangible versus testimonial evidence
  • risk matrix use and limitations
  • weighted ranking
  • organizational risk maturity
  • quantitative threat-risk modeling
  • risk assessment methodology
  • cyber hygiene risk
  • phishing, malware, ransomware, and social engineering threat modeling
  • risk treatment planning
  • residual risk
  • monitoring plans
  • training and awareness
  • security audit programs

This page is intentionally written as a portfolio-safe summary. It does not publish raw assignments, full group submissions, private student identifiers, complete academic answers, or complete source materials.


Why This Project Matters

Cybersecurity is full of uncertainty.

Analysts and consultants often need to make recommendations when the available information is incomplete, ambiguous, or probabilistic. That requires more than technical knowledge. It requires a disciplined way to think about risk.

SRA 311 helped develop that discipline by asking questions such as:

  • How confident should an analyst be in an assessment?
  • What makes a source reliable?
  • How should tangible evidence be evaluated?
  • How should testimonial evidence be evaluated?
  • When do risk matrices help?
  • When can risk matrices mislead?
  • How should alternatives be ranked?
  • How do organizations mature in risk management?
  • How should a cyber threat scenario be scoped?
  • What controls reduce the likelihood or impact of a threat?
  • What residual risk remains after treatment?
  • How should risk be communicated to decision makers?

These questions are directly relevant to cybersecurity consulting, security operations, ServiceNow SecOps, vulnerability management, GRC, incident response, and risk-based prioritization.


Portfolio-Safe Publishing Approach

Security and academic integrity note: This case study summarizes risk analysis coursework without publishing raw assignments, full group reports, private student identifiers, full academic answers, or private source materials.

This page excludes:

  • raw academic submissions
  • full group reports
  • private student identifiers
  • complete assignment answers
  • full source evaluation worksheets
  • complete ranking tables
  • private course material
  • copy-paste-ready academic work

Instead, it presents:

  • risk analysis concepts
  • portfolio-safe summaries
  • analysis workflow
  • team project structure
  • methods used
  • professional lessons learned
  • relevance to GRC and cybersecurity work

Major Workstreams

Analytic Confidence

Explored how analysts express confidence in assessments based on evidence quality, source reliability, method use, collaboration, expertise, task complexity, and time pressure.

Uncertainty

Source Credibility

Analyzed tangible and testimonial evidence, chain of custody, authenticity, source competence, credibility, and the weight of evidence in decision-making.

Evidence Review

Risk Matrix Critique

Studied risk matrices, their use in likelihood-impact ranking, and limitations such as false precision, weak resource allocation support, and misleading prioritization.

Risk Methods

Weighted Ranking

Practiced pairwise and weighted ranking methods to compare positive opportunities and negative outcomes based on overall value or disutility.

Decision Analysis

Organizational Risk Maturity

Reviewed organizational risk maturity levels, security risk process maturity, and how organizational culture and structure affect risk management.

Risk Maturity

Cyber Risk Assessment

Completed a group risk assessment involving a fictional individual, credential assets, a cyber adversary, phishing, malware, social engineering, weak cyber hygiene, and risk treatment recommendations.

Threat Modeling


Team Risk Assessment Scenario

The group project analyzed a fictional cyber risk scenario involving:

  • a protector named Neo
  • critical online assets such as usernames, passwords, and security question answers
  • a cyber adversary named Agent Smith
  • phishing attacks
  • malware
  • ransomware
  • social engineering
  • weak cyber hygiene
  • lack of MFA
  • active use of online platforms
  • financial information exposure
  • personal information exposure
  • identity theft concerns
  • credential compromise risk

The project treated Neo’s credentials as the primary asset because compromised usernames, passwords, and security questions could unlock other services, expose financial information, enable identity theft, or support broader digital compromise.

The adversary was modeled as a skilled cybercriminal using phishing, malware, and social engineering. The risk assessment then considered how poor cyber hygiene increased likelihood and impact.


Risk Analysis Workflow

1. Define the Risk Context

Established the protector, asset, threat actor, situation, online behavior, and digital environment.

Context

2. Identify Threats and Vulnerabilities

Analyzed phishing, malware, ransomware, social engineering, weak cyber hygiene, weak authentication, and high online exposure.

Threat Review

3. Assess Likelihood and Consequence

Evaluated the likelihood of adverse events and the potential impact to credentials, personal data, financial information, and identity.

Risk Rating

4. Prioritize and Rank Risks

Used risk ranking and weighted ranking concepts to compare outcomes, opportunity value, and negative disutility.

Prioritization

5. Recommend Controls

Proposed practical risk treatment options such as MFA, audits, vulnerability assessments, secure browsing, training, monitoring, and expert consultation.

Treatment

6. Account for Residual Risk

Recognized that risk remains after controls are implemented and that continuous monitoring and adaptation are required.

Residual Risk


Analytic Confidence

Analytic confidence was a major theme in the course.

The coursework framed analytic confidence as the analyst’s degree of confidence in:

  • the information available
  • the quality of the evidence
  • the methods used
  • the reasoning process
  • the reliability of sources
  • the level of collaboration
  • the analyst’s expertise
  • the complexity of the task
  • time pressure
  • the final assessment

The professional lesson is that analysts should not only state what they believe, but also communicate how confident they are and why. This improves transparency, helps decision makers weigh conclusions, and creates a kind of accountability trail.

In cybersecurity, this matters because alerts, indicators, vulnerability scores, user reports, threat intelligence, and forensic findings often vary in reliability.


Source Credibility and Evidence Review

The course also emphasized the competence and credibility of intelligence sources.

The evidence-related work distinguished between:

  • tangible evidence, such as documents, objects, images, logs, or other physical/digital artifacts
  • testimonial evidence, which depends on statements and the credibility or competence of the person providing information

Important evaluation factors included:

  • authenticity
  • chain of custody
  • source reliability
  • source competence
  • source credibility
  • whether evidence truly confirms a claim
  • how much inferential weight the evidence should receive

This maps directly to cybersecurity investigations where analysts must decide whether logs, screenshots, user reports, endpoint alerts, files, or threat intelligence are trustworthy enough to support action.


Risk Matrix Evaluation

The course included analysis of risk matrices and their limitations.

Risk matrices can help communicate risk by comparing likelihood and impact, but they should not be treated as perfect decision-making tools.

The coursework emphasized that risk matrices can be useful for visibility and communication, but they may also introduce problems such as:

  • false precision
  • misleading color-based interpretation
  • weak support for resource allocation
  • poor priority ranking
  • overconfidence in simplified categories
  • inconsistent interpretation across stakeholders

The professional lesson is that a risk matrix can help organize risk discussions, but analysts should not let the matrix replace judgment, evidence quality, or cost-benefit analysis.
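As an added illustration of the "false precision" and "poor priority ranking" limitations above (this is example code, not part of the SRA 311 coursework), the following Python maps three constructed credential-related risks onto a 5x5 likelihood-impact matrix and compares that ranking with annualized expected loss; the band boundaries, probabilities, and loss figures are assumptions.

```python
"""Added example (not SRA 311 coursework): how a likelihood-impact matrix
can misorder risks relative to their expected loss."""
from dataclasses import dataclass

# Constructed 5-band scales (assumptions): likelihood bands are annual
# probabilities, impact bands are loss ranges in dollars.
LIKELIHOOD_BANDS = [(0.0, 0.02), (0.02, 0.10), (0.10, 0.30), (0.30, 0.60), (0.60, 1.01)]
IMPACT_BANDS = [(0, 1e3), (1e3, 1e4), (1e4, 1e5), (1e5, 1e6), (1e6, float("inf"))]

def band_index(value, bands):
    """Map a value onto a 1..5 band; values past the top bound land in band 5."""
    for i, (lo, hi) in enumerate(bands, start=1):
        if lo <= value < hi:
            return i
    return len(bands)

@dataclass
class Risk:
    name: str
    annual_probability: float
    loss: float  # loss if the event occurs, in dollars

    def expected_loss(self):
        return self.annual_probability * self.loss

    def matrix_cell(self):
        return (band_index(self.annual_probability, LIKELIHOOD_BANDS),
                band_index(self.loss, IMPACT_BANDS))

    def matrix_score(self):
        """The likelihood x impact product that colors the matrix cell."""
        likelihood, impact = self.matrix_cell()
        return likelihood * impact

def rank_by_matrix(risks):
    return sorted(risks, key=lambda r: r.matrix_score(), reverse=True)

def rank_by_expected_loss(risks):
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)

def ranking_reversals(risks):
    """Pairs (a, b) where the matrix scores a above b although b carries the
    larger expected loss: the 'poor priority ranking' failure mode."""
    return [(a.name, b.name) for a in risks for b in risks
            if a.matrix_score() > b.matrix_score()
            and a.expected_loss() < b.expected_loss()]

# Constructed risks against the team project's credential assets (assumptions).
RISKS = [
    Risk("credential phishing", 0.29, 12_000),        # cell (3,3), EL 3,480
    Risk("ransomware on laptop", 0.11, 95_000),       # cell (3,3), EL 10,450
    Risk("security-question guessing", 0.61, 1_500),  # cell (5,2), EL 915
]
```

With these inputs the matrix puts security-question guessing on top (score 10) although it has the smallest expected loss, and it ties phishing with ransomware (both score 9) despite a threefold difference in expected loss.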


Weighted Ranking and Decision Analysis

The weighted ranking assignment practiced structured comparison of alternatives.

The work included:

  • identifying possible opportunities
  • defining positive outcomes
  • comparing outcomes through pairwise ranking
  • considering possible scenarios
  • defining negative outcomes
  • comparing disutility
  • ranking by overall value and risk

The professional relevance is that cybersecurity leaders often need to compare imperfect options:

  • which control to implement first
  • which vulnerability to prioritize
  • which risk to accept
  • which project provides the most security value
  • which business impact matters most
  • which scenario produces the greatest negative consequence

Weighted ranking supports more transparent decision-making when resources are limited.
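An added worked example of the procedure described above, written for this page rather than taken from the course worksheet: criterion weights are derived from pairwise comparisons, and candidate controls from the team project are scored on weighted value minus weighted disutility. The criteria, the priority order, and the 1 to 5 scores are constructed assumptions; changing the priority order changes the weights and can reorder the controls.

```python
"""Added example (not the course worksheet): weighted ranking of candidate
controls, with criterion weights derived from pairwise comparisons."""
from itertools import combinations

# Constructed criteria (assumptions). Benefit criteria add value; the others
# are disutility and subtract from the overall score.
CRITERIA = ["likelihood_reduction", "impact_reduction", "cost", "user_friction"]
DISUTILITY = {"cost", "user_friction"}

def pairwise_weights(criteria, prefers):
    """Compare every pair of criteria once and count wins; weights are the
    smoothed win shares (wins + 1) / (comparisons + criteria), so a criterion
    that never wins still keeps a small, non-zero weight."""
    wins = dict.fromkeys(criteria, 0)
    for a, b in combinations(criteria, 2):
        wins[a if prefers(a, b) else b] += 1
    denominator = sum(wins.values()) + len(criteria)
    return {c: (wins[c] + 1) / denominator for c in criteria}

def prefers_by_order(order):
    """Pairwise preference induced by a stated priority order (first = most important)."""
    return lambda a, b: order.index(a) < order.index(b)

def overall_score(scores, weights):
    """Weighted value of benefit criteria minus weighted disutility."""
    total = 0.0
    for criterion, weight in weights.items():
        sign = -1 if criterion in DISUTILITY else 1
        total += sign * weight * scores[criterion]
    return round(total, 3)

def rank(alternatives, weights):
    """Return (name, score) pairs, best first."""
    ranked = [(name, overall_score(s, weights)) for name, s in alternatives.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)

# Constructed 1..5 scores for controls from the team project (assumptions):
# higher means more of that criterion, whether it is a benefit or a disutility.
CONTROLS = {
    "Multi-Factor Authentication": {"likelihood_reduction": 5, "impact_reduction": 3, "cost": 2, "user_friction": 2},
    "Training and Awareness":      {"likelihood_reduction": 3, "impact_reduction": 2, "cost": 2, "user_friction": 1},
    "Penetration Testing":         {"likelihood_reduction": 2, "impact_reduction": 2, "cost": 4, "user_friction": 1},
    "Continuous Monitoring":       {"likelihood_reduction": 2, "impact_reduction": 5, "cost": 3, "user_friction": 1},
}
# Assumed priority order for this protector: reducing likelihood matters most.
PRIORITY = ["likelihood_reduction", "impact_reduction", "cost", "user_friction"]

if __name__ == "__main__":
    weights = pairwise_weights(CRITERIA, prefers_by_order(PRIORITY))
    for name, score in rank(CONTROLS, weights):
        print(f"{name:28s} {score:5.2f}")
```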


Organizational Risk Maturity

The organizational risk maturity work examined how security risk processes mature over time.

The course connected risk maturity to:

  • organizational structure
  • organizational culture
  • external versus internal process ownership
  • management process maturity
  • embedding security processes into operations
  • PDCA-style improvement
  • day-to-day security management
  • risk process independence
  • operational integration

The key lesson is that risk management is not just a document or assessment. Mature risk management becomes part of daily operations and organizational decision-making.

This is important for ServiceNow and GRC because platforms and workflows only work well when the organization has the maturity to use them consistently.


Risk Treatment and Controls

The group assessment recommended practical controls for reducing risk exposure.

| Control Area | Risk Treatment Purpose | Risk Reduced |
|---|---|---|
| Multi-Factor Authentication | Reduce likelihood that stolen credentials alone can compromise accounts. | Identity Risk |
| Regular Security Audits | Review account security, software updates, device hygiene, and password practices on a recurring schedule. | Control Review |
| Risk Assessments | Identify and prioritize risk annually or when the environment changes. | Prioritization |
| Vulnerability Assessments | Scan for weaknesses and misconfigurations on a more frequent schedule. | Exposure Review |
| Penetration Testing | Use expert review to validate whether security controls are effective. | Validation |
| Secure Browsing Practices | Use safer browsing habits, privacy tools, and caution around links, attachments, and unknown platforms. | User Risk |
| Training and Awareness | Improve cyber hygiene, phishing recognition, password practices, and understanding of online threats. | Human Risk |
| Continuous Monitoring | Track behavior and risk indicators over time so controls can adapt to changing threats. | Residual Risk |

Monitoring Plan

The group project recognized that risk treatment is not complete after controls are implemented.

The monitoring plan included concepts such as:

  • recurring security audits
  • digital footprint tracking
  • behavioral monitoring
  • training and awareness
  • reporting and feedback
  • adapting to new and emerging threats
  • continuing to reduce residual risk
  • reassessing controls as behavior and exposure change

This is a strong GRC lesson: risk management should be dynamic. Controls need ongoing review, not one-time deployment.


Capability-to-Evidence Map

| Capability | Evidence from SRA 311 | Status |
|---|---|---|
| Risk Analysis | Analyzed cyber risk scenarios involving assets, threats, vulnerabilities, likelihood, impact, treatment, residual risk, and monitoring. | Completed |
| Analytic Confidence | Explored how analysts express confidence in judgments based on evidence quality, source reliability, method use, expertise, and uncertainty. | Completed |
| Source Credibility | Evaluated tangible evidence, testimonial evidence, authenticity, chain of custody, competence, credibility, and evidentiary weight. | Completed |
| Decision Analysis | Used risk matrix critique, pairwise comparison, weighted ranking, and value/disutility thinking to support structured decision-making. | Completed |
| Threat Modeling | Modeled a cyber adversary using phishing, malware, ransomware, and social engineering against a protector with weak cyber hygiene. | Completed |
| Risk Treatment Planning | Recommended MFA, audits, risk assessments, vulnerability assessments, penetration testing, secure browsing, awareness training, and monitoring. | Completed |

What I Learned

This course reinforced several lessons that matter in cybersecurity and GRC:

  • risk analysis must account for uncertainty
  • evidence quality matters as much as evidence quantity
  • source credibility affects the strength of an assessment
  • analytic confidence should be communicated clearly
  • risk matrices can help visualize risk but can also mislead
  • weighted ranking can make decision tradeoffs more explicit
  • security controls should be chosen based on risk treatment goals
  • residual risk remains even after controls are implemented
  • monitoring and reassessment are part of risk management
  • cyber hygiene is a major driver of individual and organizational risk
  • threat modeling helps connect adversary capability, target vulnerability, and potential impact
  • risk communication must be understandable to decision makers

Professional Relevance

This project supports roles involving:

  • GRC
  • risk analysis
  • vulnerability management
  • cybersecurity analysis
  • ServiceNow SecOps consulting
  • security operations
  • incident response planning
  • policy and control recommendations
  • threat modeling
  • executive risk communication
  • security awareness and cyber hygiene planning

It is especially relevant to ServiceNow SecOps and Vulnerability Response because risk-based prioritization is central to deciding what should be remediated first, what can be accepted, what needs escalation, and what evidence supports the decision.


Relationship to Other Portfolio Projects

SRA 311 complements several other portfolio areas.

| Related Project | How It Connects | Angle |
|---|---|---|
| IST 456 | IST 456 applies security risk management through SIEM investigations, ransomware, compromised credentials, data exfiltration, policy, and contingency planning. | Security Risk |
| IST 432 | IST 432 connects cyber law, privacy, legal risk, digital governance, and compliance interpretation to cybersecurity decisions. | Cyber Law / GRC |
| CYBER 342W | CYBER 342W focuses on incident response planning, NIST lifecycle, CSIRT governance, communication, disaster recovery, and business continuity. | IR Planning |
| ServiceNow SecOps Lab Hub | ServiceNow SecOps connects risk analysis to workflow, vulnerable item prioritization, remediation ownership, validation, exception handling, and closure. | SecOps Workflow |

Portfolio-Safe Redaction Notes

This case study intentionally excludes:

  • raw academic submissions
  • full group reports
  • complete ranking worksheets
  • private student identifiers
  • full assignment answers
  • private course materials
  • complete source evaluation responses
  • copy-paste-ready academic work

The goal is to show risk analysis, decision analysis, source evaluation, and GRC-style reasoning without publishing raw academic work.


Related Portfolio Areas

Governance, Risk & Privacy Analysis

This course supports governance, risk, and compliance work through risk assessment, risk treatment, source credibility, analytic confidence, and monitoring concepts.

GRC

Vulnerability Management

Risk ranking, residual risk, and treatment planning are directly relevant to vulnerability prioritization and remediation decisions.

Vulnerability Risk

ServiceNow SecOps

Risk analysis supports assignment, prioritization, exception handling, remediation ownership, validation, and communication in SecOps workflows.

SecOps-Relevant

Security Operations

Evidence credibility, analytic confidence, and risk communication help analysts explain what they know, how confident they are, and what should happen next.

SOC-Relevant


Next Steps

This project can later be connected to:

  • a GRC capability section
  • a risk analysis review path
  • ServiceNow Vulnerability Response risk-prioritization notes
  • a risk matrix critique concept note
  • a residual risk and exception-handling concept
  • a threat modeling checklist
  • an analytic confidence checklist
  • an evidence credibility checklist

For now, this page serves as the main portfolio-safe summary of my SRA 311 Risk Analysis in a Security Context work.