Introduction to Cybersecurity Risk Management for TIR57 Compliance

The course will help build threat modelling concepts for an organization and will cover how to do security risk management using the AAMI TIR57 standard. It will also introduce a model to manage the relations between cyber security risk management and safety management.

We will look at the threat models introduced in TIR57, orienting security observation from different pivoting perspectives, such as threat sources, asset management and known device vulnerabilities. The course will demonstrate these concepts through a case study for a fictitious product, which participants can work on in smaller groups.

We will look at the ANSI/AAMI SW96:2023 conjunction standard for TIR 57 and TIR 97.

Outcome
Upon completion, you will: 

  1. Understand the key concept of building a risk-based threat model
  2. Construct a structured analytic approach to cyber security risk management
  3. Become familiar with the content of the AAMI TIR57 standard and practice working with its toolsets
  4. Expand on the cybersecurity framework component of risk management in your organization

Content

  • Build a threat model for evidence-based risks and exploitability
  • Analytically discover threat sources, assess their likelihood of initiation, and compose their risks
  • Structure and discover threat management, enumerate their associated threats and risks
  • A structured way of looking at known vulnerabilities, documenting their threats and mitigations in your products
  • How to document threat vectors, actors, and their motivations
  • How to document cyber security risk analysis for the organization and provide deliverables with respect to regulatory requirements

The course comprises classroom presentations with opportunities for breakout sessions in smaller groups on a use-case example to practice using the introduced tools.

Target group
The training is targeted at organizations new to cyber security risk management and at organizations that already have cyber security management in process but are looking for some inspiration. It is suitable for newcomers and for participants with intermediate knowledge of cybersecurity. The course will focus on processes, with some technical cybersecurity activities.

The course is relevant for: 

  • Cybersecurity Quality Assurance / Quality Assurance Engineering
  • Cybersecurity Regulatory Affairs
  • Cybersecurity Product Responsible
  • Cybersecurity System Engineer
  • Cybersecurity Product Owner
  • Cybersecurity Program Manager
  • Security Champions in Development Department
  • Cybersecurity/Software Engineers
  • Cybersecurity Test and Verification

Trainer
Jens Schønberg, CEO, Founder and Principal Cybersecurity Specialist
JBS Consultancy

 


Contact

mp@medicoindustrien.dk
Morten Petersen
Education Consultant
49184703