A tailored course, built for your situation
Audit-Tested Cyber Risk Quantification for Public-Sector Programs
A 12-module implementation-grade program for business and technology leaders advancing cyber risk maturity in public-sector environments
The situation this course is for
Public-sector initiatives face increasing scrutiny on cybersecurity accountability. Yet most risk assessments remain qualitative, inconsistent, or disconnected from audit requirements. Without a standardized, quantifiable approach, teams struggle to justify controls, prioritize investments, or demonstrate due diligence when under review.
Who this is for
A compliance officer, program manager, or technology leader in a public-sector or public-facing organization who must justify cyber risk decisions under audit conditions.
Who this is not for
This is not for entry-level IT staff, penetration testers, or vendors focused solely on tooling. It’s for decision-makers who own risk posture and must deliver audit-ready justification.
What you walk away with
- Apply a standardized methodology to quantify cyber risk in financial and operational terms
- Design risk registers that survive audit scrutiny and support decision-making
- Integrate quantified risk outputs into program planning and budget cycles
- Communicate cyber risk posture clearly to non-technical stakeholders and oversight bodies
- Build repeatable processes that scale across multiple public-sector initiatives
The 12 modules (with all 144 chapters)
- Defining cyber risk in public-sector contexts
- The evolution from qualitative to quantitative risk assessment
- Key standards influencing public-sector risk (NIST, ISO, COBIT)
- Distinguishing risk tolerance, appetite, and threshold
- The audit lifecycle and its impact on risk documentation
- Common pitfalls in early-stage risk quantification
- Aligning risk language across technical and non-technical teams
- The role of leadership in risk culture
- Baseline requirements for defensible risk models
- Introducing the FAIR framework in public programs
- Scenario: Building a risk-aware project kickoff
- Chapter exercise: Draft a risk charter for a sample initiative
- Understanding auditor priorities in public-sector reviews
- Mapping risk artifacts to compliance requirements
- Documentation standards for defensible risk claims
- How to anticipate and respond to audit findings
- Risk evidence packaging for transparency
- Version control and audit trails for risk models
- Common audit red flags and how to avoid them
- Working with internal vs. external auditors
- Integrating audit feedback into risk cycles
- Case study: Recovering from a non-conformance finding
- Checklist: Pre-audit risk documentation readiness
- Chapter exercise: Audit-proof a sample risk register
- Identifying high-value risk inputs
- Sourcing data from existing IT and security systems
- Interviewing stakeholders for loss event estimates
- Validating data credibility and recency
- Handling data gaps and uncertainty
- Minimizing collection burden on operational teams
- Data classification and sensitivity in risk contexts
- Using proxies when direct data is unavailable
- Documenting data sources for audit traceability
- Automating data pipelines for recurring assessments
- Case study: Data collection in a decentralized agency
- Chapter exercise: Build a data sourcing plan
- Public-sector threat actor profiles
- Adapting threat libraries (MITRE ATT&CK) for government use
- Estimating threat event frequency
- Differentiating opportunistic vs. targeted attacks
- Incorporating geopolitical and policy-driven threats
- Using historical incident data to inform threat models
- Scenario: Threat modeling for a citizen-facing portal
- Validating threat assumptions with peer review
- Updating threat models in response to new intelligence
- Balancing realism and conservatism in threat estimates
- Tools for visualizing threat landscapes
- Chapter exercise: Build a threat scenario matrix
- Translating CVSS scores into risk context
- Prioritizing vulnerabilities by exploitability and exposure
- Integrating vulnerability scan data into risk models
- Accounting for patching cycles and technical debt
- Human factors as vulnerabilities
- Third-party and supply chain exposure
- Environmental factors influencing vulnerability
- Using red team findings in quantification
- Documenting assumptions about exploit likelihood
- Case study: Vulnerability risk in legacy systems
- Checklist: Vulnerability-to-risk mapping
- Chapter exercise: Quantify impact of a known vulnerability
- Types of loss: productivity, response, replacement, fines
- Estimating downtime costs for public services
- Calculating regulatory penalty exposure
- Reputational damage modeling for public trust
- Intangible loss quantification techniques
- Multiplier effects in cascading failures
- Using benchmarks from public-sector incident reports
- Scenario: Estimating impact of data breach on citizen trust
- Sensitivity analysis for uncertain loss estimates
- Documenting loss assumptions for audit
- Tools for loss factor calculation
- Chapter exercise: Build a loss magnitude table
- Choosing a risk scoring methodology
- Calibrating risk scales for public-sector context
- Avoiding common scoring biases
- Normalizing risk across disparate programs
- Weighting risk by mission criticality
- Using heat maps and risk registers
- Setting risk thresholds for escalation
- Scenario: Prioritizing risks across three public programs
- Validating scoring with leadership judgment
- Updating scores dynamically
- Tools for risk scoring automation
- Chapter exercise: Score and rank sample risks
- Tailoring risk reports to different audiences
- Visualizing risk for non-technical decision-makers
- Telling a story with risk data
- Connecting risk to strategic objectives
- Reporting frequency and cadence
- Dashboards for ongoing risk monitoring
- Scenario: Presenting risk to a board committee
- Avoiding risk report fatigue
- Using benchmarks to show progress
- Documenting risk decisions over time
- Checklist: Executive risk briefing
- Chapter exercise: Draft a leadership risk summary
- Choosing between mitigate, transfer, accept, avoid
- Cost-benefit analysis of controls
- Integrating risk treatment into project plans
- Third-party risk transfer mechanisms
- Insurance considerations for public programs
- Building a business case for security investments
- Scenario: Justifying a security upgrade to finance
- Tracking mitigation effectiveness
- Revisiting risk after controls are implemented
- Documenting risk acceptance decisions
- Tools for treatment planning
- Chapter exercise: Build a mitigation roadmap
- Integrating risk into project lifecycle gates
- Role of PMO in risk oversight
- Risk review meetings and cadence
- Linking risk to budget and procurement
- Training teams on risk quantification
- Maintaining risk artifacts over time
- Scenario: Risk integration in a multi-year program
- Auditing the risk process itself
- Scaling risk practice across agencies
- Checklist: Risk governance framework
- Chapter exercise: Design a risk integration plan
- Chapter exercise: Audit a sample risk process
- Designing risk indicators and triggers
- Automating data feeds for risk models
- Review cycles for risk assumptions
- Responding to changes in threat or environment
- Scenario: Adjusting risk after a policy change
- Using tabletop exercises to stress-test models
- Benchmarking against peer organizations
- Reporting risk trends over time
- Tools for continuous monitoring
- Documenting model updates for audit
- Checklist: Continuous risk review
- Chapter exercise: Simulate a risk model refresh
- Assembling audit packages for risk models
- Version control and change logs
- Documenting assumptions and rationale
- Preparing teams for audit interviews
- Scenario: Responding to an auditor’s request
- Common findings and how to preempt them
- Using templates to ensure consistency
- Third-party validation of risk models
- Post-audit improvement cycles
- Checklist: Audit readiness review
- Tools for evidence management
- Chapter exercise: Package a risk model for audit
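The modules above name the building blocks of a FAIR-style estimate (threat event frequency, vulnerability, loss magnitude, sensitivity analysis, and audit traceability of assumptions) without showing the arithmetic. The following is an added worked example written for this page; it is not one of the course's templates or playbook artifacts. It simulates annualized loss exposure for one constructed scenario from three-point stakeholder estimates, cross-checks the simulated mean against the closed-form expectation, runs a one-at-a-time sensitivity sweep, and emits a seeded, hashed record of the inputs so an auditor can re-execute the model. The scenario, every number in it, and the `PORTAL_SCENARIO` name are assumptions.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure for one risk scenario.

Added illustration, not course material. The scenario and every figure in it are
constructed assumptions of the kind a stakeholder interview would produce.
"""
import dataclasses
import hashlib
import json
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (min, most likely, max), sampled as a triangular distribution."""
    low: float
    likely: float
    high: float

    def __post_init__(self):
        if not 0 <= self.low <= self.likely <= self.high:
            raise ValueError(f"estimate bounds must satisfy 0 <= low <= likely <= high: {self}")

    def expected(self) -> float:
        return (self.low + self.likely + self.high) / 3.0  # mean of a triangular distribution

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:  # pinned point estimate, used by the sensitivity sweep
            return self.low
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Estimate  # threat events per year (TEF)
    vulnerability: Estimate           # probability a threat event becomes a loss event (0..1)
    loss_magnitude: Estimate          # cost per loss event, in currency units
    source_notes: str                 # where the estimates came from, for audit traceability


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small per-year rates used here (lam well below ~700)."""
    if lam <= 0:
        return 0
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate(scenario: Scenario, iterations: int = 20_000, seed: int = 2024) -> list[float]:
    """One simulated year per iteration: draw TEF and vulnerability, turn the resulting loss event
    frequency into a Poisson count of loss events, and sum a loss magnitude draw for each event."""
    rng = random.Random(seed)  # fixed seed so an auditor re-running the model gets the same numbers
    annual_losses = []
    for _ in range(iterations):
        lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
        events = poisson(rng, lef)
        annual_losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return annual_losses


def expected_annual_loss(scenario: Scenario) -> float:
    """Closed-form mean (the three inputs are independent); used as a sanity check on the simulation."""
    return (scenario.threat_event_frequency.expected()
            * scenario.vulnerability.expected()
            * scenario.loss_magnitude.expected())


def summarize(losses: list[float]) -> dict[str, float]:
    s = sorted(losses)

    def percentile(p: float) -> float:  # nearest-rank percentile
        return s[max(0, min(len(s) - 1, math.ceil(p * len(s)) - 1))]

    return {"mean": mean(s), "p50": percentile(0.50), "p90": percentile(0.90),
            "p95": percentile(0.95), "max": s[-1]}


def sensitivity(scenario: Scenario, iterations: int = 5_000, seed: int = 7) -> dict[str, tuple[float, float]]:
    """One-at-a-time sensitivity: pin each input at its low bound, then its high bound, and report the
    mean annual loss for each, so the estimate whose uncertainty matters most is visible."""
    swings = {}
    for name in ("threat_event_frequency", "vulnerability", "loss_magnitude"):
        est = getattr(scenario, name)
        lo = dataclasses.replace(scenario, **{name: Estimate(est.low, est.low, est.low)})
        hi = dataclasses.replace(scenario, **{name: Estimate(est.high, est.high, est.high)})
        swings[name] = (mean(simulate(lo, iterations, seed)), mean(simulate(hi, iterations, seed)))
    return swings


def audit_record(scenario: Scenario, iterations: int, seed: int, summary: dict[str, float]) -> dict:
    """Evidence-package entry: every input, the seed, and a digest of both, stored next to the results."""
    inputs = dataclasses.asdict(scenario)
    digest = hashlib.sha256(json.dumps({"inputs": inputs, "iterations": iterations, "seed": seed},
                                       sort_keys=True).encode()).hexdigest()
    return {"inputs_sha256": digest, "inputs": inputs, "iterations": iterations, "seed": seed, "results": summary}


# Constructed scenario: credential stuffing against a citizen-facing portal. All figures are assumed.
PORTAL_SCENARIO = Scenario(
    name="Credential stuffing against citizen portal leads to account data exposure",
    threat_event_frequency=Estimate(2, 6, 20),
    vulnerability=Estimate(0.05, 0.15, 0.40),
    loss_magnitude=Estimate(50_000, 250_000, 1_500_000),
    source_notes="Assumed: TEF from WAF logs, vulnerability from MFA coverage, magnitude from incident cost benchmarks",
)

if __name__ == "__main__":
    summary = summarize(simulate(PORTAL_SCENARIO))
    print(json.dumps(audit_record(PORTAL_SCENARIO, 20_000, 2024, summary), indent=2))
    for name, (lo, hi) in sensitivity(PORTAL_SCENARIO).items():
        print(f"{name:24s} mean annual loss if pinned low / high: {lo:,.0f} / {hi:,.0f}")
```

The closed-form check matters in practice: if the simulated mean drifts far from `expected_annual_loss`, the sampler or the input coding is wrong, and that is the kind of defect an auditor re-running the model will find. The hashed record ties a set of results to exactly one version of the inputs, which is what a version-controlled risk register needs when estimates are revised after a policy change or a new intelligence report.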
How this maps to your situation
- Newly appointed risk lead in a public-sector program
- Compliance officer preparing for annual audit cycle
- IT director integrating cyber risk into capital planning
- Program manager justifying security budget in a constrained environment
What's included with your purchase
- 12 modules with 12 chapters each (144 chapters)
- Downloadable templates and worked examples for every module
- Hand-built implementation playbook delivered alongside course access
- 30-day money-back guarantee
Delivery and format
- Course and learning environment access provisioned within 24 hours of purchase
Format: Text-based modules and chapters in the Art of Service learning environment, plus downloadable templates and worked examples for every chapter, plus the hand-built implementation playbook delivered alongside course access.
Time investment: Approximately 4-6 hours per module, designed for self-paced learning with implementation-focused exercises.
How this compares to the alternatives
Unlike generic cybersecurity courses, this program focuses exclusively on audit-tested quantification methods for public-sector programs. Compared to live workshops, it offers on-demand access with structured, repeatable content and practical tooling.
Frequently asked
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.