Course 2024-2025 a.y.

20652 - TECHNOLOGY RISK GOVERNANCE

Cross-institutional study L. Bocconi - Politecnico Milano

Course taught in English

CYBER (5 credits - I sem. - OB  |  ING-IND/35)
Course Director:
PAOLO TRUCCO

Classes: 25 (I sem.)
Instructors:
Class 25: PAOLO MACCARRONE


Mission & Content Summary

MISSION

Technology Risk Governance comprises the set of strategies, operating models and tools that organizations put in place for understanding, assessing and managing existing and emerging technology-related risks. Technology-driven businesses are nowadays struggling to keep up with the rapid pace of technology innovation and change, as well as with the increasing complexity of modern socio-technical systems in the cyber age. In this context, the course aims at transferring to the students the theoretical and practical knowledge concerning the most relevant approaches, methods and organizational arrangements for technology risk governance and management of cyber-physical systems. Real cases discussed during the course cover a wide spectrum of industrial and service systems, ranging from manufacturing to infrastructure, which are of relevance for both business and institutional decision makers.

CONTENT SUMMARY

The course addresses all the relevant approaches, methods and models for supporting risk-informed decisions in managing complex socio-technical systems (e.g. technology selection, system design, and operations) from business and institutional perspectives:

  • Risk governance of new and emerging technologies: Technology outlook and risk analysis methods for technology selection. Case studies and industry seminar.
  • System Safety Engineering of cyber-physical systems: Risk definition, modelling and reporting; Risk Engineering methods: Failure Mode Effects and Criticality Analysis (FMECA), Fault Tree Analysis (FTA), Event Tree Analysis (ETA); FMECA and FTA Exercises.
  • Risk Analysis of Socio-Technical systems: Human and Organizational risk factors; Risk management of Organizational accidents (Reason’s model); the HRO (High Reliability Organization) theory. Critical incident analysis technique.
  • Organizational Resilience and Business Continuity Management. Table-top exercise on cyber incident management. Industry seminar.
  • Risk Governance of Complex Socio-Technical Systems: theory of Complex Adaptive Systems (CAS) and system-of-systems; Risk analysis of cyber-physical networked infrastructure; Discussion of real disruption events.

Intended Learning Outcomes (ILO)

KNOWLEDGE AND UNDERSTANDING

At the end of the course the student will be able to...
  • Identify and categorize technology risks of established and emerging operating and digital technologies
  • Describe and prioritize risk and resilience features of complex socio-technical cyber-physical systems exposed to cyber and physical threats
  • Distinguish and compare approaches to and methods for technology risk management at different system life cycle stages
  • Choose and apply the most appropriate risk assessment methods given the key features of the socio-technical system at stake and the aim of the analysis
  • Examine and evaluate the suitability of an organization’s technology risk governance model
  • Prepare a strategic report on technology risk assessment or cyber incident investigation.

APPLYING KNOWLEDGE AND UNDERSTANDING

At the end of the course the student will be able to...
  • Identify and categorize technology risks of established and emerging operating and digital technologies
  • Describe and prioritize risk and resilience features of complex socio-technical cyber-physical systems exposed to cyber and physical threats
  • Distinguish and compare approaches to and methods for technology risk management at different system life cycle stages
  • Choose and apply the most appropriate risk assessment methods given the key features of the socio-technical system at stake and the aim of the analysis
  • Examine and evaluate the suitability of an organization’s technology risk governance model
  • Prepare a strategic report on technology risk assessment or cyber incident investigation.

Teaching methods

  • Lectures
  • Practical Exercises
  • Collaborative Works / Assignments
  • Interaction/Gamification



Assessment methods

  Assessment modes: Continuous assessment, Partial exams, General exam
  • Written individual exam (traditional/online): General exam
  • Individual Works / Assignment (report, exercise, presentation, project work etc.): Continuous assessment
  • Collaborative Works / Assignment (report, exercise, presentation, project work etc.): Continuous assessment

ATTENDING AND NOT ATTENDING STUDENTS

With the purpose of measuring the acquisition of the above-mentioned learning outcomes, the assessment of attending students is based on three components:

1. One group major assignment (50% of the final grade) designed with the purpose of verifying the student’s ability to: i) choose and apply the most appropriate approach and methods given the key features of the complex socio-technical system at stake; ii) examine and assess the suitability of an organization’s technology risk governance model; iii) prepare a technical report on technology risk governance. The deliverable consists of a final written report;

2. Final oral exam (50% of the final grade), which aims to assess the student’s learning level of theories and models and their application to specific business contexts;

3. In-class minor group assignments (non-compulsory), consisting of short reports covering the complete solution of two in-class exercises selected by the instructor (max 1 point will be added to the final grade).


Teaching materials


ATTENDING AND NOT ATTENDING STUDENTS

Bedford, Tim & Cooke, Roger M. Probabilistic risk analysis: foundations and methods, Publisher: Cambridge University Press, Year of publication: 2001

Reason J. Managing the risks of organizational accidents, Publisher: Ashgate, Year of publication: 1997

Last change 11/11/2024 16:37