Cyber Security Risk Management
A University Level Course with Workshop Exercises
Narrated by: Virtual Voice
By: David Tuffley
This title uses virtual voice narration
Cyber threats do not wait for organisations to get ready. But the organisations that have done the work — that have built the frameworks, trained the people, and stress-tested the processes — are the ones that survive.
Cyber Security Risk Management is the comprehensive, university-level course text for professionals and students who need more than a surface acquaintance with cybersecurity. It is for those who need to understand the discipline deeply enough to practise it — to make real decisions, implement real controls, and build organisations that are genuinely resilient in the face of an adversarial digital landscape.
Written by David Tuffley PhD, a Senior Lecturer in ICT at Griffith University with three decades of research and professional experience, this book draws on the most authoritative sources in the field — NIST, ISO, CIS, OWASP, GDPR, HIPAA, PCI DSS, ASD, and more — and synthesises them into a structured, ten-module learning programme that takes you from foundational principles to advanced operational practice.
The journey begins where it must: with standards and frameworks. NIST CSF, ISO 27001/27002, NIST SP 800-53, and the CIS Critical Security Controls are not just listed and described here — they are explained in terms of how they work together, why they differ, and how a practitioner chooses between them for a given organisational context. This is the kind of nuanced, applied understanding that no checklist can provide.
Risk management receives dedicated, rigorous treatment across multiple modules. The NIST Risk Management Framework's seven-step lifecycle, the ISO 31000 principles, qualitative and quantitative risk assessment methods, vulnerability management processes, and third-party risk management are all covered in the depth that operational practice demands. Because risk is not a one-time exercise — it is a continuous discipline, and this book treats it as such.
The modules on identity and access management, data protection and privacy, and network and application security address the operational core of most cybersecurity roles. You will work through authentication architectures, PKI and key management, GDPR and Privacy Act compliance, firewall and IDS/IPS design, network segmentation, the OWASP Top 10, and secure coding practices within the software development lifecycle.
Security operations — the SOC, SIEM systems, incident response planning, digital forensics, and continuous threat monitoring — receive a full module, as does sector-specific compliance: NERC CIP for energy, FISMA and HIPAA for healthcare, the ASD Essential 8 and ISM for defence and government, PCI DSS for financial transactions, and the Zero Trust model mandated under Executive Order 14028.
The book concludes with a forward-looking examination of cybersecurity maturity models — the C2M2 and the Essential Eight Maturity Model — alongside a practical guide to career pathways, professional certifications, ethical obligations, and codes of conduct in the cybersecurity profession.
Every module includes structured workshop exercises built around realistic scenarios, making this text equally suited to formal university study and professional development within an organisation. The exercises do not test recall — they build the analytical and strategic thinking that separates practitioners from technicians.
This is the book for the cybersecurity student who intends to be taken seriously, the practitioner seeking a comprehensive professional reference, and the organisation that understands that security is not a product you purchase but a capability you build.
Build it properly. This book shows you how.