Designing an AI-Assisted Risk Management Framework for a Chosen Company
Project Type: Group Project (4 students)
Deliverables: Technical report as primary file and source code as secondary resource (zip file)
Weight: 30% of course grade
>> Project Scenario
Your group will continue working with the same company or organization you selected in Assignment 2, where you analyzed its governance and compliance posture (e.g., a bank, healthcare provider, fintech startup, or government agency). You are now members of the Governance, Risk, and Compliance (GRC) team at that company. The company's leadership has asked your team to propose a data-driven risk management framework that uses machine learning to enhance the identification, assessment, and prioritization of risks. Your goal is to design an AI-assisted Risk Management System aligned with the ISO 27001 family of standards, the NIST Cybersecurity Framework (CSF), and COBIT 2019, while demonstrating how data analytics and ML can enhance risk-based decision-making. The system should demonstrate how predictive analytics can help anticipate risks before they materialize and support better governance and compliance decisions.
>> Suggested Dataset (Kaggle)
Please search for each dataset title below on this URL (e.g. searching for Cyber Security Breach Data should return the result shown) and then select the dataset that suits your needs for the selected company.
– Cyber Security Breach Data 2004 to 2023 (Kaggle)
– Cybersecurity Attacks Dataset (Kaggle)
– Risk Assessment Data (Operational Risk Dataset)
– Credit Risk Data Financial Risk Analysis
– Malware Detection Dataset
– Phishing Websites Dataset
Each group may select the dataset(s) from the list above that best align with their company's risk domain (cyber, operational, financial, or all of them).
>> Project Overview
Your team will apply machine learning techniques to analyze risk data and design a framework that supports:
- automated risk identification and classification,
- quantitative risk scoring or prioritization,
- integration of findings into a structured Risk Management Framework, and
- governance, compliance, and ethical considerations in the use of ML.
Further, the framework shall:
- identify and prioritize risks based on predicted incident likelihood or impact;
- integrate outputs into a governance and compliance structure consistent with recognized standards;
- demonstrate how ML models can support continuous monitoring and informed decision-making.
>> Project Structure and Deliverables
Part I: Framework Design and Governance Alignment
Objective: Connect risk governance principles and compliance frameworks with your proposed AI-based solution. Establish the organizational and regulatory foundation for the ML-based framework.
Tasks:
1. Revisit the Company Context: Summarize the organization's mission, critical assets, and regulatory environment (e.g., financial sector compliance with PCI DSS, GDPR, etc.).
2. Select Applicable Frameworks: Identify relevant standards (e.g., ISO 27001, NIST CSF, COBIT) and map their risk management controls to your company's environment, e.g. use the NIST CSF Identify and Protect functions to map framework controls before integrating ML solutions.
3. Define Governance Model: Describe how your ML-based risk management framework integrates into the company's governance and reporting structure.
4. Identify Key Risks: Use a qualitative matrix (impact × likelihood) to define the top 5–10 cyber risks your company faces.
Part II: Machine Learning Application for Risk Assessment
Objective: Use data-driven techniques to detect, predict, or prioritize cyber risks.
Tasks:
1. Dataset Selection and Preprocessing
   - Select one Kaggle dataset (or a subset) relevant to your company's threat profile.
   - Clean and preprocess the data (remove duplicates, normalize, label features).
2. Model Development
   - Develop at least two ML models (e.g., Decision Tree, Random Forest, Logistic Regression, SVM, or Neural Network).
   - Evaluate model performance (accuracy, precision, recall, F1 score).
3. Risk Scoring Mechanism
   - Translate ML model outputs into risk scores or probabilities of incidents.
   - Categorize risks into High / Medium / Low tiers aligned with ISO 27005 risk treatment principles.
4. Integration into Governance Framework
   - Demonstrate how ML outputs would inform the company's risk register, control selection, and reporting to management or board committees (e.g. illustrate this with a flowchart).
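The model-evaluation and risk-scoring steps above, worked through as an added example in Python (not part of the assignment's own materials): it computes accuracy, precision, recall and F1 from a classifier's predicted probabilities, combines each probability with an analyst-assigned impact rating into a risk score, and assigns High / Medium / Low tiers that feed a sorted risk register. The sample findings, the 1..5 impact scale and the tier cut-offs are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    y_true: int        # ground truth: 1 = an incident actually occurred
    p_incident: float  # classifier's predicted probability of an incident
    impact: int        # analyst-assigned impact rating, 1 (negligible) .. 5 (severe)

# Constructed sample of classifier output for six assets (not real data).
SAMPLE = [
    Finding("core-banking-db", 1, 0.92, 5),
    Finding("hr-portal", 0, 0.35, 3),
    Finding("payments-api", 1, 0.78, 5),
    Finding("marketing-site", 0, 0.15, 1),
    Finding("vpn-gateway", 1, 0.41, 4),   # missed by the classifier at 0.5
    Finding("test-lab-vm", 0, 0.62, 2),   # false alarm at 0.5
]

def confusion(findings, threshold=0.5):
    """Return (tp, fp, fn, tn) for a hard decision at the given probability threshold."""
    tp = fp = fn = tn = 0
    for f in findings:
        pred = 1 if f.p_incident >= threshold else 0
        if pred and f.y_true: tp += 1
        elif pred and not f.y_true: fp += 1
        elif not pred and f.y_true: fn += 1
        else: tn += 1
    return tp, fp, fn, tn

def metrics(findings, threshold=0.5):
    """Accuracy, precision, recall and F1, guarding the zero-division cases."""
    tp, fp, fn, tn = confusion(findings, threshold)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / (tp + fp + fn + tn),
            "precision": precision, "recall": recall, "f1": f1}

def risk_score(f):
    """Likelihood x impact on a 0..5 scale: the model supplies likelihood, the analyst impact."""
    return round(f.p_incident * f.impact, 2)

def tier(score):
    # Assumed cut-offs; a real framework derives them from the company's risk appetite.
    if score >= 3.0: return "High"
    if score >= 1.5: return "Medium"
    return "Low"

def risk_register(findings):
    """Rows for the risk register, highest score first, so tiering is not tied to the 0.5 threshold."""
    rows = [{"asset": f.asset, "score": risk_score(f), "tier": tier(risk_score(f))} for f in findings]
    return sorted(rows, key=lambda r: r["score"], reverse=True)
```

Note that vpn-gateway falls below the classification threshold yet lands in the Medium tier, because the impact rating carries it: the register ranks by score, not by the hard yes/no decision.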
Part III: Compliance, Reporting, and Continuous Improvement
Objective: Demonstrate compliance alignment, reporting, and future scalability.
Tasks:
1. Compliance Mapping
   - Map ML-enabled risk monitoring to compliance requirements (e.g., NIST CSF Detect and Respond functions, ISO 27001 Annex A.16 & A.17).
   - Show how the framework enhances audit readiness and regulatory reporting.
2. Incident Response and Feedback Loop
   - Propose how the ML system will trigger or support incident response workflows.
   - Integrate continuous learning: show how data from new incidents can retrain or refine the models.
3. Ethical and Governance Considerations
   - Discuss potential risks of bias, data privacy issues (GDPR relevance), and accountability for automated risk decisions.
   - Suggest controls to ensure transparency and human oversight.
Final Deliverable
- Technical Report (3,000–4,000 words): Covers all three parts with analysis, visuals, and citations (50%)
- Code Appendix (Secondary Resource): Clean, annotated Python notebook with dataset, preprocessing, model, and results (50%)
Learning Outcomes
- Assess information security vulnerabilities, threats, and risks, for developing an appropriate risk management strategy.
- Demonstrate an awareness of the role of information security policies and programs in organizations, by creating a SETA program for an enterprise.
- Demonstrate a knowledge of the implementation of information security standards, models, frameworks, compliance and business practices, including professional certifications.
- Design a contingency plan based on risk management.
- Deploy machine learning tools to automate risk analysis and treatment.