Earn Continuing Professional Education (CPE) credits at no cost and receive a certificate upon completion.
Cybersecurity risk management is how organizations make smart, defensible security decisions in the face of uncertainty. This free course explains how threats, vulnerabilities, and exposures combine to create risk, how risk is prioritized and tracked, and how leaders and practitioners reduce risk through practical controls and clear communication.
Start the course now and complete the training at your own pace.
Module 1 introduces the concept of cybersecurity risk management and explains why managing risk—not eliminating it—is the core objective of security programs. It defines foundational risk terms and establishes how threats, vulnerabilities, and exposures interact to create risk. This module sets the baseline for understanding how organizations evaluate and make decisions about cybersecurity risk.
Module 2 explores the complexity of the modern cybersecurity environment and why managing cyber risk is increasingly challenging. It explains how factors such as interconnected systems, expanding attack surfaces, and organizational dependencies influence risk. This module helps learners understand why cybersecurity risk must be evaluated in context rather than in isolation.
Module 3 introduces the CIA triad—confidentiality, integrity, and availability—as the foundational model for understanding cybersecurity priorities. It explains how these three elements guide risk decisions and help organizations evaluate the potential impact of threats and vulnerabilities. This module provides a practical framework for thinking about tradeoffs and security objectives in real-world environments.
Module 4 explains how threats, vulnerabilities, and exposures interact to create cybersecurity risk. It clarifies the differences between these concepts and why confusing them can lead to poor risk decisions. This module helps learners understand how identifying and evaluating each element supports more accurate risk assessment and prioritization.
Module 5 focuses on vulnerability management as a core component of cybersecurity risk reduction. It explains why not all vulnerabilities represent equal risk and how patching, prioritization, and context influence decision-making. This module helps learners understand how vulnerability data should be evaluated as part of broader risk management—not treated as a standalone metric.
Module 6 focuses on assessing technology and cybersecurity risk in a structured, repeatable way. It explains how organizations evaluate systems, processes, and controls to understand risk exposure and inform prioritization. This module reinforces the role of assessments in supporting informed decision-making rather than serving as one-time compliance exercises.
Module 7 focuses on cybersecurity risk management strategies and the frameworks and tools used to manage risk over time. It explains common risk treatment options—such as mitigation, transfer, acceptance, and avoidance—and how frameworks help organizations apply them consistently. This module helps learners understand how structured approaches support repeatable, defensible risk decisions.
Module 8 focuses on enterprise risk management and the importance of communicating cybersecurity risk to leadership. It explains how cyber risk fits into broader organizational risk discussions and why clear, business-relevant communication is critical for effective oversight and decision-making. This module reinforces the role of cybersecurity professionals as translators between technical risk and executive priorities.
Cybersecurity risk management is about understanding tradeoffs and making informed decisions—not eliminating risk entirely. This course introduces the core concepts that help organizations identify, assess, and manage cyber risk in a structured, repeatable way.
By completing this course, you will learn how to:
Understand how threats, vulnerabilities, and exposures combine to create cybersecurity risk
Apply the CIA triad (confidentiality, integrity, and availability) to real-world risk decisions
Identify and prioritize cybersecurity risks using practical assessment approaches
Understand common risk treatment options, including mitigation, transfer, acceptance, and avoidance
Track and manage risk over time using tools such as risk registers and plans of action
Communicate cybersecurity risk clearly to leadership and stakeholders in business-relevant terms
Meet Your Instructor
MS, CAWFE, CEH, CFCE, CHFI, CISSP, CNDA, DFCP, GCFA, GCFR, GCIA, GIME, GSEC
Josh Moulin is a cybersecurity leader with over 20 years of experience protecting critical systems and advising organizations worldwide. He began his career in law enforcement, where he led a cybercrimes task force and a digital forensics lab, pioneering efforts to combat cyber crime. Later, Josh served as a CIO and CISO in the U.S. nuclear weapons complex and as Senior Vice President of Operations at the Center for Internet Security (CIS), where he collaborated with DHS and CISA to secure U.S. state, local, tribal, territorial (SLTT), and election organizations through the MS-ISAC and EI-ISAC. He also served as an Executive Partner at Gartner, advising federal and military leaders on strategic cybersecurity initiatives.
In addition to founding Natsar, LLC, a cybersecurity consulting firm, Josh is adjunct faculty teaching university courses on cybersecurity and digital forensics. With a Master’s in Information Security and Assurance and numerous certifications, Josh’s highly rated courses draw from real-world expertise to equip learners with the tools to navigate today’s complex cybersecurity landscape.
You've got questions. We've got answers.
Yes. This is a no-cost course designed to provide practical training and help you earn Continuing Professional Education (CPE) credits.
Yes. After you complete the course, you’ll receive a completion certificate you can retain as documentation for CPE submission.
Yes. Natsar delivers customized training for individuals and organizations across a wide range of cybersecurity and digital forensics topics. If you’re interested, contact us at [email protected].