Module 3 Rubric#
Artifact#
cyber risk assessment package with scoring rationale, treatment plan, and executive dashboard focused on vulnerability prioritization: Prioritize vulnerabilities with contextual features.
Criterion |
Excellent |
Satisfactory |
Needs Revision |
|---|---|---|---|
Problem framing |
Decision, stakeholders, affected population, and constraints are explicit and coherent. |
Decision and stakeholders are named, but some constraints are thin. |
The work jumps to tools or conclusions without a clear decision frame. |
Evidence and method |
Uses lab evidence or equivalent analysis correctly; compares a baseline with an alternative; explains limits. |
Provides evidence and some comparison, but limits or assumptions are incomplete. |
Evidence is asserted without reproducible analysis or baseline comparison. |
Domain reasoning |
Connects results to AI for Risk Assessment with accurate terminology and realistic operational implications. |
Uses relevant terminology but misses some operational implications. |
Reasoning is generic and could apply to almost any AI course. |
Risk and governance |
Identifies technical, human, governance, and deployment risks with concrete mitigations. |
Identifies major risks but mitigations are vague. |
Risks are missing, generic, or treated as afterthoughts. |
Communication |
Recommendation is concise, defensible, and understandable to CISO, risk officer, system owner, auditor, and executive sponsor. |
Recommendation is understandable but not fully defended. |
Recommendation is unclear, unsupported, or overclaims what the evidence proves. |
Minimum Completion Standard#
A passing submission must include a runnable or inspectable evidence artifact, a baseline comparison, at least two failure modes, one mitigation per failure mode, and a specific next-action recommendation.