Bruce Schneier's blog commented recently on Teaching Risk Analysis in School
. He linked to a London Times article on teaching risk.
Actually, the article was more about teaching probability and statistics as a way to understand risk, which isn't exactly the same thing as what we call risk analysis
these days. In practice, risk analysis is a qualitative process in which we apply numerical estimates to risk factors. If you look at even the most applied statistics work, you find very little that's truly qualitative, except perhaps in the choice of survey questions, if you're doing a survey.
I've been trying to teach risk analysis to undergraduates. It is a very tricky topic. Some risk elements fit into a formal mathematical model, but others don't. Instead of ejecting the misfitting elements from the model, typical risk analyses incorporate estimates that try to match the structure and behavior of the formal elements. While it's important in some fields (like security) to understand and apply this technique, there's no way to prove the correctness of this type of model. It is, ultimately, an opinion.