What do Tom Jones’ chest hair, alien abductions, and Tylenol’s brand recognition have in common? An actuary – somewhere in the world – determined the probability and impact of a loss event and reduced enough uncertainty to issue an insurance policy. Yet, in the field of risk management, we hear that this is impossible: we can’t measure intangibles; we can’t determine the probability of an event that’s never happened, and oftentimes, measuring probability itself is not possible. The insurance industry shows us that this just isn’t true, and they have the money to prove it. Insurance is a thriving business with excellent margins, built on uncertainty reduction.

Stiff statistics, prismatic pie charts, and questionable survey results drown the Information Security space in a sea of never-ending numbers that can be difficult to sift through. Have you ever finished reading a research institution’s annual security report and felt your Spidey sense begin to tingle with doubt or disbelief? What you are probably sensing is a manipulation of statistics, an age-old hoodwink that has been occurring as long as numbers have been used to convey information.

Probability estimates are the cornerstone of any good risk assessment in which data is sparse or expensive to come by, and are often thought of as one of the best ways to supplement existing information with subject matter expertise. Many risk analysts, however, can run into issues when trying to integrate the opinions of many subject matter experts into a risk management program. Some of these problems are: seemingly contradictory probability estimates, bias that can creep into results and the challenge of collecting and using large amounts of data. 

Are you currently performing or interested in implementing quantitative risk management in your organization? This is your chance to meet other risk managers in the information security field, trade tips, methodologies and discuss advanced techniques. Attendance is strictly limited to allow for a small group experience.

Identity and access management (IAM) has been a longtime domain for information security. How much energy should we be investing in these programs? How much risk is there for managing identities? This session will feature top risk professionals to get their approaches and understanding of the issues involved.

We make estimates every day in the field of information security. We regularly estimate the probability of a data breach, effectiveness of awareness training or projected staffing levels for the next 5 years.

Here’s the problem: humans are horrible at making estimates! All sorts of bias cloud our judgement, making it difficult to make good security decisions. Here’s the good news: it is possible to overcome some of these inherent biases with many of the same techniques that professional bookmakers use to set odds when placing and taking bets.

Expert Panel and Q&A on quantitative risk analysis with FAIR.

Many companies are considering blockchain technologies to make transactions faster, more secure and cost effective. If you are performing risk analysis on these emerging technologies, you ask be asking yourself: how do I even start to analyze risk when there are so many unknowns? A successful analysis requires a paradigm shift in thinking into two areas: casting aside the defense-in-depth metaphor to describe security controls; and, how we assess and analyze risk of new and emerging technologies that have a high degree of uncertainty.

Probability estimates are the cornerstone of any good risk assessment in which data is sparse or expensive to come by, and are often thought of as one of the best ways to supplement existing information with subject matter expertise. Many risk analysts, however, can run into issues when trying to integrate the opinions of many subject matter experts into a risk management program.

What do the San Francisco Giants, Cryptolocker and nuclear war all have in common? They all involve conflicts in which incentives, payouts and winning strategies can be analyzed with game theory. Game theory is a branch of mathematics that models conflict and cooperation between parties and is used in many real-world decision making scenarios, inside and outside the Information Security field. Game theory is particularly useful in analyzing the extortionist / victim dynamic present in ransomware infection scenarios.

A step-by-step walkthrough of performing a quantitative risk assessment based on FAIR on DDoS attacks.

Stiff statistics, prismatic pie charts, and stodgy survey results drown the Information Security space in a sea of never-ending numbers that can be difficult to sift through and find the relevant information contained within. Have you ever finished reading a vendor whitepaper or a research institution’s annual security report and felt your Spidey sense begin to tingle with doubt or disbelief? What you are probably sensing is a manipulation of statistics, an age-old hoodwink that has been occurring as long as numbers have been used to convey information.

CISO’s and risk analysts alike often get caught up in checking boxes on a list of control objectives in order to satisfy compliance and regulatory requirements. However, companies that only view risk through a narrow, regulatory or compliance-focused lens have the potential to overlook a myriad of threats that could impact business continuity, customer privacy and security and financial solvency. The last several high-profile data breaches prove that compliance does not equal security.