Society of Information Risk Analysts

SiRAcon '25 Highlights and Recap: Day 2

2025-09-23 07:22 | John Linford (Administrator)

From Zero to Quant to ERM


SiRAcon ’25 took place last week, Sep. 9-11, 2025, at the Boston Federal Reserve in Boston, MA, marking the second year that SiRAcon has been held at this venue.

The event theme this year was From Zero to Quant to ERM, building on last year’s theme of From Zero to Quant and emphasizing the need to have conversations about cybersecurity risk as part of broader enterprise risk management decisions. Presentations reinforced this theme and brought in considerations for AI, industry standards to aid adoption, and steps for continued growth based on learnings from the past.

The event drew more than 100 in-person and virtual attendees, and the SiRA Slack and Zoom chat allowed for lively and energizing discussion and debate throughout the event. As always, the SiRA community was engaged and thought-provoking all week, with excellent conversations taking place during breaks. The sense of community at this conference is always amazing!

If you happened to miss this year’s SiRAcon but registered, you can still access session recordings through the event site. If you did not register, the recordings will soon be added to the Members’ Area of www.societyinforisk.org and you can access them (as well as recordings from previous SiRAcons and past webinars) by becoming a Member of SiRA: https://societyinforisk.org/join.

Day 2: Wednesday, Sep. 10, 2025


The State of SiRA

  • Darrell Waurio, SiRA Board President

Darrell Waurio got day 2 started with a brief session focused on the vision and goals of SiRA for the near future. Darrell highlighted the five strategic priorities of the SiRA Board: member community development, sponsor relationships, strategic partnerships, Board strategic direction and oversight, and financial sustainability. Darrell closed with a call for volunteers to help SiRA meet these goals.

(For more details, please read the SiRA President’s Letter: https://societyinforisk.org/Presidents-Letter)

Keynote: Is AI the Biggest Risk to Risk Analysis – Or its Future?

  • Lonnie Chrisman

Lonnie Chrisman was the keynote presenter for day 2 and dove straight into an engaging presentation focused on AI. Lonnie emphasized the impacts of AI on information risk analysis, highlighting the growing ability of AI systems to perform multi-step tasks and tying this to a shift from reactive risk management toward proactive strategic planning. Lonnie noted that future (and current!) risk analysts can make great use of AI to improve modeling efforts and to help fill gaps where in-house expertise is missing, and advised that risk analysts adopt AI tools to increase performance and efficiency.

Surfing the Risk Sine Wave

  • Tyler Britton and Taylor Maze

Presenting remotely, Tyler Britton began his session developed with Taylor Maze by noting the limitations of traditional risk reporting: risk burn-down charts show consistent downward trends, but they create an unrealistic expectation that risk approaches zero. In reality, a net risk approach provides a better insight into risk oscillation and allows better risk management, based on risk tolerance and appetite and with allowances for variation built in.

Student Research Competition Winners

Day 2 featured the Inaugural SiRA Research Competition Winners Isaac Teuscher and Philip Akekudaga, who gave brief presentations on their research.

Automating the RMF: Lessons from the FedRAMP® 20x Pilot

  • Isaac Teuscher

Isaac Teuscher’s presentation focused on FedRAMP, the program that authorizes cloud-based software for use by U.S. federal agencies, and on the changes coming with FedRAMP 20x. Isaac provided insights into these changes based on a case study drawn from first-hand experience, tying in the NIST Risk Management Framework (RMF) and addressing evidence and documentation considerations.

Quantifying Systemic Risk in Critical Power Infrastructure Using FDNA: From Single-Node Failure to Grid-Wide Cascades

  • Philip Akekudaga

Philip Akekudaga’s presentation focused on Functional Dependency Network Analysis (FDNA), a graph-based methodology for identifying, representing, and quantifying dependencies between capabilities. Philip applied FDNA in a simulation to understand and improve the resilience of electric power grids, noting possible tie-ins to dynamic models that capture real-time, varying shocks as well as to enterprise portfolio planning aimed at preventing cascading failures through capability chains.
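To make the FDNA mechanics concrete, the following is an added example (not code from Philip's research or the talk, and not a model of any real grid) that propagates operability through a small, constructed dependency graph and ranks single-node failures by the grid-wide loss they cause. The strength-of-dependency (alpha) and criticality-of-dependency (beta) rules are the Garvey-Pinto FDNA formulation; the toy grid, its parameters, and the `own` term used to inject a failure at a node are assumptions made for this example.

```python
"""FDNA-style dependency propagation over a small, constructed power-grid graph.

Added example, not from the SiRAcon talk: applies the Garvey-Pinto FDNA
operability rules to show how one node's failure cascades downstream.
"""
from collections import defaultdict, deque

FULL = 100.0  # node operability is a percentage in [0, 100]

# Constructed toy grid (NOT real infrastructure data): (feeder, receiver, alpha, beta).
# alpha = strength of dependency in [0, 1] (1.0 = receiver lives entirely off the feeder).
# beta  = criticality of dependency in [0, 100] (receiver can be at most beta points
#         more operable than the feeder; 0 = hard-coupled).
GRID_EDGES = [
    ("gen_A", "sub_1", 0.9, 20.0),
    ("gen_B", "sub_1", 0.6, 50.0),
    ("sub_1", "feeder_north", 1.0, 0.0),
    ("sub_1", "feeder_south", 0.7, 40.0),
    ("feeder_north", "hospital", 0.8, 30.0),
    ("feeder_south", "water_plant", 0.9, 10.0),
]


def _topological_order(edges):
    """Kahn's algorithm. The propagation below assumes the dependency graph is a DAG."""
    nodes, indeg, out = set(), defaultdict(int), defaultdict(list)
    for feeder, receiver, _, _ in edges:
        nodes.update((feeder, receiver))
        out[feeder].append(receiver)
        indeg[receiver] += 1
    queue = deque(sorted(n for n in nodes if indeg[n] == 0))
    order = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for m in out[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                queue.append(m)
    if len(order) != len(nodes):
        raise ValueError("dependency graph has a cycle; FDNA propagation needs a DAG")
    return order


def propagate(edges, own=None):
    """Return {node: operability} after FDNA propagation.

    `own` is a node's intrinsic operability (100 = healthy, 0 = failed); nodes not
    listed default to 100. For a receiver j with feeders i:
        SOD_j = mean_i( alpha_ij * P_i + 100 * (1 - alpha_ij) )
        COD_j = min_i ( P_i + beta_ij )
        P_j   = min(own_j, SOD_j, COD_j)
    SOD and COD are the Garvey-Pinto FDNA rules; taking the min with own_j is this
    example's (assumed) way of injecting a failure at the receiver itself.
    """
    own = own or {}
    feeders = defaultdict(list)
    for feeder, receiver, alpha, beta in edges:
        feeders[receiver].append((feeder, alpha, beta))
    P = {}
    for node in _topological_order(edges):
        p = own.get(node, FULL)
        if feeders[node]:
            sod = sum(a * P[f] + FULL * (1 - a) for f, a, _ in feeders[node]) / len(feeders[node])
            cod = min(P[f] + b for f, _, b in feeders[node])
            p = min(p, sod, cod)
        P[node] = max(0.0, min(FULL, p))
    return P


def cascade_impact(edges):
    """Fail each node in turn; return [(node, total operability lost)] sorted worst-first."""
    baseline = propagate(edges)
    results = []
    for node in baseline:
        hit = propagate(edges, own={node: 0.0})
        lost = sum(baseline[n] - hit[n] for n in baseline)
        results.append((node, round(lost, 1)))
    return sorted(results, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for node, lost in cascade_impact(GRID_EDGES):
        print(f"{node:14s} fails -> {lost:6.1f} operability points lost grid-wide")
```

Losing generator gen_A hurts more than losing the substation outright in this toy grid, because gen_B can only partially backfill (alpha 0.6) and sub_1's low beta toward gen_A caps it at 20 regardless; that interaction between the two terms, rather than any single edge weight, is what FDNA is meant to surface.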

Quantifying the Cost of Cyber Risk

  • Scott Stransky

Following the presentations by the SiRA Research Competition winners, Scott Stransky used cyber insurance data to walk through the history of insurance risk modeling, cyber data types, correlation studies, and academic research. Scott highlighted the advantages of using insurance data, notably the high fidelity of incident details (including remediation efforts). Scott also noted that there is no statistically significant increase in ransomware incidents after an organization buys cyber insurance.

A Quant-a-Be’s Journey to Integrate CRQ at an Enterprise Scale

  • Sean Atkinson

Sean Atkinson offered open and honest lessons learned from implementing a risk quantification program, including the attempts that failed and the resistance he met. Sean walked through what was learned at each stage, giving attendees clear ways to improve communication within an organization and to improve adoption efforts. Sean stressed the need to meet each department where it is in its understanding (i.e., don’t present deep analytics to someone new to quantification) and to use current methodologies as a bridge to quantification.

Adversarial Machine Learning and AI Forensics

  • Paul Starrett

Paul Starrett kicked off his presentation by establishing a common understanding of AI forensics: the process of collecting, analyzing, and interpreting evidence to prove or disprove legal disputes involving AI systems. Paul drew on his career experience to provide real-world examples and to emphasize the need to plan for AI adoption beforehand rather than after the fact.

Quantifying in the Age of Hallucination: How I Learned to Stop Worrying and Trust the AI (Sometimes)

  • Tony Martin-Vegue

Rounding out day 2 was Tony Martin-Vegue, who offered some clear guidance on safe AI adoption:

  1. Accelerate, don’t outsource – use AI for tasks you already understand
  2. Assume wrong until proven right – verify all sources and claims from AI
  3. Keep humans at the wheel – never let AI make final risk decisions

Tony concluded his presentation by noting that AI fluency paired with human judgment will differentiate successful analysts.

_____________________________________________________________

During SiRAcon ’25, the SiRAcon Planning Committee also announced exciting news: SiRAcon ’26 will take place from Apr. 21-23, 2026 at the Boston Federal Reserve in Boston, MA. Full event details, including the event theme, presentation proposal deadlines, and registration, will be announced in coming weeks.

Thank you to everyone who made SiRAcon ’25 a success, particularly the keynote presenters and speakers, SiRA Board Members and SiRAcon Planning Committee Members, and attendees alike!

Thank you, too, to the sponsors of SiRA and SiRAcon ’25:


Finally, thank you to the Boston Federal Reserve for acting as a phenomenal host yet again and to the YOTEL Boston for providing fantastic accommodations and space for attendees.