Society of Information Risk Analysts

SiRAcon '25 Highlights and Recap: Day 3

2025-09-30 07:52 | John Linford (Administrator)

SiRAcon ’25 Highlights

From Zero to Quant to ERM


SiRAcon ’25 took place last week, Sep. 9-11, 2025, at the Boston Federal Reserve in Boston, MA. This marks the second year that SiRAcon has been held at this venue.

The event theme this year was “From Zero to Quant to ERM,” building on last year’s theme of “From Zero to Quant” and emphasizing the need to discuss cybersecurity risk as part of broader enterprise risk management decisions. Presentations reinforced this theme and brought in considerations for AI, industry standards to aid adoption, and steps for continued growth based on lessons from the past.

The event saw more than 100 in-person and virtual attendees, and the SiRA Slack and Zoom chat allowed for lively and energizing discussion and debate throughout the event. As always, the SiRA community was engaged and thought-provoking all week, with excellent conversations taking place during breaks. The sense of community at this conference is always amazing!

If you happened to miss this year’s SiRAcon but registered, you can still access session recordings through the event site. If you did not register, the recordings will soon be added to the Members’ Area of www.societyinforisk.org and you can access them (as well as recordings from previous SiRAcons and past webinars) by becoming a Member of SiRA: https://societyinforisk.org/join.

Day 3: Thursday, Sep. 11, 2025

Keynote: The Evolving Landscape of Risk Quantification: Past, Present, and Future

  • Jack Jones

The final keynote presenter of SiRAcon ’25 was Jack Jones, who provided a historical perspective of cybersecurity risk management. Jack connected the world of cyber risk to the medical industry, bringing in the notion of “Cybersecurity 2.0,” which will be characterized by consistent terminology and causal probabilistic models, quantitative ranges and distributions, and empirical data focus with forecasting evaluation. Jack also touched on AI, highlighting its potential value in scenario engineering and threat modeling.

Cross-Industry Lessons in Risk Quantification: Medical, Aviation, and Shipping Perspectives

  • Didier Jourdain

Continuing the trend of looking to other industries for lessons to be learned, Didier Jourdain used examples from the medical, aviation, and shipping industries to suggest an efficient approach to decision making. Didier noted that these industries rely on ordinal scales when rapid decision-making is required, because practitioners are familiar with them, but that more in-depth analysis can be used when time allows and the decision requires it.

Moving Toward Risk-Based Compliance: PCI DSS 4.0 Targeted Risk Analysis

  • Jim Lipkis

Jim Lipkis, with input from Aaron Arutunian, dove into targeted risk analysis (TRA) for specific control criteria. Jim noted that compliance does not necessarily mean security, but he asked whether compliance requirements might support stronger security postures. Jim advocated for conducting high-level assessments first to identify what’s actually important, and only then performing deeper analysis so that resources are focused on truly critical controls.

Insecure at Any Speed: Why Secure by Design is Not Enough

  • John Benninghoff

Beginning with a historical overview of the auto industry and factors resulting in improved safety, John Benninghoff made connections to the CISA “Secure by Design” initiative. John noted the potential externalities from security incidents, notably that third-party breaches affect numerous interconnected companies. John ended with a call to action to professionalize the software engineering profession with proper tools and moral obligations.

Keeping Score: Using Real Breach Data to Evaluate Control Effectiveness

  • Matt Berninger

The final presentation of SiRAcon ’25 was from Matt Berninger, who walked through the latest cybersecurity controls report from Marsh McLennan, which analyzed the relationship between control attestations and breach performance. Matt concluded that the controls that mattered in 2023 still matter, but he noted that it is harder to differentiate between them due to high adoption rates (such as 98-99% MFA adoption). Matt also highlighted that using the Exploit Prediction Scoring System (EPSS) and contextual scoring frameworks is recommended over CVSS scores alone.
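As an added illustration of the EPSS-over-CVSS-alone point (this is example code written for this recap, not code from Matt's talk or from the Marsh McLennan report), the script below builds a handful of constructed findings with placeholder identifiers and ranks them two ways: by CVSS base score only, and by EPSS exploitation probability combined with asset context. The context attributes (internet exposure, asset criticality) and the scoring formula are assumptions chosen for the example, not a published framework.

```python
"""Added illustration: CVSS-only ranking versus EPSS-plus-context ranking.
All vulnerability records, scores, identifiers and weights below are constructed
sample values for the example, not real CVEs or report data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float             # CVSS base score, 0.0-10.0
    epss: float             # EPSS probability of exploitation within 30 days, 0.0-1.0
    internet_facing: bool   # assumed context attribute: reachable from the internet
    asset_criticality: int  # assumed context attribute: 1 (low) .. 3 (high)


# Constructed sample findings: a critical-CVSS item with near-zero EPSS on an
# internal, low-value asset, alongside lower-CVSS items that are actively exploited
# on exposed, high-value assets.
SAMPLE_FINDINGS = [
    Finding("VULN-A", cvss=9.8, epss=0.004, internet_facing=False, asset_criticality=1),
    Finding("VULN-B", cvss=7.5, epss=0.92, internet_facing=True, asset_criticality=3),
    Finding("VULN-C", cvss=8.8, epss=0.01, internet_facing=True, asset_criticality=2),
    Finding("VULN-D", cvss=6.5, epss=0.55, internet_facing=True, asset_criticality=3),
]


def rank_by_cvss(findings):
    """Return identifiers ordered by CVSS base score alone, highest first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def contextual_score(f):
    """Assumed scoring formula: exploit likelihood (EPSS) times an impact proxy
    (CVSS scaled to 0-1) times exposure and asset-criticality multipliers."""
    exposure = 1.0 if f.internet_facing else 0.3  # assumed weight for non-exposed assets
    return f.epss * (f.cvss / 10.0) * exposure * f.asset_criticality


def rank_by_context(findings):
    """Return identifiers ordered by the contextual score, highest first."""
    return [f.vuln_id for f in sorted(findings, key=contextual_score, reverse=True)]


def top_n_changes(findings, n=2):
    """Identifiers that enter the top-n remediation list only under contextual ranking."""
    cvss_top = set(rank_by_cvss(findings)[:n])
    ctx_top = set(rank_by_context(findings)[:n])
    return sorted(ctx_top - cvss_top)


if __name__ == "__main__":
    print("CVSS-only order:   ", rank_by_cvss(SAMPLE_FINDINGS))
    print("EPSS+context order:", rank_by_context(SAMPLE_FINDINGS))
    print("Newly in top 2:    ", top_n_changes(SAMPLE_FINDINGS))
```

Run as a script, the two orderings differ completely: CVSS alone puts the never-exploited internal finding first, while the contextual ranking moves the exposed, high-criticality findings with high EPSS to the top of the remediation queue. The weights are deliberately simple; the point is that likelihood and context change the order, not the specific multipliers.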

_____________________________________________________________

During SiRAcon ’25, the SiRAcon Planning Committee also announced exciting news: SiRAcon ’26 will take place from Apr. 21-23, 2026 at the Boston Federal Reserve in Boston, MA. Full event details, including the event theme, presentation proposal deadlines, and registration, will be announced in coming weeks.

Thank you to everyone who made SiRAcon ’25 a success, particularly the keynote presenters and speakers, SiRA Board Members and SiRAcon Planning Committee Members, and attendees alike!

Thank you, too, to the sponsors of SiRA and SiRAcon ’25:

Finally, thank you to the Boston Federal Reserve for acting as a phenomenal host yet again and to the YOTEL Boston for providing fantastic accommodations and space for attendees.