Here is a small sample of the great talks available to SIRA members. Become a paid SIRA member for only $120/year to support our mission and get access to the full library of past SIRAcon and webinar recordings.
Tony Martin-Vegue | Security Engineer, Netflix
Skip the traditional learning curve! I reveal how to build or enhance a quantitative risk program using GenAI with battle-tested prompts for every step of the process, all through real-world war stories. AI won’t replace risk analysts, but risk analysts using AI will replace those who don’t.
Mike Woodward | Vice President Data Science, Axio
Warship modeling is strikingly similar to CRQ, from terminology, to problems, to simulation methods. There are decades of warship modeling research the CRQ community can use to kick-start their analysis. In this talk, I'll lay out the similarities and point to ways of using this research.
Nick Corzine
Business objectives are often dependent on third-party services, and this dependency undoubtedly comes with uncertainty. Organizations large and small face similar challenges in effectively and efficiently identifying which vendors and suppliers to keep an eye on. Out-of-the-box turnkey solutions are limited in their ability to identify the risks of each unique business-to-vendor relationship. Risk analysts play "Whac-A-Mole" with lengthy surveys and piles of third-party artifacts. Business owners grow impatient when the assessment process takes too long. Is there a better way businesses can reduce uncertainty and gain risk insights about third parties? Can risk analysts do more with less in their day-to-day operations? We'll propose a probabilistic, portable approach to operationally and quantitatively assess third-party risk at scale. This approach can offer risk management teams, audit teams, compliance teams, and other functional business areas improved third-party risk prioritization, resource management, communication, and risk assessment effectiveness. Hear how one organization is measurably improving the efficacy of its risk assessment processes using less data and fewer resources, all while adding fidelity in risk reporting, opening communication channels with business stakeholders, and delivering valuable, objective business intelligence that leadership can act on.
Kymberlee Price | Open Source Program Management Lead, Microsoft
Does your organization use open source software? Do you understand the risks inherent in these dependencies and how they are being managed in your environment? After watching Equifax be compromised by an OSS vulnerability, how are you sleeping at night?
Presentation Slides: Down the open source rabbit hole.pptx
David Severski | Lead Risk Data Scientist, Starbucks
Many risk assessments use qualitative approaches which are resistant to detailed analysis. This session introduces an open source library for the R language for performing repeatable quantitative risk management at a strategic level, which organizations can use to start making real progress in increasing their risk management capabilities.
Presentation Slides: Severski - Evaluator.pptx
Lisa Young | VP Cyber Risk Engineering, Axio
It is critical to measure the right things in order to make better-informed management decisions, take the appropriate actions, and change behaviors. But how do managers figure out what those right things are? Questions will be posed to help you set objectives for measurement in your organization.
Presentation Slides: Measuring what Matters.pptx
Jay Jacobs | Chief Data Scientist, Cyentia Institute
One of the classic complaints in performing risk analysis is the lack of data, or worse, the lack of "actuarial-quality data". This talk will explore data sources and walk through use cases of gathering the data, parsing and aggregating disparate data sources and continue through extracting and applying the information into your next risk analysis.
Presentation Slides: Data is everywhere.pdf
Tony Martin-Vegue | Director, Technology Risk, Lending Club
Probability estimates are the cornerstone of any good risk assessment in which data is sparse or expensive to come by, and are often thought of as one of the best ways to supplement existing information with subject matter expertise. Many risk analysts, however, can run into issues when trying to integrate the opinions of many subject matter experts into a risk management program. Some of these problems are: seemingly contradictory probability estimates, bias that can creep into results and the challenge of collecting and using large amounts of data.
Presentation Slides: Crowdsourced probability estimates.pptx
Ben Edwards & David Severski
A primordial cybersecurity question facing organizations is "What is an incident going to cost me?" Many people with a quantitative bent have zeroed in on Bayesian modeling as an appropriate methodology for dealing with the uncertainty inherent in cyber risk. Despite the age of the question and the relative consensus (at least at SIRA) around the approach, there still exists considerable confusion about exactly how to deploy this methodology.
In this talk we’re going to try to clear up the confusion, and show, in clear simple terms, how to do some basic Bayesian risk analysis. This will include answers to questions like:
“What the heck is probability?”
“Ok, what the heck is ‘Bayesian’ probability?”
“Ah that makes sense, but how do we use those definitions for modeling?”
“Do I need to understand Bayes theorem?” We’ll answer this one now: No.
“But Priors and Posteriors are important right?” Usually, no.
After we clear up the answers to these questions, we’ll take the audience through two basic risk models. First, we’ll use public data (courtesy of the Cyentia IRIS Risk Retina data set) to build a simple Monte Carlo simulation of the losses an organization might experience in a year. Next we’ll do just a little bit of Bayesian inference to show a FAIR-compatible alternative approach. We’ll even include some basic code in a variety of platforms (R, Python and Excel). We’ll end with a call to arms: Stop arguing about frameworks and how you might assess risk. Get out there with the tools you have now and do risk! Give your organization the assessment it needs.
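The frequency-times-magnitude Monte Carlo of annual losses that the abstract describes, written out as an added example. This is not code from the original page or from the speakers; the scenario parameters (event rate, the expert's 90% interval for a single loss) are constructed for illustration and are not drawn from the Cyentia IRIS Risk Retina data set. It uses only the Python standard library: loss event frequency is Poisson, single-loss magnitude is lognormal fitted to the expert's interval, and the output is the usual FAIR-style summary plus points on a loss exceedance curve.

```python
"""Monte Carlo simulation of annual cyber loss, FAIR-style (frequency x magnitude).

Added example. Parameters in __main__ are constructed for illustration and are
not taken from the IRIS / Advisen data the talk uses.
"""
import math
import random

# Two-sided z values for the confidence level of an expert's interval.
Z_TWO_SIDED = {0.80: 1.2816, 0.90: 1.6449, 0.95: 1.9600}


def lognormal_params_from_ci(low, high, confidence=0.90):
    """Turn a calibrated interval for a single loss event ("90% confident it
    costs between low and high") into mu/sigma of a lognormal whose
    (1-c)/2 and (1+c)/2 quantiles are exactly low and high."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    z = Z_TWO_SIDED[confidence]
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * z)
    return mu, sigma


def implied_interval(mu, sigma, confidence=0.90):
    """Sanity check: the interval the fitted lognormal implies (round-trip)."""
    z = Z_TWO_SIDED[confidence]
    return math.exp(mu - z * sigma), math.exp(mu + z * sigma)


def poisson_draw(rng, lam):
    """Knuth's algorithm; adequate for the small event rates typical of CRQ."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lef, low, high, years=10_000, seed=7):
    """Simulate `years` independent years. lef = mean loss events per year.
    Each year: draw the event count, then sum one lognormal loss per event."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params_from_ci(low, high)
    annual = []
    for _ in range(years):
        n_events = poisson_draw(rng, lef)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return annual


def percentile(values, p):
    """Nearest-rank percentile on the simulated years (0 <= p <= 1)."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(p * (len(ordered) - 1)))]


def exceedance_probability(values, threshold):
    """P(annual loss >= threshold): one point on the loss exceedance curve."""
    return sum(1 for v in values if v >= threshold) / len(values)


def summarize(values):
    """The numbers a risk register usually wants from the simulation."""
    return {
        "expected_annual_loss": sum(values) / len(values),
        "p50": percentile(values, 0.50),
        "p90": percentile(values, 0.90),
        "p99": percentile(values, 0.99),
        "p_zero_loss_year": sum(1 for v in values if v == 0) / len(values),
    }


if __name__ == "__main__":
    # Constructed scenario: roughly one loss event every two years, and the
    # SME is 90% confident a single event costs between $50k and $2M.
    losses = simulate_annual_losses(lef=0.5, low=50_000, high=2_000_000)
    for key, val in summarize(losses).items():
        print(f"{key:>22}: {val:,.0f}" if not key.startswith("p_") else f"{key:>22}: {val:.3f}")
    for t in (100_000, 500_000, 1_000_000, 5_000_000):
        print(f"P(annual loss >= ${t:,}) = {exceedance_probability(losses, t):.3f}")
```

Because most simulated years contain no event at all, the median annual loss is zero while the mean is driven by the tail; that gap is exactly why the exceedance curve, rather than a single "expected loss" number, is what to show stakeholders.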
Tony Martin-Vegue
Risk managers tasked with integrating quantitative methods into their risk programs, or even those just curious about it, may be wondering: Where do I start? Where do I get the mountain of data I need? What if my key stakeholders want to see risk communicated in colors?
Attendees will learn about common myths and misconceptions, learn how to get a program started, and receive tips on integrating analytical rigor into risk culture. When it comes to quant risk, ripping the Band-Aid off is a recipe for failure. Focusing on small wins in the beginning, building support from within, and a positive bedside manner are the keys to long-term success.
Jacinthe Galpin
Information is the heartbeat of our human existence. Protecting information is a necessity. But has it always been this way? Why is information, and its protection, so critical for humans as a species? And, in a rapidly shifting world, how do we evolve and keep up? Join Jacinthe A Galpin, host of the popular Risktory podcast, on an interactive journey through the history of information security, why it matters, and the critical challenges we will all face in a world of disruption.
Steven Schwartz
May 11th, 2022
Milena Rodban
May 13th, 2022
Brendan Fitzpatrick and Kelly Felder
May 18th, 2023
Tony Martin-Vegue
June 27, 2019
What do Tom Jones’ chest hair, alien abductions, and Tylenol’s brand recognition have in common? An actuary – somewhere in the world – determined the probability and impact of a loss event and reduced enough uncertainty to issue an insurance policy.
Yet, in the field of risk management, we hear that this is impossible: we can’t measure intangibles; we can’t determine the probability of an event that’s never happened, and oftentimes, measuring probability itself is not possible. The insurance industry shows us that this just isn’t true, and they have the money to prove it. Insurance is a thriving business with excellent margins, built on uncertainty reduction.
Why? The answer lies in incentives. Insurance is based on making uncertainty reduction profitable. With very few exceptions, cyber risk is set up to disincentivize good decisions. Using superstition and gut checks as a cheap replacement for data and utilizing debunked risk models are deemed “good enough” at best, and “really good!” at worst. Attendees will learn about how actuaries have historically tackled these challenges and receive practical tips on how companies and risk managers alike can be incentivized toward better risk decisions.
Tony Martin-Vegue is a writer, speaker and risk expert with a passion for data driven decision making. He brings his expertise in economics, cyber risk quantification and information security to advise senior operational and security leaders on how to integrate evidence-based risk analysis into business strategy. He has led risk teams for several Bay Area financial institutions and in the words of his eight-year-old son, has spent much of the last 20 years “Fighting criminals on the internet.” Tony is also the chair of the San Francisco chapter of the FAIR Institute – a professional organization dedicated to advancing risk quantification.
Jay Jacobs and David Severski
May 29, 2020
The 2020 Information Risk Insights Study (IRIS 20/20) helps clear the fog of uncertainty surrounding cyber risk and helps managers see their way to better data-driven decisions. This ground-breaking study leverages a large dataset from Advisen Ltd. spanning tens of thousands of public breaches over the last decade.
In this SIRA-specific webinar with the Cyentia team, you will gain an understanding of the key findings, how the IRIS 20/20 results can inform quantitative risk practices, and get a special deep dive into some of the models that are possible with this research. Whether you are just wanting to make better quick risk decisions based on possible losses or looking for better baselines for quantitative assessments, IRIS has something for you!
After viewing this session, you will be able to identify data patterns and gain actionable insights for better decision-making.
Apolonio Garcia
December 18, 2020
In IT security, there is a universal truth: we will always have more issues to deal with than we have time, people, and money. This perpetual shortage of resources means security leaders and their teams must continuously prioritize their risks and decide where to apply their limited resources.
This webinar will explore some of the challenges that make prioritizing issues difficult and how a simple principle introduced by the 19th-century economist Vilfredo Pareto can be used to design an effective risk management process.
Learn how applying the Pareto principle can help your organization achieve better outcomes with fewer resources.
Lisa Young
March 26, 2021
Enterprise organizations exist to provide products, services, and value to the communities they serve. Whether public or private, government or military, non-profit or profit-making, all enterprises need to deliver on their goals and objectives. Risk can impede the enterprise’s ability to be successful in meeting their mission.
Today, more than ever, our dependence on the intangible digital domain, information and technology assets, and virtual connectivity makes managing risk of all types critically important.
This session will guide you through the complexities of risk in the modern enterprise.
Lisa Young (plus special guests)
July 30th, 2021
Enterprise organizations exist to provide products, services, and value to the communities they serve. Whether public or private, government or military, non-profit or profit-making, all enterprises need to deliver on their goals and objectives. Risk can impede the enterprise’s ability to be successful in meeting their mission.
Today, more than ever, our dependence on the intangible digital domain, information and technology assets, and virtual connectivity makes managing risk of all types critically important.
This session will guide you through the complexities of risk in the modern enterprise.
Joe Breen & Daniel Brown
January 26, 2024
The SEC's new cybersecurity disclosure rules require companies to assess and report the material impacts of security events. For years, companies have been doing this around events with clear and concise financial impacts.
In this webinar, we talk about how the use of research combined with risk quantification can give companies a good idea of financial and material impacts for qualitative events.
Understand the intersection of qualitative data and risk analysis with this in-depth webinar.