IRIS 20/20 Deep Dive

SPEAKER: Jay Jacobs and David Severski

DATE: May 29th, 2020

The 2020 Information Risk Insights Study (IRIS 20/20) helps clear the fog of uncertainty surrounding cyber risk and helps managers see their way to better data-driven decisions. This ground-breaking study leverages a large dataset from Advisen Ltd. spanning tens of thousands of public breaches over the last decade. Cyentia’s extensive analysis of that dataset yields valuable insights about the frequency and financial impact of cyber incidents to organizations of all types and sizes.

In this SIRA-specific webinar with the Cyentia team you will gain an understanding of the key findings, how the IRIS 20/20 results can inform quantitative risk practices, and get a special deep dive into some of the models that are possible with this research. Whether you are just wanting to make better quick risk decisions based on possible losses or looking for better baselines for quantitative assessments, IRIS has something for you!

80/20 Cyber Risk Management: Prioritizing Issues that Matter Most

SPEAKER: Apolonio Garcia

DATE: December 18, 2020

In IT security, there is a universal truth: we will always have more issues to deal with than we have time, people, and money. This perpetual shortage of resources means security leaders and their teams must continuously prioritize their risks and decide where to apply their limited resources. During this session, we will explore some of the challenges that make prioritizing issues difficult and how a simple principle introduced by 1900 century economist, Vilfredo Pareto, can be used to design an effective risk management process.

All Roads Lead to Risk

SPEAKER: Lisa Young

DATE: March 26th, 2021

Enterprise organizations exist to provide products, services and value to the communities they serve. Whether public or private, government or military, non-profit or profit making, all enterprises need to deliver on their goals and objectives. Risk can impede the enterprise’s ability to be successful in meeting their mission.

Today, more than ever, our dependence on the intangible digital domain, information and technology assets, and virtual connectivity makes managing risk of all types critically important.

To view the slides, click here

 SIRACon2018 Presentation: Down the open source rabbit hole

Speaker: Kymberlee Price  

Open Source Program Management Lead, Microsoft

Does your organization use open source software? Do you understand the risks inherent in these dependencies and how they are being managed in your environment? After watching Equifax be compromised by an OSS vulnerability, how are you sleeping at night?

Presentation Slides: Down the open source rabbit hole.pptx

SIRACon2018 Presentation: Evaluator - Open source quantitative risk
Speaker: David Severski

Lead Risk Data Scientist, Starbucks

Many risk assessments use qualitative approaches which are resistant to detailed analysis. This session introduces an open source library for the R language for performing a repeatable quantitative risk management at a strategic level which organizations can use to start making real progress in increasing their risk management capabilities.

Presentation Slides: Severski - Evaluator.pptx

SIRACon2018 Presentation: Data is everywhere
Presenter: Jay Jacobs

Chief Data Scientist, Cyentia Institute

Presentation Slides: Data is everywhere.pdf

Presentation Slides: Crowdsourced probability estimates.pptx

A primordial cybersecurity question facing organizations is “What is an incident going to cost me?”. Many people with a quantitative bent have zero-ed in on Bayesian Modeling as an appropriate methodology for dealing with the uncertainty inherent in cyber risk. Despite the age of the question and the relative consensus (at least at SIRA) around the approach there still exists considerable confusion about exactly how to deploy this methodology.

In this talk we’re going to try to clear up the confusion, and show, in clear simple terms, how to do some basic Bayesian risk analysis. This will include answers to questions like:

“What the heck is probability?”

“Ok, what the heck is ‘Bayesian’ probability?”

“Ah that makes sense, but how do we use those definitions for modeling?”

“Do I need to understand Bayes theorem?” We’ll answer this one now: No.

“But Priors and Posteriors are important right?” Usually, no.

After we clear up the answers to these questions, we’ll take the audience through two basic risk models. First, we’ll use public data (courtesy of the Cyentia IRIS Risk Retina data set) to build a simple Monte Carlo simulation of the losses an organization might experience in a year. Next we’ll do just a little bit of Bayesian inference to show a FAIR-compatible alternative approach. We’ll even include some basic code in a variety of platforms (R, Python and Excel). We’ll end with a call to arms: Stop arguing about frameworks and how you might assess risk. Get out there with the tools you have now and do risk! Give your organization the assessment it needs.

Risk managers tasked with integrating quantitative methods into their risk programs - or even those just curious about it - may be wondering, Where do I start? Where do I get the mountain of data I need? What if my key stakeholders want to see risk communicated in colors?

Attendees will learn about common myths and misconceptions, learn how to get a program started, and receive tips on integrating analysis rigor into risk culture. When it comes to quant risk, ripping the Band-Aid off is a recipe for failure. Focusing on small wins in the beginning, building support from within, and a positive bedside manner is the key to long-term success.

Information is the heartbeat of our human existence. Protecting information a necessity. But has it always been this way? Why is information – and its protection – so critical for humans as a species? And, in a rapidly shifting world, how do we evolve and keep up? Join Jacinthe A Galpin, host of the popular Risktory podcast, on an interactive journey through the history of information security, why it matters, and the critical challenges we will all face in a world of disruption.

Communicating Quantitative Risk Results to the Board

SPEAKER: Lisa Young (plus special guests)

DATE: July 30th, 2021

Risk managers often struggle with reporting risk to senior leadership and the Board of Directors. Often the fidelity of risk analysis is not easily consumable, lacks rigor, and does not support informed decision-making. Furthermore, everyone consumes data differently so what works for one audience may not work for another.

Reports are often complex, encompassing cyber threats, unavailability of the workforce, natural disasters, pandemics and many other risk types. How can organizations demonstrate the effectiveness of a risk management program to leadership? Join the July SIRA webinar to learn tips, tricks and techniques to take your reporting to the next level and focus on what matters to leadership.