Speaker: Matt Karnas
Abstract: Is it fair to compare cybersecurity risk to the statement Socrates made at the trial that condemned him to death, that "the unexamined life is not worth living"? Probably not, but maybe there is a parallel. Too often, information security and risk professionals are working day in and day out in reactive environments. With never-ending lists of tasks, fully utilized staff, and budget constraints, the workload in front of us needs to be prioritized based on protecting the organization's mission at hand. When it comes to risk, too often the risk isn't actually a risk, the risk isn't relevant to the organization's mission, or the risk was never examined through threat modeling. Whether risk is measured qualitatively or quantitatively, there has always been more focus on the calculation method than on the examination method. Let's re-examine cyber risk through threat modeling: what it is, how to use it, and what the future holds.