|Organizers||Phil Huggins, Ben Schofield|
|Participants||Ben Schofield Ben Schofield , Chris Allen Chris Allen , Daniel Kefer Daniel Kefer , Dave Snowden Dave Snowden , Tony Richards Tony Richards|
|Remote Participants||Senen Garcia Senen Garcia|
Phil brings his extensive experience to a discussion on modelling (general) risk and comparing security risk modelling maturity to other markets (finance, insurance, medical..). This also involves attribution of $ value to risk and how security teams can talk the language of the business
Current Security Risk Management is Broken
There is a lot of complexity and uncertainty in cyber risk. Current practice tends to hide uncertainty and present certainty.
We use Ordinal Scales (Red, Amber, Green / High, Medium, Low / 1,2,3,4,5 etc) rather than Cardinal measures (£ or %). Is a red x red risk a really red risk? Twice as bad? Three times as bad? We then assign numerical values to support ‘risk arithmetic’ (5 x 5 = 25 /2.5 = risk score) OWASP Risk Rating Methodology (Risk Factors / Ordinal Scales)
We then use risk matrices that arbitrarily identify an ordinal boundary as the ‘risk appetite’. (Amber =Good, red = Bad).
By assigning a single value to probability and impact we are communicating a level of certainty about the outcome we don’t really have.
People are individually poor at prediction Hedgehogs / Foxes / Superpredictors
We are awash with data about cyber events but few documented robust statistical methods deployed.
The solutions are well known by other risk professions
Quantitative Risk Approaches
Probability of event Range of outcomes (lognormal distribution) Monte Carlo Simulation Loss Exceedance Curves <- Business understands these FAIR / OpenFAIR
Prediction Approaches Risk Panels Averaged predictions Feedback !!!!!!!!! Brier Scores Base Rate Data Calibration
References: Dan Geer Doug Hubbard Philip Tetlock Jack Jones Ryan Huber
Register as participant
To register as participant add
Cyber Risk Modeling to either:
sessionsmetadata field from your participant's page (find your participant page and look for the edit link).
- or the
participantsmetadata field from this git session page
Back to list of all Working Sessions