Overview
Explore a data-driven approach to cyber-risk analysis in this 49-minute RSA Conference talk. Delve into the evolution of risk assessment practices, moving beyond qualitative models to embrace quantitative methodologies. Compare two data-confidentiality scenarios that appear similar on the surface but reveal meaningful differences once analyzed quantitatively. Learn to debunk the myth that quantitative analysis cannot be applied to cybersecurity, and gain insights from real-world examples showing how common risk models can obscure important distinctions between scenarios. Acquire practical tools for analyzing similar use cases in your own environment. The talk covers risk management goals, the NIST Risk Matrix, the drawbacks of qualitative methods, the assumptions behind quantitative methods, a scenario analysis approach, and practical applications such as estimating the frequency and magnitude of accidental disclosures. Gain valuable knowledge on risk treatment strategies and on implementing ongoing reporting for effective cyber-risk management.
Syllabus
Intro
Risk Management Goals
NIST Risk Matrix
Qualitative Drawbacks
Quantitative Assumptions
Scenario Analysis Approach
Scenario Assumptions
Choosing a Scenario - Accidental Disclosure
What am I worth on the dark web?
1 Estimate the Frequency
2 Estimate the Magnitude
Risk Treatment
Sample On-Going Reporting
Initial Methodology Rollout
Taught by
RSA Conference