Have you ever thought to yourself, if only there were an easy way of aggregating the numerical estimates of experts to use in a risk analysis... then this post is for you. My previous post on this topic, Aggregating Expert Opinion in Risk Analysis: An Overview of Methods covered the basics of expert opinion and the two main methods of aggregation, behavioral and mathematical. While each method has pros and cons, the resulting single distribution is a representation of all the estimates provided by the group and can be used in a risk analysis. This post focuses one, of several, mathematical methods - simple averaging in ExcelRead More
Dumping sewage and toxic waste into public waterways and paying cyberextortionists to get data back are examples of negative externalities. In the case of the Chicago River, business was booming, but people downstream suffered unintended consequences. “Negative externality” is a term used in the field of economics that describes an “uncompensated harm to others in society that is generated as a by-product of production and exchange.”Read More
Expert elicitation is simple to define, but difficult to effectively use given its complexities. Most of us already use some form of expert elicitation while performing a risk analysis whenever we ask someone their opinion on a particular data point. The importance of using a structured methodology for collecting and aggregating expert opinion is understated in risk analysis, especially in cyber risk where this topic in common frameworks is barely touched upon, if at all.Read More
Whew! Just wrapped up my two sessions at SIRAcon 2019. I’m posting my decks here and abstracts for attendees (or people that wish they attended) to reference. I realize that they may not make a ton of sense without the narration - I’m going to publish a videos and/or transcripts at a later date.
My first session was at the SIRAcon 2019 Pre-Conference Skills Workshop Day. I was joined by Lisa Young, Jay Jacobs, Richard Seiersen and David Severski to teach attendees modeling in R, the fundamentals of risk and pooling the opinions of experts. Here’s my session information:Read More
At the annual RSA conference in San Francisco, I facilitated a Peer2Peer session titled Getting Started with a Quantitative Cyber-Risk Program. Peer2Peer sessions are sessions designed for like-minded people to come together and discuss common problems and develop solutions in a friendly environment. I had a great time hosting this year. Below is a recap of the session.Read More
I’m thrilled to announce that my talk, “Incentivizing Better Risk Decisions: Lessons from Rogue Actuaries” has been accepted at the Society of Information Risk Analysis (SIRA) annual conference (SIRAcon 2019).
If you are interested in learning about or advancing risk management techniques, I highly recommend joining SIRA and attending the conference. It’s one of two quant-focused risk conferences (the other being (FAIRcon) in the information/technology/cyber spaces. SIRAcon is vendor neutral and model-neutral - you will find many different points of view and ways of modeling risk.Read More
Woot, my Peer2Peer proposal was accepted at RSA 2019. Peer2Peer sessions are not presentations, but rather facilitated discussions among a small group of participants. I think these are a great way to spark interesting discussion in a friendly atmosphere. I always learn just as much from participants as they learn from me.
Getting Started with a Quantitative Cyber-Risk Program
Join a discussion on implementing a quantitative cyber-risk program, such as Factor Analysis of Information Risk (FAIR), at your company. This discussion will address common questions, such as, where to get data, obtaining management support and the nuts and bolts of performing an analysis.Read More
I am always losing or damaging my mobile phone. I have two small children, so my damage statistics would be familiar to parents and shocking to those without kids. Over the last 5 years I've lost my phone, cracked the screen several times, had it dunked in water (don't ask me where), and several other mishaps. The costs definitely started to add up over time. When it was time to re-up my contract with my mobile phone provider, Verizon, I decided to consider an upgraded type of insurance called Total Mobile Protection. The insurance covers events such as lost/stolen devices, cracked screens, and out-of-warranty problems.Read More
In February 2018, I wrote a chapter in a Risk.net book, titled Fintech: Growth and Deregulation. The book is edited by Jack Freund, who most of you will recognize as the co-author of Measuring and Managing Information Risk.
I happy to announce that I’m now able to re-post my book chapter, titled “Cyber-risk Quantification of Financial Technology” here. If you are interested in blockchain tech, Fintech, risk quantification and emerging risks, you may find it interesting. It’s also a primer to Factor Analysis of Information Risk (FAIR), one of many risk quantification models. It’s not the only one I use, but the one I use most frequently.Read More
Our minds are instruments of measurement. We may not be as accurate as a tape measure, which is not as accurate as a laser distance measurer, which is not as accurate as an interferometer. All instruments of measurement of have error bars. When determining the level of precision needed in a measurement, we always need to consider the cost of obtaining new information, if it’s relevant and if we need additional uncertainty reduction to make a decision.Read More
What do paying cyber extortionists and dumping toxic sludge into the Chicago River have in common? A lot, actually! Decipher recently interviewed me on some of the research I’ve published and talks I’ve given on ransomware, incentives, negative externalities and how we, the defenders, can influence decisions.Read More
Improving defender decision making when responding to ransomware infections and other forms of cyber extortion has been a research topic of mine for several years now. It was sparked by the fairly common advice I heard, and continue to hear, from experts, law enforcement and security vendors: don't ever pay the ransom.Read More
There seems to be two different types of risk managers in the world: those who are perfectly satisfied with the status quo, and those who think current techniques are vague and do more harm than good. Doug Hubbard is firmly in the latter camp. His highly influential and groundbreaking 2009 book titled The Failure of Risk Management: Why it’s Broken and How to Fix It takes readers on a journey through the history of risk, why some methods fail to enable better decision making and – most importantly – how to improve. Since 2009, however, much has happened in the world of forecasting and risk management: the Fukushima Daiichi Nuclear Disaster in 2011, the Deepwater Horizon Offshore Oil Spill in 2019, multiple large data breaches (Equifax, Anthem, Target), and many more. It makes one wonder; in the last 10 years, have we “fixed” risk?Read More
The very first security related item I authored was a piece for "2600: The Hacker Quarterly." I was a very young, angry Microsoft Exchange 5.5 sysadmin (who wouldn't be angry working on that tech all day) and put together an article on all the ways Exchange can be misconfigured to allow an attacker to exploit the system. It showed up in the Winter 1999 issue. When I gave it a re-read nearly 20 years later, I was surprisingly proud of it.Read More
Out of all the ways to lie with statistics and manipulate peoples’ perceptions, the semi-attached figure may be the most prevalent. It’s hard to spot unless you are really looking for it because it’s sneaky, subtle and takes a fair bit of concentrative analysis to identify. A semi-attached figure occurs when proof is given for a claim, but when the reader looks at it closely, the proof and the claim are not related. It’s called “semi-attached” because the proof seemsto support a claim, but upon inspection, it doesn't. Marketing and advertising professionals are absolute masters of the semi-attached figure.Read More
The San Francisco Chapter of the FAIR Institute had its latest meeting on June 21, 2018, generously hosted by Twilio at their company headquarters. It was a well-attended event and featured two great speakers; Jack Jones, Chairman of the FAIR Institute and Calvin Liu, Director of Operations at Ventura Enterprise Risk Management. Both talks elaborated on specific use cases of FAIR, quantitative risk analysis and techniques, with ample time to network and ask questions. As with all local FAIR chapters, the San Francisco meetings are a fantastic opportunity to hear great speakers, get tips on how to integrate quantitative risk into your risk program and meet new people — from newcomers to FAIR, to those with broad experience.Read More
Have you ever finished reading a vendor whitepaper or a research institution’s annual security report and felt your Spidey sense begin to tingle with doubt or disbelief after reading some of the conclusions or research methodology? What you are probably sensing is a manipulation of statistics, an age-old hoodwink that has been occurring as long as numbers have been used to convey information.Read More