Whew! Just wrapped up my two sessions at SIRAcon 2019. I’m posting my decks and abstracts here for attendees (or people who wish they had attended) to reference. I realize that they may not make a ton of sense without the narration - I’m going to publish videos and/or transcripts at a later date.
My first session was at the SIRAcon 2019 Pre-Conference Skills Workshop Day. I was joined by Lisa Young, Jay Jacobs, Richard Seiersen and David Severski to teach attendees modeling in R, the fundamentals of risk and pooling the opinions of experts. Here’s my session information:
Expert Estimation and Calibration Training
We make estimates every day in the process of performing risk assessments. We regularly estimate the probability of a data breach, effectiveness of awareness training or projected staffing levels for the next 5 years.
Here’s the problem: humans are horrible at making estimates! All sorts of bias cloud our judgement, making it difficult to make good security decisions. Here’s the good news: it is possible to overcome some of these inherent biases with many of the same techniques that professional bookmakers use to set odds when placing and taking bets. Attend this hands-on session to learn how to overcome your bias and become a better estimator. All attendees will take a test to determine estimation skills and will receive personalized feedback on what kind of bias is present. Bring a $20 bill to place bets – don’t worry, you’ll get it back!
Prerequisites: Computer, tablet or phone (and the aforementioned $20 for betting)
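As an added illustration of the calibration test the abstract describes (my own example, not material from the workshop or the SIRAcon site): it scores a batch of 90% confidence-interval answers and true/false answers given with a stated confidence, then flags over- or underconfidence with a simple hit-rate heuristic. The sample answers, the 0.05 tolerance and the bias labels are constructed assumptions, not the workshop's scoring rules.

```python
"""Score a calibration test: 90% intervals plus confidence-weighted true/false."""
from dataclasses import dataclass


@dataclass
class IntervalAnswer:
    low: float    # lower bound of the estimator's 90% interval
    high: float   # upper bound of the interval
    truth: float  # the actual value, revealed after the test


@dataclass
class BinaryAnswer:
    confidence: float  # stated probability (0.5 to 1.0) that the answer is right
    correct: bool      # whether the answer was actually right


# Constructed sample test: 10 interval questions (6 contain the truth) and
# 4 true/false questions answered with varying confidence.
SAMPLE_INTERVALS = [
    IntervalAnswer(100, 200, 150), IntervalAnswer(10, 20, 25),
    IntervalAnswer(0.1, 0.5, 0.3), IntervalAnswer(1000, 2000, 3500),
    IntervalAnswer(5, 10, 7), IntervalAnswer(50, 60, 45),
    IntervalAnswer(2, 4, 3), IntervalAnswer(30, 40, 80),
    IntervalAnswer(1, 3, 2), IntervalAnswer(12, 18, 15),
]
SAMPLE_BINARY = [
    BinaryAnswer(0.9, True), BinaryAnswer(0.7, False),
    BinaryAnswer(0.6, True), BinaryAnswer(0.8, True),
]


def interval_hit_rate(answers):
    """Fraction of 90% intervals that actually contain the true value."""
    hits = sum(1 for a in answers if a.low <= a.truth <= a.high)
    return hits / len(answers)


def brier_score(answers):
    """Mean squared gap between stated confidence and outcome; 0 is perfect."""
    outcomes = ((a.confidence - (1.0 if a.correct else 0.0)) ** 2 for a in answers)
    return sum(outcomes) / len(answers)


def bias_feedback(hit_rate, target=0.90, tolerance=0.05):
    """Heuristic label (assumed thresholds): too few hits means intervals
    were too narrow (overconfident); nearly all hits means too wide."""
    if hit_rate < target - tolerance:
        return "overconfident"
    if hit_rate > target + tolerance:
        return "underconfident"
    return "calibrated"


def score_test(intervals=SAMPLE_INTERVALS, binary=SAMPLE_BINARY):
    """Return the personalised feedback an attendee would get back."""
    rate = interval_hit_rate(intervals)
    return {"hit_rate": rate, "bias": bias_feedback(rate), "brier": brier_score(binary)}
```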
My second session was during the main conference:
Incentivizing Better Risk Decisions - Lessons from Rogue Actuaries
What do Tom Jones’ chest hair, alien abductions, and Tylenol’s brand recognition have in common? An actuary – somewhere in the world – determined the probability and impact of a loss event and reduced enough uncertainty to issue an insurance policy. Yet, in the field of risk management, we hear that this is impossible: we can’t measure intangibles; we can’t determine the probability of an event that’s never happened, and oftentimes, measuring probability itself is not possible. The insurance industry shows us that this just isn’t true, and they have the money to prove it. Insurance is a thriving business with excellent margins, built on uncertainty reduction.
Why? The answer lies in incentives. Insurance is based on making uncertainty reduction profitable. With very few exceptions, cyber risk is set up to disincentivize good decisions. Using superstition and gut checks as a cheap replacement for data and utilizing debunked risk models are deemed “good enough” at best, and “really good!” at worst. Attendees will learn how actuaries have historically tackled these challenges and receive practical tips on how companies and risk managers alike can be incentivized toward better risk decisions.