RSA Peer2Peer Session: Getting Started with a Quantitative Cyber-Risk Program

January 19, 2019 by Tony MartinVegue in Conferences

Woot, my Peer2Peer proposal was accepted at RSA 2019. Peer2Peer sessions are not presentations, but rather facilitated discussions among a small group of participants. I think these are a great way to spark interesting discussion in a friendly atmosphere. I always learn just as much from participants as they learn from me.

Session details:

Getting Started with a Quantitative Cyber-Risk Program

Join a discussion on implementing a quantitative cyber-risk program, such as Factor Analysis of Information Risk (FAIR), at your company. This discussion will address common questions, such as, where to get data, obtaining management support and the nuts and bolts of performing an analysis.

Should I buy mobile phone insurance? A Quantitative Risk Analysis

December 27, 2018 by Tony MartinVegue in Quantitative Risk

I am always losing or damaging my mobile phone. I have two small children, so my damage statistics would be familiar to parents and shocking to those without kids. Over the last 5 years I've lost my phone, cracked the screen several times, had it dunked in water (don't ask me where), and several other mishaps. The costs definitely started to add up over time. When it was time to re-up my contract with my mobile phone provider, Verizon, I decided to consider an upgraded type of insurance called Total Mobile Protection. The insurance covers events such as lost/stolen devices, cracked screens, and out-of-warranty problems.

Book Chapter: Cyber Risk Quantification of Financial Technology

November 22, 2018 by Tony MartinVegue in Quantitative Risk

In February 2018, I wrote a chapter in a Risk.net book, titled Fintech: Growth and Deregulation. The book is edited by Jack Freund, who most of you will recognize as the co-author of Measuring and Managing Information Risk.

I happy to announce that I’m now able to re-post my book chapter, titled “Cyber-risk Quantification of Financial Technology” here. If you are interested in blockchain tech, Fintech, risk quantification and emerging risks, you may find it interesting. It’s also a primer to Factor Analysis of Information Risk (FAIR), one of many risk quantification models. It’s not the only one I use, but the one I use most frequently.

Bring Uncertainty Back

November 21, 2018 by Tony MartinVegue in Decision Analysis

Our minds are instruments of measurement. We may not be as accurate as a tape measure, which is not as accurate as a laser distance measurer, which is not as accurate as an interferometer. All instruments of measurement of have error bars. When determining the level of precision needed in a measurement, we always need to consider the cost of obtaining new information, if it’s relevant and if we need additional uncertainty reduction to make a decision.

What do paying cyber extortionists and dumping toxic sludge into the Chicago River have in common?

November 07, 2018 by Tony MartinVegue in Decision Analysis

What do paying cyber extortionists and dumping toxic sludge into the Chicago River have in common? A lot, actually! Decipher recently interviewed me on some of the research I’ve published and talks I’ve given on ransomware, incentives, negative externalities and how we, the defenders, can influence decisions.

Improving Defender Decision Making

October 29, 2018 by Tony MartinVegue in Decision Analysis

Improving defender decision making when responding to ransomware infections and other forms of cyber extortion has been a research topic of mine for several years now. It was sparked by the fairly common advice I heard, and continue to hear, from experts, law enforcement and security vendors: don't ever pay the ransom.

How Many Lottery Tickets Should I Buy?

October 23, 2018 by Tony MartinVegue in Decision Analysis

When lottery jackpots are at record highs, as they are this week at $1.6 billion, I’m usually asked by friends, family, and colleagues for the same advice – should I buy a lottery ticket, and if yes, how many should I buy?

An Evening with Doug Hubbard: The Failure of Risk Management: Why it's Still Broken and How to Fix It

October 01, 2018 by Tony MartinVegue in Metrics

There seems to be two different types of risk managers in the world: those who are perfectly satisfied with the status quo, and those who think current techniques are vague and do more harm than good. Doug Hubbard is firmly in the latter camp. His highly influential and groundbreaking 2009 book titled The Failure of Risk Management: Why it’s Broken and How to Fix It takes readers on a journey through the history of risk, why some methods fail to enable better decision making and – most importantly – how to improve. Since 2009, however, much has happened in the world of forecasting and risk management: the Fukushima Daiichi Nuclear Disaster in 2011, the Deepwater Horizon Offshore Oil Spill in 2019, multiple large data breaches (Equifax, Anthem, Target), and many more. It makes one wonder; in the last 10 years, have we “fixed” risk?

20 years ago... I was published in "2600: The Hacker Quarterly"

September 13, 2018 by Tony MartinVegue in Information Security

The very first security related item I authored was a piece for "2600: The Hacker Quarterly." I was a very young, angry Microsoft Exchange 5.5 sysadmin (who wouldn't be angry working on that tech all day) and put together an article on all the ways Exchange can be misconfigured to allow an attacker to exploit the system. It showed up in the Winter 1999 issue. When I gave it a re-read nearly 20 years later, I was surprisingly proud of it.

The Semi-Attached Figure: How to spot manipulative security advertising claims

August 07, 2018 by Tony MartinVegue in Cognitive Bias

Out of all the ways to lie with statistics and manipulate peoples’ perceptions, the semi-attached figure may be the most prevalent. It’s hard to spot unless you are really looking for it because it’s sneaky, subtle and takes a fair bit of concentrative analysis to identify. A semi-attached figure occurs when proof is given for a claim, but when the reader looks at it closely, the proof and the claim are not related. It’s called “semi-attached” because the proof seemsto support a claim, but upon inspection, it doesn't. Marketing and advertising professionals are absolute masters of the semi-attached figure.

Videos from Quantitative Cyber Risk Talks & Events: RSA Week 2018

July 31, 2018 by Tony MartinVegue in Quantitative Risk

Here's an update of a previous post. This is a list of all talk videos or slides on the subject of quantitative risk or by people active in that space talks during RSA week.

The Mad Men of Cyber Security Advertising

July 22, 2018 by Tony MartinVegue in Cognitive Bias

The framing effect is used in many places, intentionally and unintentionally, but is most present in advertising. It's a very effective way to frame perceptions.

FAIR Institute, San Francisco Chapter June Meeting Recap

July 15, 2018 by Tony MartinVegue in Quantitative Risk

The San Francisco Chapter of the FAIR Institute had its latest meeting on June 21, 2018, generously hosted by Twilio at their company headquarters. It was a well-attended event and featured two great speakers; Jack Jones, Chairman of the FAIR Institute and Calvin Liu, Director of Operations at Ventura Enterprise Risk Management. Both talks elaborated on specific use cases of FAIR, quantitative risk analysis and techniques, with ample time to network and ask questions. As with all local FAIR chapters, the San Francisco meetings are a fantastic opportunity to hear great speakers, get tips on how to integrate quantitative risk into your risk program and meet new people — from newcomers to FAIR, to those with broad experience.

How to Lie with Statistics, Information Security Edition

July 09, 2018 by Tony MartinVegue in Statistics

Have you ever finished reading a vendor whitepaper or a research institution’s annual security report and felt your Spidey sense begin to tingle with doubt or disbelief after reading some of the conclusions or research methodology? What you are probably sensing is a manipulation of statistics, an age-old hoodwink that has been occurring as long as numbers have been used to convey information.

CircleCityCon 5.0 | How to Lie with Statistics, Information Security Edition

June 02, 2018 by Tony MartinVegue in Presentations

Stiff statistics, prismatic pie charts, and questionable survey results drown the Information Security space in a sea of never-ending numbers that can be difficult to sift through. Have you ever finished reading a research institution’s annual security report and felt your Spidey sense begin to tingle with doubt or disbelief? What you are probably sensing is a manipulation of statistics, an age-old hoodwink that has been occurring as long as numbers have been used to convey information.

FAIR Institute | Crowdsourced Probability Estimates: A Field Guide

May 11, 2018 by Tony MartinVegue in Presentations

Probability estimates are the cornerstone of any good risk assessment in which data is sparse or expensive to come by, and are often thought of as one of the best ways to supplement existing information with subject matter expertise. Many risk analysts, however, can run into issues when trying to integrate the opinions of many subject matter experts into a risk management program. Some of these problems are: seemingly contradictory probability estimates, bias that can creep into results and the challenge of collecting and using large amounts of data.

RSA 2018 | Birds of a Feather: Quantitative Information Security Risk Management

April 19, 2018 by Tony MartinVegue in Presentations

Are you currently performing or interested in implementing quantitative risk management in your organization? This is your chance to meet other risk managers in the information security field, trade tips, methodologies and discuss advanced techniques. Attendance is strictly limited to allow for a small group experience.

RSA 2018 | Issues of Quantifying Risk around Identity and Access Management

April 18, 2018 by Tony MartinVegue in Presentations

Identity and access management (IAM) has been a longtime domain for information security. How much energy should we be investing in these programs? How much risk is there for managing identities? This session will feature top risk professionals to get their approaches and understanding of the issues involved.

Peerlyst Live | Becoming a security bookie: Improving your estimations with calibration

April 18, 2018 by Tony MartinVegue in Presentations

We make estimates every day in the field of information security. We regularly estimate the probability of a data breach, effectiveness of awareness training or projected staffing levels for the next 5 years.

Here’s the problem: humans are horrible at making estimates! All sorts of bias cloud our judgement, making it difficult to make good security decisions. Here’s the good news: it is possible to overcome some of these inherent biases with many of the same techniques that professional bookmakers use to set odds when placing and taking bets.