The Society of Information Risk Analysts, established in 2011, is the go-to resource for decision makers & practitioners of information risk management.
As an emerging discipline, information risk management benefits from open dialogue and exchange of ideas; SIRA provides a forum where members can build meaningful, professional relationships that keep them at the top of their profession, explore the most important risk management challenges facing their organizations, & discover how methods from other risk management disciplines can help them meet information risk challenges. Welcome!
SIRA December 2015 Webinar - Real World Reconnaissance Costs: A metric
Thu 03 December 2015 by SIRA
Real World Reconnaissance Costs: A metric
Friday, December 11, 2015 - 12:00 EST
featuring Eireann Leverett
This talk is for you if:
- You measure what you can, and don’t beg for data anymore.
- You are already interested in security economics.
- You want to support a hacker who is trying to quant better.
- You need a way to get the reality of vulnerability at scale across to policy people.
- You want a new tool in the toolbox, and you like finding use cases for new tools.
Webinar seating is limited and paid members get dibs if it fills up. The session will be recorded for future viewing by SIRA paid members. You can find out more about SIRA memberships over at the SIRA website.
Use the following link to register. You will receive a confirmation after your SIRA membership has been verified.
Eireann Leverett is a risk researcher at the University of Cambridge Centre for Risk Studies who has studied psychology, philosophy, artificial intelligence, software engineering, and computer security at various times in his life. He holds a BEng from Edinburgh University and an MPhil from the University of Cambridge in Advanced Computer Science. He still enjoys punting at Darwin College when he has the time.
At the Centre for Risk Studies his research focuses on technological disasters and the economic impacts of computer security failures or accidents. He has experience compromising the security of organisations, and assisting them to improve their security postures through a variety of short and long term methods. He is interested in computer security at scale, security economics, systems security, incident response, critical infrastructure protection, safety, firmware signing, exploit markets, vulnerability management, quality assurance, indicators of compromise, modelling, networks, risk, visualisations, and zero knowledge proofs. He is a frequent public speaker on these subjects.
SIRAcon 2015 live tweet stream
Refresh (if it doesn’t auto-refresh as it should) to catch the latest tweets from SIRAcon 2015, or just use this Twitter combined-hashtag live stream search URL.
Social Media Risk Metrics
Social media and online interaction are dramatically changing the way our companies and employees interface with society at large. Recent examples of people tweeting or posting something silly or offensive and being responded to by doxxing or even threats of physical abuse are, unfortunately, becoming more common.
Today we (SIRA member Alex Hutton and Ian Amit) are publicly announcing an open (free as in speech, free as in beer) project to help security departments identify social media presences that are more “at risk” to negative reactions. This framework of indicators is a little something we’re calling “Social Media Risk Metrics” (catchy, right?). SMRM is being introduced at Derbycon today complete with a demonstration, worksheet tool, and suggestions for further development.
To find out more
To help out: Speak up on the SIRA mailing list or on The SIRA Discourse!
Save the date for SIRAcon 2015!
Hey SIRAnauts, just wanted to give you the scoop: we’re taking the best conference in Information Risk on the road to the Rock City… Detroit, here we come! Our awesome co-chairs, David Musselwhite and Lisa Leet, will be providing more info soon, but we wanted to make sure you block off 2015-10-08 & 2015-10-09 and start revving your engines & risk models now. The CFP is going to open soon!
SIRA May 2015 Webinar - Understanding Asset Risk via Vulnerability Prioritization
Understanding Asset Risk via Vulnerability Prioritization
Friday, May 15, 2015 - 12:00 EDT
featuring Risk I/O’s Chief Data Scientist, Michael Roytman
You must be a paid member to attend and webinar seating is limited (100 seats for paid members so register today). The session will be recorded for future viewing by SIRA paid members. You can find out more about SIRA memberships over at the SIRA website.
Use the following link to register. You will receive a confirmation after your SIRA membership has been verified.
Michael Roytman is responsible for building out Risk I/O’s analytics functionality, and has been selected to speak at BSides, Metricon, SIRAcon and more. His work at Risk I/O focuses on security metrics, risk measurement, and vulnerability management, and his work has been published in USENIX. He formerly worked in fraud detection in the finance industry, and holds an M.S. in Operations Research from Georgia Tech. His home in Chicago contains a small fleet of broken-down drones.
New Members-Only Discussion Forum
We’re happy to announce the launch of the SIRA Discourse, our all-new members-only discussion forum. While we’re keeping the general e-mail list going, we wanted to create a place where members could collaborate richly and communicate through a community-moderated platform.
The SIRA Discourse features:
- general posting
- threaded replies
- file linking and content embedding, and
- working with plain ol’ e-mail if you still want to use that as your primary way of engaging with the member community.
There are plenty of starter topics to jump in on and members are encouraged to start new ones and join in the discussion on them all. For all the lurkers out there, now’s your chance to become part of the conversation.
As an extra bonus, we’ve added all the content from SIRAcon 2014 and the inaugural webinar featuring Jack Jones & Jack Freund.
There are plenty of places in the SIRA Discourse to leave feedback and engage directly with the Board.
We encourage folks to help us kick the tyres, suggest new features, and file bug reports as you come across things that just don’t look right.
SIRAnauts Launch Risky Ideas at RSA 2015
This week, San Francisco’s Moscone Center and the surrounding neighborhood will be bursting at the seams, full of security professionals from around the world. That’s right, RSA 2015 and BSides SF are right around the corner, and leaders from the Society of Information Risk Analysts (SIRA) will be on hand to give their perspective on the current workings and future opportunities in risk management, data-driven security, and leveraging analytics, metrics, and machine learning to improve defenses.
Alex Hutton (SIRA co-founder, @alexhutton) and David Mortman (SIRA member, @mortman) will be unveiling the results of their recent project in “Cookin’ Up Metrics With Alex and David: A Recipe For Success!”. Today’s information security pros know that being able to measure performance is key to being successful; and while effective metrics are a critical tool, badly designed metrics can become the bane of your existence. Alex and David will share their experience about the ingredients in useful, usable metrics and how to pull together a great scorecard that helps tell and sell the right story back into your organization. As SIRA inspiration Galileo Galilei said, information risk professionals need to “…measure what is measurable, and make measurable what is not so.” A tasting menu (aka preview of their slides) is available here.
Fresh off the release of this year’s Verizon Data Breach Investigations Report, SIRA Directors Bob Rudis (SIRA Director of R Evangelism/Technology, @hrbrmstr) and Jay Jacobs (SIRA Vice President, @jayjacobs) will share their experiences working as data scientists in ...
SIRA March 2015 Webinar - Measuring & Managing Information Risk
Measuring & Managing Information Risk
Friday, March 20, 2015 - 12:00 EDT
featuring best-selling authors Jack Jones & Jack Freund
You must be a paid member to attend and webinar seating is limited (25 seats for paid members so register today). The session will be recorded for future viewing by SIRA paid members. You can find out more about SIRA memberships over at the SIRA website.
Use the form below or head on over to the EventBrite Page.
Jack Jones has worked in technology for thirty years, and information security and risk management for twenty-four years. He has over nine years of experience as a CISO with three different companies, including five years at Nationwide Insurance. His work there was recognized in 2006 when he received the ISSA Excellence in the Field of Security Practices award at that year’s RSA conference. In 2007, he was selected as a finalist for the Information Security Executive of the Year, Central United States, and in 2012 was honored with the CSO Compass award for leadership in risk management. He is also the creator of the Factor Analysis of Information Risk (FAIR) framework.
Dr. Jack Freund is an expert in IT risk management, specializing in analyzing and communicating complex IT risk scenarios in plain language to business executives. He currently leads a team of risk analysts at TIAA-CREF. Jack has over ...
Open Group + SIRA Survey
The Open Group Security Forum and the Society of Information Risk Analysts are doing a collaborative survey that aims to determine the current state of risk management practices in enterprises. If you are involved with risk management, we’d appreciate you taking the time to complete the survey, which may be accessed here.
This survey will remain open until October 15, and we’d appreciate your help in promoting it to others in the risk community. If there are others in your organization who are involved in risk management, we’d greatly appreciate you forwarding this to them for completion.
The output of this survey will be a free whitepaper published jointly by The Open Group and SIRA that describes risk management practices in enterprise organizations.
SIRACon 2014 Lineup
Recognized globally as a thought leader in the risk management space, Ali’s provocative articles and white papers have served as a catalyst for change in the way organizations manage risk. For his pioneering work in this field, Ali was named “one of the 100 most influential people in finance” by Treasury & Risk Management magazine. Ali is also a charter member of Who’s Who in Risk Management.
Prior to founding Stamford Risk Analytics, Ali was a Principal in the ERM Practice at Towers Perrin (now Towers Watson), where he was also Global Head of Operational Risk Management Consulting. Previously, Ali was Founder and President of OpRisk Analytics LLC, a software and data provider, which was acquired by SAS. Before that, Ali worked at PricewaterhouseCoopers in New York, where he headed the Operational Risk Group within the Financial Risk Management Practice. Previously, he led the Strategic Risk Initiatives Group in the Operational Risk Management Department at Bankers Trust. He ...
SIRAcon 2014 Travel/Hotel Information
We are pleased to announce that SIRAcon 2014 will be hosted by Ameriprise Financial, at their global headquarters conference facility in downtown Minneapolis, MN. A number of you have asked about hotels. The answer is that there are several in the neighborhood, including:
We found out there is another conference in town that week, and rooms are filling fast. We recommend you book your accommodations now.
The Grand Hotel has extended us a courtesy block on a limited number of rooms if you book between now and September 3rd. These are run-of-house rooms, mostly single king, at a rate of $299 per night. Additional details:
- Guests may call 1-800-KIMPTON for reservations and ask for the Society of Information Risk Analysts block
- Guests can book online using rate code: SOCIET1008
- A credit card is required at the time of reservation and upon check-in
- All guests are entitled to complimentary wifi, use of the LifeTime Athletic Club, a wine hour from 5-6pm, and coffee/tea service until 9am each morning.
Many downtown hotels are within walking distance of the venue, so feel free to let your budget and points preferences and such help you find appropriate accommodations.
As a reminder: the conference dates are Thursday and Friday, October 9th-10th, 2014.
For map-checkers, the venue is located at 901 3rd Avenue South, Minneapolis, MN 55402.
See you in October!
SIRAcon 2014 Call for Papers!
The third annual SIRAcon will be held in Minneapolis, Minnesota on Thursday and Friday, October 9th and 10th, 2014. We invite you to share your expertise!
WHY SHOULD I PRESENT AT SIRACON?
If you have attended past SIRAcons then you already know: SIRAcon is unlike any other security or privacy conference. Information Risk Management is all we do.
It’s what we think about, talk about, and like to hear about.
It’s what we are striving to do better.
Once a year, SIRAcon gives us an opportunity to get together and share our ideas and experiences with the rest of the SIRA community.
If you haven’t yet attended a SIRAcon, make 2014 your year. We want to meet you in person.
More than that, we want to learn from you. If you are an information risk analyst, security practitioner, risk manager, researcher or any other risk specialist, we encourage you to submit a topic and present at the conference.
WHAT SHOULD I PRESENT?
Submitted topics should represent original works and be of interest to the SIRA membership. Topics from the “front lines” are generally preferred over more theoretical discussions but all topics will be considered. Established and new presenters are all encouraged to respond.
Suggested topics include (but are not limited to):
- Building a risk management program
- Successes/challenges with a risk assessment framework
- Regulations and standards within risk analysis
- Risk communication/perception
- The joy of using math to analyze risk
- The pitfalls of not using math to ...
SIRAcon 2014 Tickets!
Tickets are now on sale for SIRAcon 2014! Discounts are available for SIRA Paid Members & early birds. Space is limited, so act now!
New SIRA Website!
If you’re reading this and have been involved with SIRA for any length of time, you’ll notice that we’ve given the old website (and logo) a bit of a facelift.
The new site should be responsive across all your devices and we would appreciate any feedback, suggestions or bug-reports you may have, which you can leave via our new feedback form.
For those who want some of the gory technical details: we moved off of Drupal and are using a Python-based static website generator called Pelican, backed by content managed on GitHub. That means no more logins for folks (at least on the web site), but it also means even more flexibility and greater security (no more PHP!). We’ve moved about 50% of the older content over to the new format and are continuing to convert the remaining posts to the new site format. The old Drupal site/database is around if anyone needs any content from it. Ping Bob Rudis if you need anything.
Community Risk Blog
One new component of the site is the aggregated “Risk Blog”. If you maintain a blog that has an Atom/RSS feed of “risk-oriented” posts, head on over to https://www.societyinforisk.org/pages/blog.html and register it! We’ll re-blog all your risky content on the SIRA site, giving you greater exposure and providing a one-stop resource for some of the best information risk content on the internet. More info on “re-blogging” at the aforementioned ...
Mark your calendars! SIRAcon 2014 will be held October 9th-10th in Minneapolis, MN!
Stay tuned for CFP & registration details!
SIRA 2014 Election Results!
Thank you, again, to those who took the time to nominate folks for the 2014 SIRA elections.
The election closed at 23:59 PST Monday, February 10, 2014 and the results are in!
Please join us in welcoming the following new members to the SIRA Board of Directors:
- Chris Hayes
- Lisa Leet
- Jeff Lowder
- David Severski
And, a final huge thank you to Chris, Lisa, Jeff & David for their willingness to serve the SIRA community.
Bob, Jay & Ally
Dr. Norman Fenton to Present at SIRA’s Nov 14 Webinar
SIRA is extremely honored to announce that Dr. Norman Fenton will be our guest speaker for our November 2013 webinar. This is one very special webinar you won’t want to miss!
SIRA Webinar: 4/14/2011 - 12:00pm EDT - Jack Jones - Effective Risk Management
SIRA’s April monthly webinar is tomorrow, April 14th, at 12:00pm EDT / 10:00am PDT. We are excited to have Mr. Jack Jones, formerly of Risk Management Insight, talk to us about effectively managing risk. Block off your calendars now and keep an eye open for the webinar connection details in the coming days!
Modeling “how much risk” is only part of the challenge. In fact, it’s just one input to the broader challenge of managing risk effectively over time. In this session, Jack will provide a FAIR view of this broader risk landscape.
Mr. Jones has been employed in technology for the past twenty-seven years, and has specialized in information security and risk management for nineteen years. During this time, he’s worked in the United States military, government intelligence, consulting, as well as the financial and insurance industries. Mr. Jones has over seven years of experience as a CISO, with five of those years at a Fortune 100 financial services company. His work there was recognized in 2006 when he received the 2006 ISSA Excellence in the Field of Security Practices award at that year’s RSA conference. He is also the author and creator of the Factor Analysis of Information Risk (FAIR) framework.
In 2007, Mr. Jones was selected as a finalist for the Information Security Executive of the Year, Central United States, and judged the national Information Security Executive of the Year competition. From 2008 to 2009 he was an invited ...
SIRA Webinar: Jeff Lowder
Apologies for the late post on this, but don’t forget that today, January 13th, at 12:00 EST / 9:00 PST we have a SIRA Webcast.
Jeff Lowder will be leading a discussion on several risk management topics.
Jeff Lowder, CISSP, is an independent consultant who helps organizations balance information security with business agility using evidence-based governance, risk, and compliance (GRC) methods. His previous roles include infosec leadership positions at the U.S. Air Force Academy, United Online, and Disney.
Here is the URL for the WebEx.
The password for the WebEx is
-SIRA Management Team