The Society of Information Risk Analysts, established in 2011, is the go-to resource for decision makers & practitioners of information risk management.

As an emerging discipline, information risk management benefits from open dialogue and exchange of ideas; SIRA provides a forum where members can build meaningful, professional relationships that keep them at the top of their profession, explore the most important risk management challenges facing their organizations, & discover how methods from other risk management disciplines can help them meet information risk challenges. Welcome!

SIRAcon 2015 live tweet stream

Thu 08 October 2015 by SIRA

Refresh (if it doesn’t auto-refresh like it should) to catch the latest tweets from SIRAcon 2015 or just use this Twitter combined hashtag live stream search URL.

Social Media Risk Metrics

Sat 26 September 2015 by Alex Hutton

Social media and online interaction are dramatically changing the way our companies and employees interface with society at large. Recent cases of people tweeting or posting something silly or offensive and being met with doxxing or even threats of physical violence are, unfortunately, becoming more common.

Today we (SIRA member Alex Hutton and Ian Amit) are publicly announcing an open (free as in speech, free as in beer) project to help security departments identify social media presences that are more “at risk” of negative reactions. This framework of indicators is a little something we’re calling “Social Media Risk Metrics” (catchy, right?). SMRM is being introduced at Derbycon today complete with a demonstration, worksheet tool, and suggestions for further development.

To find out more

To help out: Speak up on the SIRA mailing list or on The SIRA Discourse!

Save the date for SIRAcon 2015!

Wed 10 June 2015 by Allison Miller

Hey SIRAnauts, just wanted to give you the scoop: we’re taking the best conference in Information Risk on the road to the Rock City…Detroit, here we come! Our awesome co-chairs, David Musselwhite and Lisa Leet, will be providing more info soon, but we wanted to make sure you block off 2015-10-08 & 2015-10-09 and start revving your engines & risk models now—the CFP is going to open soon!

SIRA May 2015 Webinar - Understanding Asset Risk via Vulnerability Prioritization

Mon 04 May 2015 by SIRA

SIRA Paid Members are invited to attend our next 2015 webinar on

Understanding Asset Risk via Vulnerability Prioritization

Friday, May 15, 2015 - 12:00 EDT

featuring Risk I/O’s Chief Data Scientist, Michael Roytman

You must be a paid member to attend and webinar seating is limited (100 seats for paid members so register today). The session will be recorded for future viewing by SIRA paid members. You can find out more about SIRA memberships over at the SIRA website.

Use the following link to register. You will receive a confirmation after your SIRA membership has been verified.

Contact Bob Rudis (bob dot rudis at societyinforisk dot org) with any questions/inquiries.

Michael Roytman is responsible for building out Risk I/O’s analytics functionality, and has been selected to speak at BSides, Metricon, SIRACon and more. His work at Risk I/O focuses on security metrics, risk measurement, and vulnerability management and his work has been published in USENIX. He formerly worked in fraud detection in the finance industry, and holds an M.S. in Operations Research from Georgia Tech. His home in Chicago contains a small fleet of broken-down drones.

New Members-Only Discussion Forum

Fri 01 May 2015 by SIRA

We’re happy to announce the launch of the SIRA Discourse, our all-new members-only discussion forum. While we’re keeping the general e-mail list going, we wanted to create a place where members can collaborate richly and communicate through a community-moderated platform.

The SIRA Discourse features:

  • general posting
  • threaded replies
  • file linking and content embedding, and
  • will still work with plain ol’ e-mail if you want to keep using that as your primary way of engaging with the member community.

There are plenty of starter topics to jump in on and members are encouraged to start new ones and join in the discussion on them all. For all the lurkers out there, now’s your chance to become part of the conversation.

As an extra bonus, we’ve added all the content from SIRAcon 2014 and the inaugural webinar featuring Jack Jones & Jack Freund.

There are plenty of places in the SIRA Discourse to leave feedback and engage directly with the Board.

We encourage folks to help us kick the tyres, suggest new features and file bug reports as you come across things that just don’t look right.

SIRAnauts Launch Risky Ideas at RSA 2015

Sun 19 April 2015 by SIRA

This week, San Francisco’s Moscone Center and the surrounding neighborhood will be bursting at the seams, full of security professionals from around the world. That’s right, RSA 2015 and BSides SF are right around the corner, and leaders from the Society of Information Risk Analysts (SIRA) will be on hand to give their perspective on the current workings and future opportunities in risk management, data-driven security, and leveraging analytics, metrics, and machine learning to improve defenses.

Alex Hutton (SIRA co-founder, @alexhutton) and David Mortman (SIRA member, @mortman) will be unveiling the results of their recent project in “Cookin’ Up Metrics With Alex and David: A Recipe For Success!“. Today’s information security pros know that being able to measure performance is key to being successful; and while effective metrics are a critical tool, badly designed metrics can become the bane of your existence. Alex and David will share their experience about the ingredients in useful, usable metrics and how to pull together a great scorecard that helps tell and sell the right story back into your organization. As SIRA inspiration Galileo Galilei said, information risk professionals need to “…measure what is measurable, and make measurable what is not so.” Tasting menu (aka preview of their slides) is available here.

Fresh off the release of this year’s Verizon Data Breach Investigations Report, SIRA Directors Bob Rudis (SIRA Director of R Evangelism/Technology, @hrbrmstr) and Jay Jacobs (SIRA Vice President - @jayjacobs) will share their experiences working as data scientists in ...

SIRA March 2015 Webinar - Measuring & Managing Information Risk

Tue 10 March 2015 by SIRA

SIRA Paid Members are invited to attend our inaugural 2015 webinar on

Measuring & Managing Information Risk

Friday, March 20, 2015 - 12:00 EDT

featuring best-selling authors Jack Jones & Jack Freund

You must be a paid member to attend and webinar seating is limited (25 seats for paid members so register today). The session will be recorded for future viewing by SIRA paid members. You can find out more about SIRA memberships over at the SIRA website.

Use the form below or head on over to the EventBrite Page.

Contact Bob Rudis (bob at rudis dot net) with any questions/inquiries.

Jack Jones has worked in technology for thirty years, and information security and risk management for twenty-four years. He has over nine years of experience as a CISO with three different companies, including five years at Nationwide Insurance. His work there was recognized in 2006 when he received the ISSA Excellence in the Field of Security Practices award at that year’s RSA conference. In 2007, he was selected as a finalist for the Information Security Executive of the Year, Central United States, and in 2012 was honored with the CSO Compass award for leadership in risk management. He is also the creator of the Factor Analysis of Information Risk (FAIR) framework.

Dr. Jack Freund is an expert in IT risk management specializing in analyzing and communicating complex IT risk scenarios in plain language to business executives. He currently leads a team of risk analysts at TIAA-CREF. Jack has over ...

Open Group + SIRA Survey

Tue 30 September 2014 by SIRA

The Open Group Security Forum and the Society of Information Risk Analysts are doing a collaborative survey that aims to determine the current state of risk management practices in enterprises. If you are involved with risk management, we’d appreciate you taking the time to complete the survey, which may be accessed here.

This survey will remain open until October 15, and we’d appreciate your help in promoting it to others in the risk community. If there are others in your organization who are involved in risk management, we’d greatly appreciate you forwarding this to them for completion.

The output of this survey will be a free whitepaper published jointly by The Open Group and SIRA that describes risk management practices in enterprise organizations.

SIRACon 2014 Lineup

Sat 06 September 2014 by SIRA

Tickets, Travel/Hotel Information

Thursday, October 9 - 8:00 AM
Ali Samad-Khan is Founder and President of Stamford Risk Analytics. He has over fifteen years experience in risk management and more than twenty-five years experience in financial services and consulting. Ali has advised more than 100 of the world’s leading banks, insurance, energy, technology and transportation companies, multi-lateral organizations and bank regulators on a full range of risk measurement and management issues. Key elements of his Modern ORM/ERM framework/methodology have been adopted by leading institutions around the world.

Recognized globally as a thought leader in the risk management space, Ali’s provocative articles and white papers have served as a catalyst for change in the way organizations manage risk. For his pioneering work in this field, Ali was named “one of the 100 most influential people in finance” by Treasury & Risk Management magazine. Ali is also a charter member of Who’s Who in Risk Management.

Prior to founding Stamford Risk Analytics, Ali was a Principal in the ERM Practice at Towers Perrin (now Towers Watson), where he was also Global Head of Operational Risk Management Consulting. Previously, Ali was Founder and President of OpRisk Analytics LLC, a software and data provider, which was acquired by SAS. Before that Ali worked at PricewaterhouseCoopers in New York, where he headed the Operational Risk Group within the Financial Risk Management Practice. Previously, he led the Strategic Risk Initiatives Group in the Operational Risk Management Department at Bankers Trust. He ...

SIRAcon 2014 Travel/Hotel Information

Wed 13 August 2014 by Lisa Leet

We are pleased to announce that SIRACon 2014 will be hosted by Ameriprise Financial, at their global headquarters conference facility in downtown Minneapolis, MN. A number of you have asked about hotels. The answer is, there are several in the neighborhood including:

We found out there is another conference in town that week, and rooms are filling fast. We recommend you book your accommodations now.

The Grand Hotel has extended us a courtesy block on a limited number of rooms if you book between now and September 3rd. These are run-of-house rooms, mostly single king, at a rate of $299 per night. Additional details:

  • Guests may call 1-800-KIMPTON for reservations and ask for the Society of Information Risk Analysts block
  • Guests can book online using rate code: SOCIET1008
  • Credit card required at the time of reservation and upon check in
  • All guests entitled to complimentary wifi, use of LifeTime Athletic Club, wine hour from 5-6pm and coffee/tea service until 9am each morning.

Many downtown hotels are within walking distance of the venue, so feel free to let your budget and points preferences and such help you find appropriate accommodations.

As a reminder: the conference dates are Thursday and Friday, October 9th-10th, 2014.

For map-checkers, the venue is located at 901 3rd Avenue South, Minneapolis, MN 55402.

See you in October!

SIRAcon 2014 Call for Papers!

Wed 30 July 2014 by Lisa Leet

The third annual SIRAcon will be held in Minneapolis, Minnesota on Thursday and Friday, October 9th and 10th, 2014. We invite you to share your expertise!

If you have attended past SIRACons then you already know - SIRACon is unlike any other security or privacy conference. Information Risk Management is all we do.

It’s what we think about, talk about, and like to hear about.

It’s what we are striving to do better.

Once a year, SIRACon gives us an opportunity to get together and share our ideas and experiences with the rest of the SIRA community.

If you haven’t yet attended a SIRACon, make 2014 your year. We want to meet you in person.

More than that, we want to learn from you. If you are an information risk analyst, security practitioner, risk manager, researcher or any other risk specialist, we encourage you to submit a topic and present at the conference.

Submitted topics should represent original works and be of interest to the SIRA membership. Topics from the “front lines” are generally preferred over more theoretical discussions but all topics will be considered. Established and new presenters are all encouraged to respond.

Suggested topics include (but are not limited to):

  • Building a risk management program
  • Successes/challenges with a risk assessment framework
  • Regulations and standards within risk analysis
  • Risk communication/perception
  • The joy of using math to analyze risk
  • The pitfalls of not using math to ...
SIRAcon 2014 Tickets!

Thu 10 July 2014 by SIRA

Tickets are now on sale for SIRAcon 2014! Discounts are available for SIRA Paid Members & early birds. Space is limited so act now!

New SIRA Website!

Wed 21 May 2014 by SIRA

If you’re reading this and have been involved with SIRA for any length of time, you’ll notice that we’ve given the old website (and logo) a bit of a facelift.

The new site should be responsive across all your devices and we would appreciate any feedback, suggestions or bug-reports you may have, which you can leave via our new feedback form.

For those who want some of the gory, technical details: we moved off of Drupal and are using a Python-based static website generator called Pelican, backed by content managed on GitHub. That means no more logins for folks (at least on the web site), but it also means even more flexibility and greater security (no more PHP!). We’ve moved about 50% of the older content over to the new format and are continuing to convert the remaining posts to the new site format. The old Drupal site/database is still around if anyone needs any content from it. Ping Bob Rudis if you need anything.

Community Risk Blog

One new component of the site is the aggregated “Risk Blog”. If you maintain a blog that has an Atom/RSS feed of “risk-oriented” posts, head on over to and register it! We’ll re-blog all your risky content on the SIRA site, giving you greater exposure and providing a one-stop-resource for some of the best information risk content on the internet. More info on “re-blogging” at the aforementioned ...

SIRAcon 2014!

Wed 21 May 2014 by SIRA

Mark your calendars! SIRAcon 2014 will be held October 9th-10th in Minneapolis, MN!

Stay tuned for CFP & registration details!

SIRA 2014 Election Results!

Tue 11 February 2014 by Bob Rudis (@hrbrmstr)

Thank you, again, to those who took the time to nominate folks for the 2014 SIRA elections.

The election closed at 23:59 PST Monday, February 10, 2014 and the results are in!

Please join us in welcoming the following new members to the SIRA Board of Directors:

  • Chris Hayes
  • Lisa Leet
  • Jeff Lowder
  • David Severski

And, a final huge thank you to Chris, Lisa, Jeff & David for their willingness to serve the SIRA community.

Bob, Jay & Ally

Dr. Norman Fenton to Present at SIRA’s Nov 14 Webinar

Wed 06 November 2013 by Jeff Lowder

SIRA is extremely honored to announce that Dr. Norman Fenton will be our guest speaker for our November 2013 webinar. This is one very special webinar you won't want to miss!

SIRA Webinar: 4/14/2011 - 12:00pm EDT - Jack Jones - Effective Risk Management

Wed 13 April 2011 by Jeff Lowder (@aglierisk)

SIRA’s April monthly webinar is tomorrow, April 14th, at 12:00pm EDT/10:00am PDT. We are excited to have Mr. Jack Jones, formerly of Risk Management Insight, talk to us about effectively managing risk. Block off your calendars now and keep an eye open for the webinar connection details in the coming days!

Presentation abstract:

Modeling “how much risk” is only part of the challenge. In fact it’s just one input to the broader challenge of managing risk effectively over time. In this session, Jack will provide a FAIR view of this broader risk landscape context.

Mr. Jones has been employed in technology for the past twenty-seven years, and has specialized in information security and risk management for nineteen years. During this time, he’s worked in the United States military, government intelligence, consulting, as well as the financial and insurance industries. Mr. Jones has over seven years of experience as a CISO, with five of those years at a Fortune 100 financial services company. His work there was recognized in 2006 when he received the 2006 ISSA Excellence in the Field of Security Practices award at that year’s RSA conference. He is also the author and creator of the Factor Analysis of Information Risk (FAIR) framework.

In 2007, Mr. Jones was selected as a finalist for the Information Security Executive of the Year, Central United States, and judged the national Information Security Executive of the Year competition. From 2008 to 2009 he was an invited ...

SIRA Webinar: Jeff Lowder

Thu 13 January 2011 by Jeff Lowder (@aglierisk)

Apologies for the late post on this, but don’t forget that today, January 13th, at 12:00 EST/9:00 PST we have a SIRA Webcast.

Jeff Lowder will be leading a discussion on several risk management topics.

Jeff Lowder, CISSP, is an independent consultant who helps organizations balance information security with business agility using evidence-based governance, risk, and compliance (GRC) methods. His previous roles include infosec leadership positions at the U.S. Air Force Academy, United Online, and Disney.

WebEx details:

Here is the URL for the WebEx.

The password for the WebEx is riskrules

-SIRA Management Team
