Society of Information Risk Analysts

Blog

  • 08/06/2020 2:14 PM | Tony Martin-Vegue (Administrator)

    The Society for Information Risk Analysts (SIRA) Board wants to do our part in inspiring and educating the next generation of information risk analysts. For this reason, we are offering scholarships for our two biggest events of the year: SIRAcon 2020 (August 25-27, 2020) and the SIRA Quantitative Risk Skills Seminar (September 23-24, 2020).

    Both scholarships are needs-based, meaning you want to attend but the cost of the ticket would create financial hardship for you. We especially encourage people from underrepresented groups (people of color, women, LGBTQ people, and people with disabilities) to apply. It is our hope that this enables people to network, collaborate with peers, hear presentations from industry leaders, and learn quantitative risk techniques when they may not otherwise have had the opportunity.

    The number of scholarships is limited and will be given to those who qualify on a first-come, first-served basis. All applications that are not selected will automatically be placed on a waitlist.

    SIRAcon Scholarship

    SIRAcon 2020 is virtual this year and features 14 speakers covering a wide range of topics in the information risk management profession.

    Apply for the SIRAcon 2020 scholarship here.

    SIRA Quantitative Risk Skills Seminar

    The second annual SIRA Quantitative Risk Skills Seminar is returning this year, and it’s virtual. This year, we’ve added a second day, much more content, and a focus on risk fundamentals. All skill levels are welcome. More information can be found here.

    Apply for the SIRA Quantitative Risk Skills Seminar scholarship here.


    The SIRA Board extends our deepest gratitude to our sponsors and our members for making this financially possible.




  • 01/22/2020 5:06 PM | Apolonio Garcia (Administrator)


    We have a fantastic lineup of speakers and topics scheduled this year. Be sure to register today before it is sold out! 

    | Speaker | Topic |
    | --- | --- |
    | John Sturgis, Cyber Risk Mgr, University of South Carolina | Quantitative(ish) Risk Management on a Budget: One Scrappy EDU's Story |
    | Leila Powell, Lead Data Scientist, Panaseer | Continuous Controls Monitoring as an Ingredient for Risk |
    | Markus De Shon | Easy Risk Quantification in Python |
    | Paul Phillips, Technical Research Manager, ISACA | ISACA's Updated Risk IT Framework & Practitioners Guide |
    | Jay Jacobs, Partner and Chief Data Scientist, Cyentia Institute, and David Severski, Sr. Data Scientist, Cyentia Institute | What Cyber Loss Data Teaches Us About Risk |
    | Jack Whitsitt, Sr VP, FAIR Program Lead, Bank of America | Notes from the field: Building out from risk analysis to risk management |
    | Max Henrion, CEO, Lumina Decision Systems | Keynote: What's the value of information (risk) and decision analysis? |
    | Ben Smith, Field CTO, RSA | Too Many Books, Not Enough Time: a Metrics Maelstrom |
    | Jack Freund, Head of Cyber Risk Methodology, Cyber Assessments Inc. (Moody's/Team8 JV) | Engineering Economic Externalities: Methods for determining material cyber security fines |
    | Panel of information risk experts | What's the holdup? An exploratory discussion of best practices to improve the state of information security risk analysis and management |

    Register

  • 12/11/2019 5:52 AM | Apolonio Garcia (Administrator)

    We have a number of exciting announcements:

    1. SIRAcon '20 - date, place, and pricing
    2. December Webinar  
    3. SIRAcon '20 CFP 
    4. SIRAcon '20 sponsorship opportunities
    5. SIRA website improvements  

    SIRAcon '20 date, place & pricing

    As you may have heard, SIRAcon '20 has been scheduled for April 21 - 23 in sunny Tampa, FL. From the great attendance and positive feedback we got from this year's conference in Cincinnati, we will be bringing back the pre-conference training day, but it will be completely revamped. Stay tuned for details.

    Registration is open and the early bird pricing is as follows:

    Preconference training (1-day): $199 members / $249 non-members

    General conference (2 days): $299 members / $349 non-members

    Early bird pricing ends February 1, but don't wait to register. We have a limited number of tickets available this year and we are expecting a sold-out event. You can find registration information on our home page: https://societyinforisk.org/

    Note: we expect to publish the initial selection of speakers and abstracts late December / early January.

    December Webinar: Unholy Concoction of Risk Management Practices - FAIR/CSF/MSSP 

    Our next webinar is scheduled for December 19th at 11 AM PT / 2 PM ET. Our speaker will be Ian Amit, Chief Security Officer at Cimpress. His talk: Unholy Concoction of Risk Management Practices - FAIR/CSF/MSSP, explores leveraging the NIST CSF with FAIR, and creating a close-feedback loop of visibility into security posture, risk tolerance, and the ability to self-adjust for both by the businesses themselves. You can visit our events page for more information and register: https://societyinforisk.org/events

    SIRAcon '20 CFP

    The Call for Proposals is open, with an early deadline of Dec 13 and a final deadline of Jan 13. We have already received a few great proposals, so we expect another great lineup of speakers/topics. You can find the CFP guide, submission link and a few awesome talks from SIRAcon '18 on our home page: https://societyinforisk.org/

    Tip: Submissions will have a better shot at being selected if you submit by the early deadline because we will be filling as many slots as we can in December, and filling in the remaining slots in January.   

    SIRAcon'20 sponsorship opportunities

    While we will always remain a completely vendor-agnostic and model-neutral organization, a critical piece of our ability to sustain our mission and keep our conference prices down is the generous support of sponsors. We are currently seeking sponsors and underwriters for SIRAcon '20. If your organization (or anyone that you know) is interested in supporting the cause, we would love to hear from you. You can find the sponsorship prospectus on our home page: https://societyinforisk.org/

    SIRA Website improvements

    In an effort to make it a little easier to navigate and find things, we have made a number of structural and cosmetic updates to our website. For members, we moved all of the members' content to a Members Area (available once you log in). We will be updating the landing pages for the SIRAcon videos and continuing to make minor improvements over the upcoming weeks and months. Check it out and let us know what you think. https://societyinforisk.org/

    If you have any questions or comments, we would love to hear from you. You can reply to me or send a message to the SIRA Board of Directors at board@societyinforisk.org



  • 10/26/2017 12:14 AM | SIRA Communications

    Editor: This blog entry was originally written by John Hoffoss, and posted at the old SIRA website.

    Máirtín contacted the board in November of 2011 with a question about sharing his thesis:

    A bit over a year ago I did my MSc thesis on optimizing Information Security Investment, which effectively turned into looking primarily at quantitative risk assessment using the usual FAIR/Monte Carlo type approach. 

    While the conclusions aren’t anything new to people involved in SIRA, I thought it might be a good introduction read for those who are interested in the area but haven’t a clue where to start. 

    I was wondering if you’d be interested in linking to it or including it on the SIRA site? It’s mainly just sitting in my folders doing nothing so if it was helpful to others, I’d be thrilled.

    This is the writeup he created for us that we’re finally getting published here.

    -jth

    If anyone has been following the SIRA mailing list for the last few months, you have seen some fantastic debate over the approaches to dealing with information security risk. While there are obviously a lot of incredibly talented people on the list, the common information security guy in the trenches may often be scared off by a lack of understanding of what on earth everyone is talking about! So I thought I’d share my brief story of how an information security guy like myself, who was originally more at home with penetration testing and reviewing tcpdump packet captures, ended up in the world of Monte Carlo simulations, aggregated risk and statistics!

    Like most information security professionals, ever since I studied for my CISSP, I’ve read about Annual Loss Expectancy (ALE) and how it can be used to estimate the amount you should be spending on security controls. I subsequently saw references to ALE time and time again in other information security books and exams such as the CISM. As I came from a highly technical background, I just accepted this as management type material that was interesting but wasn’t all that relevant to what I did day-to-day.

    However, as I started moving more towards management positions and started to help client companies (I work in consultancy) with information security management challenges, I started to ask a very simple question. If ALE is being referenced in the majority of books and certificates tailored to information security professionals, why haven’t I ever seen anyone actually use it? That started me thinking, and around five years ago I started digging for books that could help me understand why this was.

    My first area of research was in metrics, particularly kickstarted by reading one book: Security Metrics by Andrew Jaquith. Straight away this book showed me what the key flaws were within ALE, although at the time I had no idea what on earth an “outlier” was! By the way, Andrew highlights the following problems with ALE: the inherent difficulty in modelling outliers, the lack of data for estimating probabilities of occurrence or loss expectancies, and sensitivity of the ALE model to small changes in assumptions. Read the book for more info!

    The next key book for me came the following year and it was probably the most important book I’ve ever read in information security. That book was The New School of Information Security by Adam Shostack and Andrew Stewart. In this book, Adam and Andrew highlighted the need for evidence-based information security decisions and raised ideas around economics, physiology and even sociology and how they apply to information security. Now at this stage I knew I was starting to stray far from my usual comfort zone!

    Following on from the areas of economics of information security highlighted in The New School of Information Security, I started doing more research in this area and came across the great research that Ross Anderson and his team were doing at the University of Cambridge. This started me thinking that perhaps the answer actually lay in more academic research that may not always make it into the mainstream of information security books and magazines. So I started reading, leading me to many very detailed papers that outlined models around security risk and optimising investment written by mathematicians and economists throughout the world’s universities.

    Trying to understand these quickly became almost impossible due to my lack of statistics and deep mathematical background. A shame, but unfortunately I just simply didn’t understand what was going on, and didn’t have the time with work to dedicate to learning yet another new area!

    And that’s where I left it, until I started to think about topics that I would like to write my MSc thesis on when completing my part time MSc in Information Security at Royal Holloway, University of London. Straight away I thought that this was the perfect time for me to spend time exploring this area in more detail, with the support of people who understand the academic area and would be capable of providing me further assistance in how to interpret it all! And that’s exactly what I did.

    My basic objective for the thesis was not necessarily to find any ground-breaking new discoveries, but very simply to compile all the different types of research I could find in the area of optimising information security spending and try to make it understandable to someone with a background like myself; not an economist, not a mathematician, not a professor but a simple information security professional.

    During this journey I came across many hugely interesting books and research that changed my outlook on information risk by people such as Doug Hubbard, Dylan Evans, Sam Savage, Jack Jones and a plethora of academic research by too many people to mention!

    I looked at work done in the areas of risk management, corporate finance, economics and reliability to try and identify how other disciplines are dealing with similar challenges and found that a number of problems existed in the area of optimising information security investment, namely education, concept of return, lack of information, rating systems and ordinal scales, uncertainty and risk appetite.

    Using these as a starter, I then went on to review each of these in order to further explain the problems I saw, and attempt to identify some high level solutions to these problems.

    Now I don’t for a second claim that I’ve identified every possible bit of literature, nor that my analysis is flawless, but what I do hope is that if you’re working in information security and you’re interested in SIRA but don’t have a clue what people are talking about, then my thesis might help out in giving a bit of background to what these guys are talking about.

    What’s most interesting for me is that when I wrote this thesis around two years ago, SIRA didn’t exist and getting information around information risk management was difficult to say the least! Now we have SIRA with daily running discussions on almost everything I’ve covered in my thesis! It’s great to see how far things have advanced in terms of discussion and availability of information in such a short time.

    Now, if only SIRA had existed three years ago before I started so I could have gone a lot further in my thesis!

    Máirtín

    Thesis: Optimising Information Security Investment
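    The two ALE flaws the post above takes from Jaquith, sensitivity to small changes in assumptions and the inability to represent outliers, are easiest to see by putting the ALE point estimate next to a Monte Carlo annual-loss distribution of the FAIR/Monte Carlo kind the thesis discusses. The following Python is an added illustration, not code from the post or the thesis; the event rate, loss median and loss spread are constructed sample values.

```python
"""ALE point estimate beside a Monte Carlo annual-loss distribution.

Added illustration for the post above; not code from the post or the thesis.
All parameters below are constructed sample values, not data from any organisation.
"""
import math
import random


def ale(aro: float, sle: float) -> float:
    """Annual Loss Expectancy: annualised rate of occurrence times single loss expectancy."""
    return aro * sle


def ale_sensitivity(aro: float, sle: float, delta: float = 0.10) -> dict:
    """Show how the ALE point estimate moves when one input shifts by +/- delta.

    ALE is linear in both inputs, so a 10% change in ARO or SLE is a 10% change in
    the answer, and nothing in the result records how confident the analyst was
    in either number.
    """
    return {
        "base": ale(aro, sle),
        "aro_plus": ale(aro * (1 + delta), sle),
        "aro_minus": ale(aro * (1 - delta), sle),
        "sle_plus": ale(aro, sle * (1 + delta)),
        "sle_minus": ale(aro, sle * (1 - delta)),
    }


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm for a Poisson draw; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(event_rate: float, loss_median: float, loss_sigma: float,
                           years: int = 20_000, seed: int = 7) -> list:
    """Monte Carlo: each simulated year draws an event count (Poisson) and, per event,
    a loss from a right-skewed lognormal, so rare very large losses (outliers) appear
    naturally. Returns one total loss per simulated year."""
    rng = random.Random(seed)
    mu = math.log(loss_median)  # a lognormal's median is exp(mu)
    totals = []
    for _ in range(years):
        events = _poisson(rng, event_rate)
        totals.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(events)))
    return totals


def expected_annual_loss(event_rate: float, loss_median: float, loss_sigma: float) -> float:
    """Closed-form mean of the simulated model: event rate times the lognormal mean."""
    return event_rate * loss_median * math.exp(loss_sigma ** 2 / 2)


def percentile(values: list, p: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(p * len(ordered)))]


def summarize(losses: list) -> dict:
    """Mean, median and tail percentiles of the simulated annual loss."""
    return {
        "mean": sum(losses) / len(losses),
        "median": percentile(losses, 0.5),
        "p90": percentile(losses, 0.9),
        "p99": percentile(losses, 0.99),
        "max": max(losses),
    }


if __name__ == "__main__":
    # Constructed scenario: about two incidents a year, a "typical" incident costing 50k.
    # Using the typical (median) loss as the SLE is exactly how ALE is usually filled in.
    ARO, SLE, SIGMA = 2.0, 50_000.0, 1.0
    print("ALE point estimate:", ale(ARO, SLE))
    print("ALE with +/-10% inputs:", ale_sensitivity(ARO, SLE))
    losses = simulate_annual_losses(ARO, SLE, SIGMA)
    print("Monte Carlo summary:", summarize(losses))
    print("closed-form expected annual loss:", round(expected_annual_loss(ARO, SLE, SIGMA)))
    # The simulated mean sits well above the ALE because the skewed tail pulls it up,
    # and the p99 year shows an outlier exposure that a single ALE figure cannot express.
```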

      

  • 06/09/2013 2:53 AM | SIRA Communications

    The SIRA Board of Directors passed a resolution at their most recent meeting to start a new paid membership tier based upon the results of this year’s membership survey and the desire to create the foundation for a more formal professional organization. As a result, we are formally announcing the introduction of the SIRA Professional Membership (SPM).

    The cost for SPM will be $50.00USD. SIRA will maintain current and historical records of your membership in the event you reference SPM on your CV/bio. Benefits to membership include:

    • Reduced registration to SIRAcon ($50.00 off total price)
    • Membership through 2014
    • Proceedings of 2013 SIRAcon
    • SIRAcon journal subscription carried through 2014
    • Free access to SIRA-sponsored webinars

    Future webinars will be restricted to SPM or those paying to attend.

  • 04/14/2013 2:59 AM | SIRA Communications

    This blog entry was originally written by Mark Chaplin (@markachaplin)

    Note: This post is not complete yet, the actual resource list is too long to be posted in a single entry on this website.

    I recently posted a list of IRM resources on the SIRA mailing list, and Bob Rudis asked me to add it as a blog. So here it is (with Anglo-spelling and a couple shameless plugs with collaboration in mind). The list is based on material I have come across over the last couple of years as part of my own personal research activities and my work at the Information Security Forum. I tend to share most resources and links on Twitter as @markachaplin when I come across them and then consolidate later. I am always on the lookout for useful material and contacts (hint).

    The purpose of listing the resources, for me, is to act as a reference for helping in various aspects of information risk management and information security, including:

    • setting up an information risk management framework to align with operational risk management (eg as part of ERM), focus at a business process / business environment level, establish supporting material to facilitate effective information risk analysis and shape the information risk analysis methodology (eg communication, decision making and reporting)
    • establishing an information risk analysis methodology, following a complete end-to-end information risk analysis process (including preparation, business impact assessment, threat assessment, vulnerability assessment, risk evaluation, risk treatment) and considering the complete lifecycle of information that supports critical business processes
    • treating information risks, particularly implementing security controls and arrangements for mitigating risks, such as those associated with policy, privacy, legal and regulatory compliance, application and infrastructure protection, business environments, mobile computing, supply chain, systems development, physical security, business continuity and security audit.
    Those of you who are Members of the ISF will recognise a number of things above.

    The resources listed below are structured around rudimentary categories because I haven’t had time to determine how best they should be grouped. I welcome any suggestions from SIRA members on extending and improving it (eg including more material for other disciplines and from geographical regions other than the usual culprits). Some resources are suited to more than one category and you may find duplicate entries.

    Finally, there are three important points I need to make before you read the list:

    • I do not endorse anything on the list - it is purely a collection of material I have come across
    • I have not included anything from my employer, but if you are interested in what we do at the Information Security Forum you can get an idea (and some free sample material) at https://www.securityforum.org/downloadresearch
    • I don’t just regurgitate other people’s work. I am also a research analyst and report author (amongst other things) so understand the pain involved in producing quality reports (or equivalent) to help organisations manage information risk effectively.
    I hope you find it useful, and please share any other resources you are aware of. There’s plenty out there.

    Current categories used for the list

    Business Focused Resources (that may influence information risk)
    Risk Management
    Threats
    Vulnerability / Exploit
    Incidents, Breaches, Compromises…
    Cyber-related
    Supply Chain Risk Management
    Systems / Software Development
    Security Testing
    Mobile
    Surveys, studies and reports from Vendors
    Surveys, studies and reports from non-Vendors
    Legislation and regulation
    Trends
    Fraud and Identity Theft
    Analysis
    Vendor Resources
    Practices and controls
    Glossaries
    Access Control
    Malware Protection
    Guidance
    Tools
    Miscellaneous
    Publications
    CERTs, Bulletins and Mailing Lists
     

  • 08/06/2012 3:07 AM | SIRA Communications

    This blog entry was originally written by Alex Hutton

    So I’ve been working on something for a while, with the intent to have it be a SIRA work of art - available to the community via SIRA for IRAs to use and abuse.

    The idea is relatively simple - take a “Fish” or Ishikawa Diagram for root cause analysis - and apply it to information risk.

    So instead of production/manufacturing’s categories of People, Methods, Machines, Materials and so forth, all I did was apply VERIS categories of incident classification - and added a “Controls” tree.

    You can grab the PDF version, Visio version or OmniGraffle version. I’ve been using it personally for a while, and while it’s not really earth-shattering, perspective-changing, risk model-arama - I have found that it can be really useful, almost a risk analyst’s swiss army knife.

    Please let me know what you think. With this post I give it to you, the Society. If we find it useful - then I hope you’ll encourage others to come to the Society to learn more.

    With that - it’s very 1.0. The control branch especially, I’m not proud of. Other considerations (frequency, strength or amount) aren’t quite there for all the trees. But I’d like and appreciate your help if you want to give it.

    Google Docs version by Brian Livingston
     

  • 03/22/2012 10:37 PM | Marcin Antkiewicz (Administrator)

    This blog entry was originally written by Jeff Lowder (@agilesecurity), I am just migrating the post to the new SIRA site. 


    This is not breaking news, but I’m posting this announcement here just in case interested parties had not already heard the news. As explained on the Department of Energy's website:

    The Department of Energy, in partnership with the Department of Homeland Security, is leading a new White House initiative to create a more comprehensive and consistent approach to protecting the nation’s electric grid against cyber attacks. The Electric Sector Cybersecurity Risk Management Maturity initiative will combine elements from existing cybersecurity efforts to develop a maturity model that allows electric utilities and grid operators to assess their own cyber strengths and weaknesses and prioritize their investments. This initiative is the next logical step in a continued effort by public and private stakeholders to identify steps to improve the cybersecurity of the electric grid and will leverage years of work and lessons learned from both the private and public sector.

    Officials from the Energy Department, the White House and DHS met with leaders in the electric sector, research organizations, industry associations, academia and other government agencies from across the electric sector on January 5, 2012 to launch the initiative and request their expertise and participation in the public-private partnership. Since then, there has been a huge response from industry, with numerous utilities indicating they are interested in offering their expertise in developing and/or piloting the model. For the pilot, we want a group that is representative of the industry so we expect participants to include utilities such as public power companies, ISOs/RTOs, IOUs, and coops. The pilot will be conducted in April, and the model should be available to the electric sector this summer.

    Maturity models begin as works in progress and mature as lessons learned and best practices evolve and the model is refined. We expect to see this model refined over time as the model is used and more lessons learned and best practices are incorporated.

    As we saw at the launch of this initiative and have seen in the days since, there is a sense of urgency and willingness in the industry and among our public partners to move forward quickly. We are now capitalizing on that momentum to develop a useful tool that can be used effectively across the entire electric sector.

    As we move forward with the initiative, we will post periodic updates on the Office of Electricity Delivery and Energy Reliability website. If your organization is interested in receiving updates via email, please contact us at oe-escyberpilot@hq.doe.gov.


  • 03/06/2012 1:20 AM | Marcin Antkiewicz (Administrator)

    This blog entry was originally written by Jeff Lowder (@agilesecurity), I am just migrating the post to the new SIRA site. 

    If you’d like to influence the direction of the Information Risk Management (IRM) profession, please consider joining our IRM Body of Knowledge (IRMBOK) working group, which aims to develop an IRMBOK.

    To participate, please join the IRMBOK mailing list, which requires a separate subscription from the main mailing list. To subscribe, please go to the following webpage and follow the instructions there.

    http://lists.societyinforisk.org/mailman/listinfo/sira-cbk




©2017-2020 Society of Information Risk Analysts, a 501(c)(6) non-profit organization.