Society of Information Risk Analysts

How Effective Are Your Controls?

2025-09-03 09:01 | Joseph Breen (Administrator)

From Control Checklists to Measurable Confidence

Controls are the backbone of any risk program. Firewalls, access controls, backups, and MFA are just a few examples, and many organizations are packed with them. But here’s the question: how do you really know whether those controls are working? And more importantly, how effective are they compared to the cost of maintaining them?

The “How Effective Are Your Controls?” track at SIRAcon ’25 is about moving beyond assumptions and audits to measurable evidence. Instead of treating controls as a binary measure of either “in place” or “not in place”, we’ll explore how quantification can reveal the actual risk reduction they deliver. That means better investment decisions, sharper communication with leadership, and less reliance on gut feel.

We often think ROI is the right way to frame it, but executives might not see it that way: we are investing, but strictly speaking, we aren’t getting returns. It’s time we start looking at it from the perspective of risk reduction rather than return.

This track is for anyone who’s ever struggled to prove the value of security spend or wondered if compliance checkboxes are actually reducing risk. By applying quantitative approaches, you’ll leave with tools to measure, compare, and optimize the controls that make up your security (and enterprise) defense posture.

Quantifying Control Effectiveness

Controls aren’t perfect; they’re probabilistic. A phishing filter doesn’t block every malicious email. Backups don’t guarantee flawless recovery. But by treating controls as measurable (rather than assumed) risk mitigators, you can bring clarity to messy questions:

  • What’s the actual likelihood reduction from multi-factor authentication?

  • How do patching frequencies shift your risk curve?

  • Which of your overlapping tools are duplicative—and which are essential?

Sessions in this track will showcase methods to estimate control performance with real-world data, benchmarks, and expert judgment, helping you move from vague confidence to evidence-based decision-making.

The RROI (Risk Reduction on Investment) of Security Spend

Budgets are tight, risks are rising, and boards want proof. This part of the track will help you connect control effectiveness directly to dollars and cents. You’ll see how to calculate the risk reduction per dollar spent, prioritize investments based on quantified impact, and identify diminishing returns when layering controls.

Expect to walk away with frameworks for answering the age-old CFO question: “If I give you another million dollars, how much risk does that take off the table?”

Modeling Controls in a System, Not a Vacuum

Controls don’t exist in isolation; they work in layers, with overlaps and gaps. A single vulnerability scan might not stop a breach, but combined with patch management, incident response, and endpoint detection, it forms a defense-in-depth system.

This track will show you how to model control performance as part of a broader ecosystem. Think: Monte Carlo simulations showing defense layers, scenario analysis that tests controls against realistic attack paths, and system-level views that reveal where a single weak link undermines the whole chain.
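To make the RROI and layering ideas above concrete, here is a small Monte Carlo model, added as an illustration and not code from SIRA or the track: attacks arrive at a Poisson rate, each control in series stops an attack with some probability, and losses from attacks that get through are lognormal. Adding controls one at a time shows the annualized loss expectation (ALE) falling and the marginal risk reduction per dollar shrinking for each further layer. All rates, effectiveness values, and costs are constructed sample inputs.

```python
"""Monte Carlo estimate of ALE and marginal RROI for layered, probabilistic controls."""
import math
import random

# Constructed scenario (assumed values, not from the page): attack rate and loss size.
ATTACK_RATE = 6.0                     # mean attempted attacks per year (Poisson)
LOSS_MU, LOSS_SIGMA = 11.0129, 1.0    # lognormal loss per successful attack, mean ~ $100k

# Constructed control layers: (name, P(stops an attack that reaches it), annual cost in $)
CONTROLS = [("mfa", 0.60, 50_000), ("mail_filter", 0.50, 40_000), ("edr", 0.40, 60_000)]


def poisson(rng, lam):
    """Knuth's algorithm: sample an event count from Poisson(lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(controls, years=20_000, seed=7):
    """Average annual loss when each attack must get past every control in series."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(years):
        for _ in range(poisson(rng, ATTACK_RATE)):
            # The attack is stopped by the first control whose independent check succeeds.
            if any(rng.random() < p_stop for _, p_stop, _ in controls):
                continue
            total += rng.lognormvariate(LOSS_MU, LOSS_SIGMA)
    return total / years


def layered_rroi(controls=CONTROLS, **kw):
    """Add controls one at a time; return (name, ALE after, marginal risk reduction per $)."""
    rows, active, ale_before = [], [], simulate_ale([], **kw)
    for name, p_stop, cost in controls:
        active.append((name, p_stop, cost))
        ale_after = simulate_ale(active, **kw)
        rows.append((name, ale_after, (ale_before - ale_after) / cost))
        ale_before = ale_after
    return rows


def analytic_ale(controls):
    """Closed form for the same model, used to sanity-check the simulation."""
    p_success = math.prod(1 - p for _, p, _ in controls)
    return ATTACK_RATE * p_success * math.exp(LOSS_MU + LOSS_SIGMA ** 2 / 2)


if __name__ == "__main__":
    for name, ale, rroi in layered_rroi():
        print(f"+{name:12s} ALE ${ale:>10,.0f}  marginal RROI {rroi:5.2f} $ reduced per $ spent")
```

Because each layer only sees the attacks the earlier layers let through, the same control buys less risk reduction the later it is added, which is the diminishing-returns effect the CFO question is really asking about.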

Beyond Cyber: Controls Everywhere

Although security controls may take the spotlight, the same thinking applies outside of cyber. Internal financial controls, environmental safeguards, safety systems - these are all “controls” that deserve measurement. Sessions may highlight how techniques developed in risk quant can be applied across domains, reinforcing enterprise-wide control confidence.

Sample Use Cases:

  • Cyber: Measuring MFA effectiveness in reducing credential theft incidents.

  • Operational: Estimating the reduction in workplace accidents from a new safety training program.

  • Financial: Quantifying how a segregation-of-duties control reduces fraud risk.

From Assurance to Influence

Ultimately, this track isn’t just about proving that controls exist; it’s about showing how they perform, in language that resonates with executives and boards. Attendees will learn to communicate control effectiveness in terms of risk reduction, business outcomes, and strategic priorities.

Sessions may explore:

  • Approaches for benchmarking controls against peers

  • How to incorporate control uncertainty into quant models

  • Linking control effectiveness to enterprise risk appetite

  • Telling a compelling control story to leadership

Controls as Measurable, Not Assumed

The “How Effective Are Your Controls?” track is about replacing blind trust with measurable assurance. You’ll leave with strategies to make your control program more transparent, defensible, and impactful - armed with the evidence you need to prove that your controls aren’t just there, they’re working. At SIRAcon ’25, we’re not just asking if you have controls in place. We’re asking how much they matter, how much they reduce risk, and how you can prove it.