Society of Information Risk Analysts SiRA Blog

ROI of Security Investments: A Quantitative Approach

Joseph Breen — Thu, 09 Apr 2026 20:39:49 GMT

In the previous post, we looked at how Cyber Risk Quantification (CRQ) helps organizations right‑size cyber insurance by grounding coverage decisions in quantified loss scenarios. Once risks are expressed in financial terms, a natural follow‑on question emerges:

How do we know whether our security investments are actually worth it?

Security leaders are constantly asked to justify spend. They need to present some way to measure the return on things like new tools, additional headcount, control improvements, etc., and without the right data, these answers tend to be qualitative. Investments are described as “necessary,” “best practice,” or “industry standard,” rather than evaluated as financial decisions. CRQ provides a way to change that. We can’t necessarily call it ROI, because unless the security spend can be marketed to customers as a selling point, there isn’t a real return. Spending money on cyber protections like tooling or headcounts does not provide a return, it provides a reduction in potential losses. In the same way we buy property insurance to prevent major financial losses on fires and storms, we invest in cyber programs to reduce financial losses on cyber events.

By quantifying how controls affect loss exposure, organizations can evaluate security investments using the same economic logic applied elsewhere in the business.

Why security ROI is so hard to articulate
Security ROI is difficult not because value doesn’t exist, but because it is rarely measured in the right units.

Most organizations evaluate security investments using proxies:

Number of vulnerabilities closed
Control maturity scores
Audit findings
Benchmark comparisons

These measures can be useful for operational management, but they do not answer the question executives care about:

What is the financial impact? In dollars and cents, please!

How am I supposed to justify a $500,000 spend to move our company from G3 to G5 Microsoft licenses without looking at how the additional security capabilities will reduce exposure? At that point, the perceived benefit is nothing more than optics. This way of pitching the investment turns these conversations into subjective debates rather than financial trade-offs.

CRQ reframes security spend as loss reduction
As we said above, security investment is about reducing expected loss. Controls do not create revenue; they reduce the likelihood or magnitude of adverse outcomes.

CRQ makes financial outcomes tangible by tying controls directly to quantified loss scenarios in the risk register. Instead of asking whether a control is “good,” leaders can ask:

Which loss scenarios does this control affect?
How does it change loss frequency or magnitude?
How much expected loss does it reduce?

This reframing turns security spend into a risk‑reduction investment, comparable to decisions made in insurance, safety, or operational resilience.

Establishing a baseline before investing
Meaningful ROI analysis requires a baseline. CRQ provides that baseline by quantifying current loss exposure across defined scenarios. This establishes:

Expected annual loss
Loss distributions across scenarios
Key drivers of frequency and magnitude

Without this starting point, any claim about improvement is speculative. With it, control changes can be evaluated relative to a known exposure profile rather than an abstract notion of “better security.”

Modeling control impact on loss exposure
Once baseline exposure is quantified, proposed security investments can be modeled as changes to the underlying risk factors. For example, a control might:

Reduce the probability of successful phishing
Lower the expected duration of a ransomware outage
Limit the scope of data exfiltration
Reduce regulatory response costs

CRQ allows these changes to be reflected directly in the loss model. The result is a revised loss distribution that can be compared to the baseline. The difference between the two distributions represents the expected risk reduction attributable to the control. From this perspective, security ROI becomes a straightforward comparison, dollar for dollar:

How much expected loss does this investment reduce relative to its cost?

Comparing investments, not just justifying them
One of the most powerful benefits of a quantitative approach is the ability to compare competing investments. Rather than evaluating controls in isolation, organizations can assess:

Which investment reduces the most risk per dollar?
Where do diminishing returns set in?
Which controls address the largest drivers of loss?

This often leads to unintuitive but valuable insights. In many cases, modest investments in detection, response, or resilience reduce expected loss more effectively than expensive preventive controls. CRQ makes these trade‑offs visible. We can ignore how “flashy” something might be, and choose based on dollar for dollar, what brings a company the most bang for their buck.

Avoiding the illusion of “high ROI” controls
Quantification also helps avoid a common pitfall: overstating ROI based on worst‑case thinking. This is not to say that worst-case thinking isn’t important—it absolutely is. But in the case of justifying spending, we want to avoid using Fear, Uncertainty, and Doubt (FUD) as a way of getting a board to approve a budget increase.

Why not…try? In theory, it is easy to justify almost any security investment by pointing to a catastrophic breach scenario. I’ll walk in and tell my board that a ransomware attack will shut our operations down for 6 months, and we will never financially recover. Easy! But not all extreme losses are equally likely, and not all controls meaningfully reduce those outcomes.

By focusing on expected loss rather than anecdotes, CRQ keeps ROI analysis grounded. Controls that sound compelling but have little impact on modeled exposure are revealed as low‑return investments, regardless of how alarming the threat narrative may be.

Using ROI to inform, not replace, judgment
A quantitative approach does not eliminate judgment. It structures it. CRQ does not dictate which controls must be funded, but it provides a disciplined way to understand the economic implications of those choices. Leaders still weigh qualitative factors like regulatory expectations, strategic priorities, and risk appetite… but they do so with a clearer understanding of the financial stakes. Quantitative analysis does not eliminate the need for qualitative inputs; it enhances them. Critically, ROI analysis can help explain why some risks are intentionally accepted. Not every exposure is cost‑effective to mitigate, and CRQ provides a defensible rationale for those decisions.

Keeping ROI aligned as the environment changes
Just as with insurance, security ROI is not static. As threat patterns evolve, new technologies are introduced, or the business changes, the effectiveness of controls shifts. CRQ allows ROI assumptions to be revisited as part of an ongoing risk management process rather than treated as one‑time justifications. Over time, this creates a feedback loop where investments are evaluated, adjusted, and prioritized based on observed changes in exposure.

Why this matters
Security leaders are increasingly expected to operate as stewards of financial risk, not just technical defenses. Being able to explain how investments reduce loss and how much they reduce it changes the conversation.

CRQ allows security ROI to move from narrative to analysis. If done properly, decisions are explainable and comparable. All that time spent showing my work on my 5th grade math tests is now paying off. Forcing me to show my work set me up to make it in the CRQ big leagues! I learned that just presenting an answer without showing any work, even if it’s correct, raises concerns. Did I cheat and use a calculator? Did I just happen to make a really good guess? Successful budget requests backed by CRQ are defendable. The audience should be able to see what the inputs are, how they were used, and how they got to the final answer. This isn’t a magic trick.

And for the moment we’ve all been waiting for…
In my last few blogs, I’ve covered all the wonderful things that CRQ can do. And while it’s easy to get caught up in the adrenaline rush of monte carlo simulations and loss exceedance curves, we’re not just doing this for fun! All of this work is done so cyber teams earn their spot on the Avenger’s Squad (Enterprise Risk Management Teams). And in the next (final) blog in this series, I will walk through how that can be done successfully.

Cyber Insurance: Using Quantification to Right-Size Coverage

Joseph Breen — Thu, 26 Mar 2026 16:35:12 GMT

In the previous post, we looked at how a cyber risk register with quantified loss magnitudes transforms cybersecurity from a list of concerns into a decision-support tool. One of the most immediate places that transformation shows up is cyber insurance.

Cyber insurance is often purchased in the dark. Organizations buy coverage limits based on benchmarks, broker recommendations, or what “feels reasonable,” rather than on a clear understanding of their actual financial exposure. The result is predictable: some firms are materially underinsured, while others overpay for coverage that provides little incremental value.

Cyber Risk Quantification (CRQ) changes this dynamic. By grounding insurance decisions in quantified loss scenarios, organizations can right-size coverage to match their true risk profile.

Why cyber insurance decisions are so often misaligned

Many organizations approach cyber insurance as a compliance checkbox or a market norm. Questions tend to sound like:

“What limit do companies our size usually buy?”
“What did we carry last year?”
“What does the broker recommend?”

While these inputs are not useless, they are indirect. None of them answer the core question insurance is meant to address:

What financial loss are we trying to transfer?

Without quantified loss information, coverage limits are essentially guesses. Even worse, those guesses are rarely revisited as the business, threat landscape, or control environment changes.

Reframing insurance as loss transfer

At its core, cyber insurance is a financial instrument. Its purpose is not to “cover cyber risk” in the abstract, but to transfer specific loss outcomes from the organization to an insurer.

CRQ makes this explicit by tying insurance decisions directly to loss scenarios already defined in the risk register. Instead of asking how much coverage to buy in general, leaders can ask:

Which loss scenarios are insurable?
How large could those losses reasonably be?
Which portions of that loss do we want to retain versus transfer?

This reframing moves insurance out of the realm of guesswork and into the same financial logic used for other risk transfer decisions.

Using quantified loss distributions to set limits

One of the most powerful applications of CRQ is comparing insurance limits to quantified loss distributions.

Rather than relying on a single “worst-case” number, CRQ produces a range of potential losses with associated probabilities. This allows organizations to see, for example:

Losses they expect to absorb regularly
Losses that are unlikely but plausible
Extreme tail events that could threaten financial stability

Insurance can then be aligned to specific parts of that distribution. For instance:

Retain frequent, low-severity losses through deductibles or self-insurance
Transfer low-frequency, high-severity losses that would materially impact the business

This approach ensures that insurance is focused where it actually adds value.

Avoiding the trap of over-buying

Over-buying cyber insurance is less visible than under-buying, but it is just as costly.

When coverage limits significantly exceed plausible loss magnitudes, organizations pay premiums for protection they are unlikely to ever use. Quantification helps reveal when additional layers of coverage provide diminishing returns.

CRQ enables questions like:

How much incremental risk reduction does this additional layer actually provide?
Are we insuring losses we would already tolerate?
Would that premium be better spent reducing the underlying exposure instead?

In many cases, quantification shows that modest improvements in controls reduce expected loss more effectively than purchasing ever-higher limits.

Understanding gaps, exclusions, and sublimits

Another benefit of a quantified approach is clarity around what insurance does not cover.

Policies often include exclusions, sublimits, and conditions that significantly constrain payouts. Without a quantified view of loss components, these limitations can go unnoticed.

By mapping loss magnitude components (for example, business interruption, regulatory fines, or incident response) against policy terms, organizations can see:

Which losses are meaningfully transferred
Which losses remain largely retained
Where coverage appears adequate in name but not in practice

This analysis often leads to more productive discussions with brokers and underwriters, grounded in specifics rather than generalities.

Supporting negotiations with data, not anecdotes

Insurance negotiations are more effective when buyers can articulate their risk profile clearly.

A quantified risk register provides:

Documented assumptions
Transparent methodology
Clear links between controls and reduced loss

This positions the organization as a disciplined risk buyer rather than a passive purchaser. Over time, this can support better pricing, more appropriate limits, and more tailored coverage structures.

Keeping insurance aligned as risk evolves

Cyber risk is not static, and neither should insurance be.

As organizations implement new controls, migrate systems, acquire companies, or change operating models, their loss distributions shift. CRQ allows insurance decisions to evolve alongside those changes.

Instead of renewing last year’s policy by default, leaders can revisit coverage based on updated exposure, ensuring continued alignment between retained risk, transferred risk, and overall risk appetite.

Why this matters

Right-sizing cyber insurance is not about minimizing premiums or maximizing limits. It is about making intentional, financially grounded decisions about which losses the organization is willing to bear and which it is not.

By using quantified loss information, cyber insurance becomes a strategic tool rather than a blunt instrument. Coverage decisions are explainable, defensible, and aligned with the broader risk management strategy.

In the next post, we’ll turn to another common question leaders ask once risks are quantified: how to evaluate the return on security investments, and how CRQ enables a more rigorous, financially grounded view of cybersecurity ROI.

Building a Cyber Risk Register with Quantified Loss Magnitudes

Joseph Breen — Fri, 06 Mar 2026 18:09:48 GMT

In the previous post, we explored why Cyber Risk Quantification (CRQ) matters to the business: it translates cyber risk into financial terms that leaders can actually use. But translation alone isn’t enough. That insight needs a place to live, evolve, and inform decisions over time.

For most organizations, that place is the risk register. Making decisions without a quantified risk register is like a lender assessing credit using color-coded impressions instead of financial statements.

Traditionally, cyber risk registers have been lists of technical concerns scored using qualitative labels or heat maps. CRQ doesn’t replace the risk register; it redefines its purpose. Instead of being a static catalog of issues, the register becomes a living view of the organization’s financial cyber risk exposure.

Why traditional cyber risk registers fall short

A typical cyber risk register might include entries like “Ransomware,” “Third‑party risk,” or “Data breach,” each scored as high, medium, or low. While this format can be useful for tracking issues, it often breaks down when the register reaches executive or board audiences.

A “high” risk label doesn’t answer the questions leaders actually have:

How much financial exposure does this represent?
Is this risk material to the organization?
How does it compare to other enterprise risks?
What would reducing it actually buy us?

Without quantified loss information, the risk register becomes descriptive rather than decision‑supportive. It tells leaders what exists, but not what matters most.

Reframing the register around loss scenarios

A CRQ‑enabled risk register starts with a shift in how risks are defined. Instead of listing abstract categories or control gaps, each entry is framed as a loss scenario.

A loss scenario describes:

What happens (the event)
Why it happens (the threat or failure)
What the business loses as a result

For example, rather than “Cloud misconfiguration,” a quantified risk register might describe:

A cloud access control failure leads to unauthorized access to sensitive customer data, resulting in regulatory fines, incident response costs, and customer churn.

This framing matters because businesses don’t experience “risks”, they experience losses. The clearer the loss scenario, the easier it is to reason about impact.

Introducing quantified loss magnitudes

Once risks are framed as loss scenarios, CRQ adds the missing dimension: financial magnitude.

Loss magnitude represents the range of financial impact that could reasonably result if the scenario occurs. Importantly, this is not a single number. It reflects uncertainty and variability, acknowledging that no two incidents unfold the same way.

Loss magnitude typically considers multiple cost components, such as:

Incident response and recovery
Business interruption
Legal, regulatory, and compliance costs
Downstream impacts like reputational harm or customer loss

By capturing these components, the risk register begins to show why certain risks are more significant than others, not just that they feel concerning.

Separating frequency from severity

One of the most valuable conceptual shifts in a quantified risk register is the separation of how often something might happen from how severe it could be.

Traditional registers often blur these concepts together. A risk might be rated “high” because it’s frequent, severe, or both - but the distinction matters for decision‑making.

CRQ forces clarity:

Some risks occur often but have relatively limited financial impact.
Others occur rarely but carry the potential for outsized losses.

A register that captures quantified loss magnitudes allows organizations to see these differences clearly and avoid prioritizing the wrong problems simply because they are more visible or familiar.

From ranking risks to comparing exposure

When risks are expressed in financial terms, the risk register evolves from a ranking exercise into a portfolio view of exposure.

This enables new, more productive conversations:

Which scenarios contribute most to our expected annual loss?
Where are we most exposed to tail risk or extreme outcomes?
Are multiple risks driven by the same underlying weaknesses?
Which risks are already well within our risk appetite?

Instead of asking which risks are “red,” leaders can ask which risks are material.This can even support the SEC’s reporting requirements around material cyber events, because they can define “material” in financial terms before an incident occurs..

Embracing uncertainty without losing credibility

A common concern with quantified risk registers is accuracy. Estimating future cyber losses can feel uncomfortable, especially to technical teams accustomed to precision.

CRQ addresses this by being explicit about uncertainty:

Estimates are ranges, not point values
Assumptions are documented and revisited
Outputs are probabilistic, not deterministic

This approach mirrors how other enterprise risks are managed. Forecasts, reserves, and capital models are never perfect, but they are still essential for disciplined decision‑making. Cyber risk is no different.

Keeping the register actionable

A quantified cyber risk register is only valuable if it remains connected to action. To do that, organizations should ensure the register:

Reflects real business processes and assets
Is updated as controls, technology, and threats change
Links risk reduction efforts to expected loss reduction
Feeds directly into budgeting, insurance, and ERM discussions

When a proposed control can be evaluated in terms of how much financial exposure it reduces, prioritization becomes far more rational, and far easier to explain.

Why this matters

A cyber risk register with quantified loss magnitudes changes the role of cybersecurity in the organization. It moves the function from reporting concerns to supporting decisions through explainable records that can be easily analyzed.

Instead of asking leaders to trust subjective scores or intuition, it provides a structured, transparent view of cyber risk as a business problem. One that can be compared, debated, and managed alongside every other risk the organization faces.

In the next post, we’ll look at how this same quantified approach helps organizations right‑size cyber insurance coverage: avoiding both under- and over‑buying by grounding decisions in actual exposure.

Why Cyber Risk Quantification Matters to the Business

Joseph Breen — Thu, 12 Feb 2026 17:07:21 GMT

Why Cyber Risk Quantification Matters to the Business

As cyber risk has become more visible, more costly, and more central to business operations, organizations are under increasing pressure to explain it clearly and manage it deliberately. Yet despite widespread agreement that cyber risk matters, many leaders still struggle to compare it to other enterprise risks or use it to inform real decisions. This post is part of a broader exploration of Cyber Risk Quantification (CRQ). Not as a technical exercise, but as a way to translate cyber risk into decision-ready business insight.

Most executives already agree on one thing: cyber risk is important.

What’s far less clear is how important it is, how it compares to other risks the organization faces, and what they should do differently as a result. That uncertainty isn’t a failure of awareness; it’s a failure of translation. It’s the difference between knowing there’s a pretty bad storm somewhere ahead and having the coordinates to steer around it.

Cybersecurity has traditionally been discussed in technical language: vulnerabilities, controls, maturity levels, threat actors, etc. While this concepts matter operationally, they rarely align with how business leaders are trained to think and decide. Boards and executives don’t manage risks in red, yellow, and green. They manage them in terms of financial exposure, trade-offs, and opportunit cost.

This is where Cyber Risk Quantification (CRQ) becomes essential.

CRQ translates cyber risk into financial terms that business leaders already use every day. Instead of asking leaders to interpret abstract scores or heat maps, it frames cyber risk in the same language as market risk, operational risk, and legal risk: potential loss, probability, and uncertainty. When cyber risk is expressed this way, it stops being a mysterious technical concern and starts behaving like a normal business problem. It’s one that can be discussed, compared, and managed.

The limits of traditional cyber risk conversations

For many organizations, cyber risk reporting still centers on compliance status, control maturity, or qualitative risk ratings. These approaches are not inherently wrong, but they tend to break down at the executive level.

A heat map might tell a board that ransomware risk is “high,” but it doesn’t explain what that actually means for the business. Does “high” imply a minor operational disruption or a material earnings event? Is it more significant than a supply‑chain interruption or a regulatory fine? And perhaps most importantly, is the organization already spending too much, or too little, to manage it?

Without financial context, these questions are almost impossible to answer. As a result, cyber risk discussions often become reactive. Funding decisions are driven by the latest incident in the news, a regulatory finding, or a sense of unease rather than a clear understanding of exposure and trade‑offs.

CRQ exists to close that gap.

What changes when cyber risk is quantified

At its core, CRQ reframes cyber risk as a question of economic impact under uncertainty. Rather than assigning a label to a risk, it estimates how often a loss event might occur and what the financial consequences could reasonably look like. Importantly, this is done using ranges and probabilities, not single “magic numbers.”

The difference may sound subtle, but it fundamentally changes the conversation.

Instead of hearing that a risk is “high,” executives hear that there is a realistic chance of a multi‑million‑dollar loss in a given year, with identifiable drivers that influence both likelihood and severity. Suddenly, cyber risk becomes comparable to other enterprise risks. It can be discussed in risk committees, weighed against strategic initiatives, and aligned with the organization’s risk appetite.

This doesn’t make cyber risk predictable, but it does make it intelligible.

Why executives and boards care

From a leadership perspective, the value of CRQ is not in mathematical elegance; it’s in decision support.

Executives are constantly making resource allocation decisions under uncertainty. They decide how much to invest in resilience, insurance, compliance, and growth without perfect information. CRQ gives them a clearer basis for those decisions by showing how cybersecurity investments influence potential financial outcomes.

It also helps answer one of the most persistent and uncomfortable questions in cybersecurity: Are we spending the right amount?

Without quantification, security budgets are difficult to defend. Spending increases can feel arbitrary, and reductions can feel reckless. CRQ provides a way to link investment levels to expected risk reduction, allowing leaders to see not just what they are spending, but what they are buying in terms of reduced exposure.

For boards, this clarity is increasingly critical. Regulatory expectations and fiduciary scrutiny around cyber oversight are rising, and boards are expected to demonstrate informed judgment, not just awareness. CRQ helps boards show that cyber risk is being evaluated with the same rigor applied to other material risks.

CRQ and enterprise risk management

Another reason CRQ matters to the business is that it enables cyber risk to be fully integrated into enterprise risk management (ERM).

Most ERM programs already rely on financial modeling and loss estimates to evaluate risks like litigation, credit exposure, or operational disruption. Cyber risk has often sat outside this framework, discussed separately and scored differently. This separation makes it harder to prioritize risks across the enterprise and harder to align cyber decisions with broader business objectives.

By expressing cyber risk in financial terms, CRQ allows it to be evaluated alongside other enterprise risks. It becomes easier to see where cyber scenarios rank relative to non‑cyber threats, and easier to decide where leadership attention and capital should be focused.

A note on precision - and why it’s not the point

One of the most common objections to CRQ is concern about accuracy. After all, how can anyone reliably estimate the cost of a future cyber event?

The answer is that CRQ is not about perfect prediction. It’s about reasonable estimation and transparency. Good CRQ explicitly acknowledges uncertainty, documents assumptions, and focuses on ranges rather than exact figures. In practice, this often leads to more credible discussions, not less.

Executives are accustomed to making decisions based on forecasts, scenarios, and incomplete data. What they need is not certainty, but a clear understanding of what drives risk and how different choices influence potential outcomes. CRQ provides that structure.

Why this matters now

Cyber losses are becoming more visible, more material, and more disruptive. At the same time, organizations face increasing pressure to justify security spending and demonstrate sound governance. In this environment, relying on purely qualitative or technical risk descriptions is no longer sufficient.

Organizations that can explain cyber risk in business terms are better positioned to make disciplined investments, engage their boards effectively, and avoid both overreaction and complacency.

Cyber Risk Quantification doesn’t eliminate cyber risk, but it does make it manageable in the way business leaders expect.

SiRAcon '25 Highlights and Recap: Day 3

Tue, 30 Sep 2025 11:52:29 GMT

SiRAcon ’25 Highlights

From Zero to Quant to ERM

SiRAcon ’25 took place last week Sep. 9-11, 2025 at the Boston Federal Reserve in Boston, MA, which marks the second year that SiRAcon has occurred at this venue.

The event theme this year was “From Zero to Quant to ERM,” building on last year’s theme of “From Zero to Quant” and emphasizing the need to have conversations about cybersecurity risk as part of broader enterprise risk management decisions. Presentations reinforced this theme and brought in considerations for AI, industry standards to aid adoption, and steps for continued growth based on learnings from the past.

The event saw more than 100 attendees between in-person and virtual attendees, and the SiRA Slack and Zoom chat allowed for lively and energizing discussion and debate across the event. As always, the SiRA community was engaged and thought-provoking throughout the week, with excellent conversations taking place during breaks across the event. The sense of community at this conference is always amazing!

If you happened to miss this year’s SiRAcon but registered, you can still access session recordings through the event site. If you did not register, the recordings will soon be added to the Members’ Area of www.societyinforisk.org and you can access them (as well as recordings from previous SiRAcons and past webinars) by becoming a Member of SiRA: https://societyinforisk.org/join.

Day 3: Thursday, Sep. 11, 2025

Keynote: The Evolving Landscape of Risk Quantification: Past, Present, and Future

Jack Jones

The final keynote presenter of SiRAcon ’25 was Jack Jones, who provided a historical perspective of cybersecurity risk management. Jack connected the world of cyber risk to the medical industry, bringing in the notion of “Cybersecurity 2.0,” which will be characterized by consistent terminology and causal probabilistic models, quantitative ranges and distributions, and empirical data focus with forecasting evaluation. Jack also touched on AI, highlighting its potential value in scenario engineering and threat modeling.

Cross-Industry Lessons in Risk Quantification: Medical, Aviation, and Shipping Perspectives

Didier Jourdain

Continuing the trend of looking at other industries for lesson to be learned, Didier Jourdain utilized examples from the medical, aviation, and shipping industries to suggest an efficient approach to decision making. Didier noted the use of ordinal scales in these industries when rapid decision-making is required, noting the familiarity of these scales to these practitioners, but that more in-depth analysis can be used when time allows and requires.

Moving Toward Risk-Based Compliance: PCI DSS 4.0 Targeted Risk Analysis

Jim Lipkis

Jim Lipkis, with input from Aaron Arutunian, dove into target risk analysis (TRA) for specific control criteria. Jim noted that compliance does not necessarily mean security, but he posited whether compliance requirements might support stronger security postures. Jim advocated for conducting high-level assessments first to identify what’s actually important before performing deeper analysis to allocate resources to focus on truly critical controls.

Insecure at Any Speed: Why Secure by Design is Not Enough

John Benninghoff

Beginning with a historical overview of the auto industry and factors resulting in improved safety, John Benninghoff made connections to the CISA “Secure by Design” initiative. John noted the potential externalities from security incidents, notably that third-party breaches affect numerous interconnected companies. John ended with a call to action to professionalize the software engineering profession with proper tools and moral obligations.

Keeping Score: Using Real Breach Data to Evaluate Control Effectiveness

Matt Berninger

The final presentation of SiRAcon ’25 was from Matt Berninger, who went into the latest cybersecurity controls report from Marsh McClennan that analyzed the relationship between control attestations and breach performance. Matt concluded that the controls that mattered in 2023 still matter, but he noted that it is harder to differentiate due to high adoption rates (such as 98-99% MFA adoption). Matt also highlighted that using the Exploit Prediction Scoring System (EPSS) and contextual scoring frameworks is recommended over CVSS scores alone.

_____________________________________________________________

During SiRAcon ’25, the SiRAcon Planning Committee also announced exciting news: SiRAcon ’26 will take place from Apr. 21-23, 2026 at the Boston Federal Reserve in Boston, MA. Full event details, including the event theme, presentation proposal deadlines, and registration, will be announced in coming weeks.

Thank you to everyone who made SiRAcon ’25 a success, particularly the keynote presenters and speakers, SiRA Board Members and SiRAcon Planning Committee Members, and attendees alike!

Thank you, too, to the sponsors of SiRA and SiRAcon ’25:

SiRA Organizational Sponsors
- Marsh McClennan
- Ostrich Cyber-Risk
SiRAcon ’25 Gold Sponsor
- Marsh McClennan
SiRAcon ’25 Bronze Sponsors

Finally, thank you to the Boston Federal Reserve for acting as a phenomenal host yet again and to the YOTEL Boston for providing fantastic accommodations and space for attendees.

SiRAcon '25 Highlights and Recap: Day 2

Tue, 23 Sep 2025 11:22:42 GMT

SiRAcon ’25 Highlights and Recap: Day 2

From Zero to Quant to ERM

SiRAcon ’25 took place last week Sep. 9-11, 2025 at the Boston Federal Reserve in Boston, MA, which marks the second year that SiRAcon has occurred at this venue.

The event theme this year was From Zero to Quant to ERM, building on last year’s theme of From Zero to Quant and emphasizing the need to have conversations about cybersecurity risk as part of broader enterprise risk management decisions. Presentations reinforced this theme and brought in considerations for AI, industry standards to aid adoption, and steps for continued growth based on learnings from the past.

Day 2: Tuesday, Sep. 10, 2025

The State of SiRA

Darrell Waurio, SiRA Board President

Darrel Waurio got day 2 started with a brief session focused on the vision and goals of SiRA for the near future. Darrell highlighted the five strategic priorities of the SiRA Board: member community development, sponsor relationships, strategic partnerships, Board strategic direction and oversight, and financial sustainability. Darrell included a call for volunteers to help SiRA meet these goals.

(For more details, please read the SiRA President’s Letter: https://societyinforisk.org/Presidents-Letter)

Keynote: Is AI the Biggest Risk to Risk Analysis – Or its Future?

Lonnie Chrisman

Lonnie Chrisman was the keynote presenter for day 2 and dove straight into an engaging presentation focused on AI. Lonnie emphasized the impacts of AI on information risk analysis, highlighting increases in the ability to perform multi-step tasks and tying this to a movement from reactive risk management to proactive strategic planning. Lonnie noted that future (and current!) risk analysts can make great use of AI to provide improvements to modeling efforts and helping to fill a gap where there is missing expertise. Lonnie advised that risk analysts should adopt AI tools to increase performance and efficiency.

Surfing the Risk Sine Wave

Tyler Britton and Taylor Maze

Presenting remotely, Tyler Britton began his session developed with Taylor Maze by noting the limitations of traditional risk reporting: risk burn-down charts show consistent downward trends, but they create an unrealistic expectation that risk approaches zero. In reality, a net risk approach provides a better insight into risk oscillation and allows better risk management, based on risk tolerance and appetite and with allowances for variation built in.

Student Research Competition Winners

Day 2 featured the Inaugural SiRA Research Competition Winners Isaac Teuscher and Philip Akekudaga, who gave brief presentations on their research.

Automating the RMF: Lessons from the FedRAMP® 20x Pilot

Isaac Teuscher

Isaac Teuscher’s presentation focused on FedRAMP, which is the process to authorize cloud-based software for use by U.S. federal agencies and changes coming with FedRAMP 20x. Isaac provided insights into these changes based on a case study involving first-hand experience, tying in the NIST Risk Management Framework (RMF) and addressing evidence and documentation considerations.

Quantifying Systemic Risk in Critical Power Infrastructure Using FDNA: From Single-Node Failure to Grid-Wide Cascades

Philip Akekudaga

Philip Akekudaga’s presentation focused on function dependency network analysis (FDNA, which is a graph‑based methodology for identifying, representing, and quantifying dependencies. Philip applied FDNA to a simulation to understand and improve the resilience of electric power grids, noting possible tie-ins to dynamic models to capture real-time varying shocks as well as enterprise portfolio planning to prevent cascading failures through capability chains.

Quantifying the Cost of Cyber Risk

Scott Stransky

Following the presentations by the SiRA Research Competition winners, Scott Stransky used cyber insurance data to dive into the history of insurance risk modeling, cyber data types, correlation studies, and academic research. Scott highlighted the advantages offered by using insurance data, notably that there is high fidelity in incident details (including remediation efforts). Scott also noted that there is no statistically significant increase in ransomware incidents after buying cyber insurance.

A Quant-a-Be’s Journey to Integrate CRQ at an Enterprise Scale

Sean Atkinson

Sean Atkinson offered insight into lessons learned from implementing a risk quantification program, offering open and honest lessons learned from attempts and resistance met. Sean noted his various failed attempts and what was learned at each stage, providing attendees with clear ways to improve communication within an organization and improve adoption efforts. Sean stressed the need to meet each department where they are in understanding (i.e., don’t present deep analytics to someone new to quantification) and to use current methodologies as a bridge to quantification.

Adversarial Machine Learning and AI Forensics

Paul Starrett

Paul Starrett kicked off his presentation by ensuring common understanding of AI forensics, which is the process of collecting, analyzing, interpreting evidence to prove/disprove legal disputes involving AI systems. Paul used his experience throughout his career to provide real-world examples and emphasize the need to plan for adoption beforehand, rather than after.

Quantifying in the Age of Hallucination: How I Learned to Stop Worrying and Trust the AI (Sometimes)

Tony Martin-Vegue

Rounding out day 2 was Tony Martin-Vegue, who offered some clear guidance on safe AI adoption:

Accelerate don’t outsource – use AI for tasks you already understand
Assume wrong until proven right – verify all sources and claims from AI
Keep humans at the wheel – never let AI make final risk decisions

Tony concluded his presentation by noting that AI fluency paired with human judgment will differentiate successful analysts.

_____________________________________________________________

Thank you to everyone who made SiRAcon ’25 a success, particularly the keynote presenters and speakers, SiRA Board Members and SiRAcon Planning Committee Members, and attendees alike!

Thank you, too, to the sponsors of SiRA and SiRAcon ’25:

SiRA Organizational Sponsors
- Marsh McClennan
- Ostrich Cyber-Risk
SiRAcon ’25 Gold Sponsor
- Marsh McClennan
SiRAcon ’25 Bronze Sponsors

Finally, thank you to the Boston Federal Reserve for acting as a phenomenal host yet again and to the YOTEL Boston for providing fantastic accommodations and space for attendees.

SiRAcon '25 Highlights and Recap

Tue, 16 Sep 2025 12:02:50 GMT

SiRAcon ’25 Highlights and Recap: Day 1

From Zero to Quant to ERM

SiRAcon ’25 took place last week Sep. 9-11, 2025 at the Boston Federal Reserve in Boston, MA, which marks the second year that SiRAcon has occurred at this venue.

Day 1: Tuesday, Sep. 9, 2025

Keynote: Quantitative Enterprise Risk Management

Graeme Keith

Graeme Keith kicked off SiRAcon ’25 as the keynote presenter on Tuesday, Sep. 9. Graeme stressed the need for risk management to influence decision-making in an organization. The models used need to be actionable, causal, stochastic, and simple, but adequate. Graeme stressed that enterprise risks occur and impact across the scale of the organization and that enterprise risk management aligns enterprise objectives and decisions with governance.

Zero Trust in CRQ? Or CRQ in Zero Trust?

John Linford

Following Graeme, John Linford dived into a presentation on areas where cyber risk quantification might be included as part of an organization’s Zero Trust transformation. John emphasized the mindset shift required to adopt Zero Trust and built on this to offer areas where CRQ might complement the transition and decision-making.

Why We Resist: Uncovering the Psychological Barriers to Effective ERM

Jason Leuenberger

Jason Leuenberger showed the power of the mind in his presentation, providing an open and honest glimpse into his own thought processes to demonstrate the value of Kegan’s Immunity to Change and Self-Determination Theory. Jason tied these concepts back to why risk initiatives face resistance and offered suggestions for designing ERM programs that will actually work.

Integrating Cyber Risk and Enterprise Risk Using the NIST 8286 IR

Andrew Shea

The Integrating Cybersecurity and Enterprise Risk Management (ERM) series of publications from NIST provide a valuable resource for any organization attempting to integrate cyber risk with enterprise risk, as shown by Andrew Shea. Andrew provided a breakdown of the documents in the series and offered guidance on implementation timelines and approach, highlighting technical and non-technical mitigations and utilizing the risk-adjusted return on capital (RAROC) methodology.

Navigating the Changing Cyber Landscape: Trends, Costs, and Risk Mitigation Strategies

Wendy Hou-Neely

Wendy Hou-Neely kept the energy of day 1 flowing with an overview key cyber risk trends and statistics, highlighting the top threat areas as well as ransomware payment trends, major incident driving costs, and business interruption costs. Wendy also stressed some key risk mitigations and controls, including MFA, data management best practices, and considerations for third-party risk management.

(Nearly) a Decade of Risk Management: Lessons Learned and What’s Next

David Severski

David Severski rounded out day 1 with an insightful (and cat-filled) presentation focused on security incident trends analysis. David offered real-world data from the Cyentia Institute to showcase changes in incident frequency (increasing), the probability of experiencing a security event (increasing for most organizations, but decreasing for mega corporations), and financial impact data (increasing). David kept the energy high and attention focused to round out the first day!

_____________________________________________________________

Thank you to everyone who made SiRAcon ’25 a success, particularly the keynote presenters and speakers, SiRA Board Members and SiRAcon Planning Committee Members, and attendees alike!

Thank you, too, to the sponsors of SiRA and SiRAcon ’25:

SiRA Organizational Sponsors
- Marsh McClennan
- Ostrich Cyber-Risk
SiRAcon ’25 Gold Sponsor
- Marsh McClennan
SiRAcon ’25 Bronze Sponsors

Finally, thank you to the Boston Federal Reserve for acting as a phenomenal host yet again and to the YOTEL Boston for providing fantastic accommodations and space for attendees.

We look forward to seeing everyone again next year at SiRAcon '26!

How Effective Are Your Controls?

Joseph Breen — Wed, 03 Sep 2025 13:01:39 GMT

From Control Checklists to Measurable Confidence

Controls are the backbone of any risk program. Firewalls, access controls, backups & MFA are just a few examples. Many organizations are packed with them. But here’s the question: how do you really know if those controls are working? And more importantly, how effective are they compared to the cost of maintaining them?

The “How Effective Are Your Controls?” track at SIRAcon ’25 is about moving beyond assumptions and audits to measurable evidence. Instead of treating controls as a binary measure of either “in place” or “not in place”, we’ll explore how quantification can reveal the actual risk reduction they deliver. That means better investment decisions, sharper communication with leadership, and less reliance on gut feel.

We oftentimes think ROI is the right way to go about it, but executives might not look at it that way - we are investing, but technically speaking, we aren’t getting returns. It’s time we start looking at it from the perspective of risk reduction rather than a return.

This track is for anyone who’s ever struggled to prove the value of security spend or wondered if compliance checkboxes are actually reducing risk. By applying quantitative approaches, you’ll leave with tools to measure, compare, and optimize the controls that make up your security (and enterprise) defense posture.

Quantifying Control Effectiveness

Controls aren’t perfect, they’re probabilistic. A phishing filter doesn’t block every malicious email. Backups don’t guarantee flawless recovery. But by treating controls as measurable (rather than assumed) risk mitigators, you can bring clarity to messy questions:

What’s the actual likelihood reduction from multi-factor authentication?
How do patching frequencies shift your risk curve?
Which of your overlapping tools are duplicative—and which are essential?

Sessions in this track will showcase methods to estimate control performance with real-world data, benchmarks, and expert judgment, helping you move from vague confidence to evidence-based decision-making.

The RROI (Risk Reduction on Investment) of Security Spend

Budgets are tight, risks are rising, and boards want proof. This part of the track will help you connect control effectiveness directly to dollars and cents. You’ll see how to calculate the risk reduction per dollar spent, prioritize investments based on quantified impact, and identify diminishing returns when layering controls.

Expect to walk away with frameworks for answering the age-old CFO question: “If I give you another million dollars, how much risk does that take off the table?”

Modeling Controls in a System, Not a Vacuum

Controls don’t exist in isolation, they work in layers with overlaps and gaps. A single vulnerability scan might not stop a breach, but combined with patch management, incident response, and endpoint detection, it forms a defense-in-depth system.

This track will show you how to model control performance as part of a broader ecosystem. Think: Monte Carlo simulations showing defense layers, scenario analysis that tests controls against realistic attack paths, and system-level views that reveal where a single weak link undermines the whole chain.

Beyond Cyber: Controls Everywhere

Although security controls may take the spotlight, the same thinking applies outside of cyber. Internal financial controls, environmental safeguards, safety systems - these are all “controls” that deserve measurement. Sessions may highlight how techniques developed in risk quant can be applied across domains, reinforcing enterprise-wide control confidence.

Sample Use Cases:

Cyber: Measuring MFA effectiveness in reducing credential theft incidents.
Operational: Estimating the reduction in workplace accidents from a new safety training program.
Financial: Quantifying how a segregation-of-duties control reduces fraud risk.

From Assurance to Influence

Ultimately, this track isn’t just about proving that controls exist, it’s about showing how they perform, in language that resonates with executives and boards. Attendees will learn to communicate control effectiveness in terms of risk reduction, business outcomes, and strategic priorities.

Sessions may explore:

Approaches for benchmarking controls against peers
How to incorporate control uncertainty into quant models
Linking control effectiveness to enterprise risk appetite
Telling a compelling control story to leadership

Controls as Measurable, Not Assumed

The “How Effective Are Your Controls?” track is about replacing blind trust with measurable assurance. You’ll leave with strategies to make your control program more transparent, defensible, and impactful - armed with the evidence you need to prove that your controls aren’t just there, they’re working. At SIRAcon ’25, we’re not just asking if you have controls in place. We’re asking how much they matter, how much they reduce risk, and how you can prove it.

From Cyber-Centric to Enterprise-Wide: Expand the Impact of Quantification

Joseph Breen — Tue, 12 Aug 2025 11:50:35 GMT

Risk Quantification Beyond Security

Risk quantification doesn’t stop at just security. We have used the term cyber risk quantification so heavily (for good reason) that people seem to forget we can quantify any kind of risk. The applications are endless—what about quantifying the negative outcome that can stem from hitting “reply all” to an email asking for anonymous submissions? Or estimating the productivity loss if a coworker microwaves last night’s fragrant fish dinner in the office microwave?

As those examples show, some of the most innovative applications of risk modeling are happening outside cybersecurity—covering workplace tomfoolery, supply chains, finance, and even climate and environmental risk. The “Risk Measurement Outside of Cyber” track at SiRAcon ’25 is your invitation to break down silos and explore how quant can support truly enterprise-wide resilience.

This track is for forward-thinkers who see risk measurement as more than a security function. Whether you're in cyber, ops, or enterprise risk, you'll walk away with tools to extend your modeling practice into new domains—while staying grounded in the rigorous, defensible approaches that define good quant.

Modeling the Messy World of Supply Chains

Just-in-time works brilliantly—until it doesn’t. Supply chain risk is not just about disruptions; it’s about understanding the ripple effects of delays, geopolitical instability, or labor unrest on your business outcomes. In these sessions, you’ll learn to bring structure and quantification to a system that often feels chaotic. You’ll see how probabilistic models, scenario analysis, and cross-functional collaboration can reveal the real financial stakes behind operational hiccups and help you make a defensible case for resilience investments.

Financial Risk Quant for Non-Quants

You don’t need to be on Wall Street to use financial modeling. From value-at-risk (VaR) to cash flow stress testing, these techniques can be adapted to help organizations prepare for worst-case scenarios, budget effectively, and understand the downstream financial effects of incidents—cyber or otherwise. This track will focus on translating financial quant concepts into accessible, actionable tools for decision-making, capital planning, and insurance choices.

Environmental and Climate Risk: Measured and Modeled

Environmental risk is not a far-off concern—it’s here now, and it’s measurable. Climate volatility, extreme weather events, shifting regulations, and ESG pressures all create uncertainty. Talks here could cover how to work with environmental risks, even with imperfect data, and show how to integrate climate risk scenarios into operational, financial, and strategic planning. You’ll gain strategies to turn uncertain data into actionable insights that support both resilience and sustainability goals.

Sample Use Cases Across Domains

Supply Chain Risk: Modeling the cost impact of a two-week port closure on seasonal product availability.
Financial Risk: Estimating cash flow stress from a sudden legal settlement unrelated to cyber incidents.
Environmental Risk: Quantifying potential downtime costs from an extreme heatwave affecting warehouse operations.

Thinking Like an Enterprise Risk Function
Cyber risk quant started as a niche—but it doesn’t have to stay one. This track will also explore how cyber professionals can evolve their models and language to contribute to broader enterprise risk efforts. Think: integrating cyber into operational risk heatmaps, showing cumulative exposure across domains, or linking cyber incidents to financial and reputational outcomes.

Sessions may explore:

Frameworks for aligning cyber quant with ERM practices
Building shared assumptions across risk domains
Communicating cross-domain risks to boards and executives
The art of zooming out: when to keep cyber-specific detail and when to abstract for enterprise view

Because when risk is everyone's responsibility, quant can’t live in just one department.

One Discipline, Many Domains

The “Risk Measurement Outside of Cyber” track is about scale, translation, and collaboration. You’ll leave with the mindset and methods to take what you’ve learned in cyber and apply it to the rest of the enterprise—helping your organization become more adaptive, resilient, and future-ready.

At SiRAcon ‘25, we’re not just advancing cyber risk measurement—we’re elevating risk quant to meet the full spectrum of enterprise challenges. And we’re doing it one model, one scenario, one shared framework at a time.

Smarter Models, Sharper Insights: AI in Quantitative Risk Measurement

Joseph Breen — Wed, 09 Jul 2025 22:05:01 GMT

Artificial intelligence is everywhere, but how do you separate the hype from the helpful when it comes to risk models?

The “AI in Quantitative Risk Measurement” track at SIRAcon ‘25 is all about the practical side of integrating AI and machine learning into your risk analysis. Not to build flashy toys—but to make your models faster, smarter, and more insightful.

This track isn’t about automating your entire job away. It’s about enhancing your ability to detect patterns, handle uncertainty, and generate defensible, data-driven insights with greater efficiency. If you’ve ever wondered whether a model could learn from past scenarios, detect bias in your inputs, or help you forecast risk with fewer assumptions, we think you’ll find some answers here.

AI that Adds, Not Obscures

In risk, clarity matters more than complexity. That’s why these sessions will focus on interpretable AItools and techniques that enhance your understanding instead of burying it in black-box algorithms.

Potential session topics include:

Leveraging machine learning to spot patterns in incident and loss data
Using natural language processing (NLP) to extract risks and controls from unstructured sources
Building AI-enhanced models that provide explainable outputs—not just predictions
Identifying when AI helps… and when it just adds noise

Because if you can’t explain how your model works, you probably can’t defend it either.

Faster, Leaner Modeling with ML

AI can do more than just analyze data. It can accelerate how you prep, structure, and test your models. We’re hoping to hear from experts on time-saving applications of machine learning that let you skip the grunt work and get to insight faster.

Learn how to:

Auto-clean and cluster messy data sets from multiple sources
Use AI to flag anomalies and inconsistent assumptions before they skew your results
Train models on historical loss data to inform probability distributions and impact ranges
Optimize Monte Carlo simulations with smarter parameter tuning and convergence detection

No data science background required—just a low tolerance for cleaning up messy models.

Redefining Risk Scenarios with AI

Scenario development is the heart of good risk quantification, but it’s also one of the most labor-intensive steps. We’d like to hear from experts on how AI can augment scenario creation with smarter suggestions, better inputs, and real-time threat intelligence integration.

Expect to see talks covering:

Tools that generate realistic risk scenarios based on current threat trends
Ways to blend AI-generated insights with SME judgment (without losing control)
Techniques for continuously updating scenarios as new data becomes available
Risk storylines driven by both structured and unstructured sources

The result? More relevant scenarios. Less mental gymnastics.

AI + Human Judgment = Better Risk Decisions

AI isn’t here to replace you. As long as you approach it properly, it’s here to supercharge you. The real value of AI in quant isn’t in outsourcing thinking, but in enhancing it. Sessions in this track will help you strike the right balance between automation and expert oversight, and show you how to turn AI outputs into decisions leadership can trust.

You’ll walk away with:

A working knowledge of AI’s strengths and limits in risk modeling
Practical tools to experiment with right away (no PhD required)
New ideas for solving old problems like data gaps, stale assumptions, and overworked analysts

Build Better Models, Make Smarter Moves

The “AI in Quantitative Risk Measurement” track is designed for risk professionals who want to move beyond spreadsheets and truly level up their modeling practice. Whether you're just starting to explore AI or already experimenting with it in your workflows, this track offers real-world insights, not just research papers.

At SIRAcon ‘25, we’re not just talking about the future—we’re putting it to work.

Unlocking Better Risk Decisions: The Power of Decision, Behavioral, and Data Science at SiRAcon

Joseph Breen — Wed, 18 Jun 2025 01:38:16 GMT

At SiRAcon 2025, we're not just measuring risk—we’re exploring how risk decisions actually get made. That’s why this unique track dives deep into the intersection of Decision Science, Behavioral Science, and Data Science—disciplines that go far beyond numbers and models to influence the very core of enterprise risk management.

Why this track matters

In theory, good data should lead to good decisions. But in practice? It's messier. Cognitive biases, organizational politics, incomplete information, and poorly designed models can all distort risk assessments and decisions. This track confronts that reality head-on.

By blending technical methods with human insight, speakers will share strategies for making risk quantification more useful, usable, and actionable across the enterprise.

What to Expect from this Track

Decision Science: Structuring Better Choices

How do you move from quantification to action? Decision science provides frameworks for structuring options, defining objectives, and assessing tradeoffs under uncertainty. Sessions in this area will explore:

How to frame risk questions that matter to executives
Using decision trees, value of information, and utility curves to clarify priorities
Real-world case studies of decisions improved (or distorted) by modeling

Behavioral Science: Understanding Risky Humans

Risk isn’t just technical—it’s deeply human. Behavioral science helps us understand how people perceive, misinterpret, and respond to risk. This sub-track explores:

Common biases in interpreting risk data (e.g., overconfidence, probability neglect)
Organizational friction: how teams resist or misapply quant models
Nudging better decisions with communication, design, and defaults

Data Science: Driving Better Inputs

Behind every credible model is a mountain of messy, fragmented data. Data science helps risk professionals:

Clean and structure data from disparate sources
Automate updates and detect outliers
Apply machine learning techniques with caution and transparency

You’ll also hear from practitioners who are bridging the gap between raw telemetry and business-relevant insights, using real-world data pipelines to power meaningful risk decisions.

Risk Isn’t Just a Number—It’s a Decision Process

This track will challenge attendees to think differently about the role of quantification. It's not about producing the “perfect” number—it’s about producing information that improves decisions under uncertainty.

You’ll leave with frameworks, stories, and tactics for:

Making your models more decision-relevant
Communicating uncertainty more effectively
Designing processes and cultures that absorb, not resist, risk intelligence

Join Us

If you’ve ever asked “Why aren’t they using our risk analysis?”, this track is for you. Decision, behavioral, and data science offer practical, often surprising answers—and this year’s speakers are bringing their best lessons forward.

Because at the end of the day, a quantified risk is only valuable if it helps someone make a better choice.

SIRAcon 2025: Measurement Tips, Tricks, & Tools

Joseph Breen — Wed, 28 May 2025 15:09:23 GMT

Fix the Data. Trust the Model. Move Faster.

Behind every successful risk quantification effort is something most people never see: a messy, manual, and often frustrating process of wrangling data, building models, and troubleshooting why they just don’t behave like they should. That’s the reality of risk measurement—and it’s exactly what the “Measurement Tips, Tricks, & Tools” track at SiRAcon ‘25 is here to tackle.

This track isn’t about flashy dashboards or the latest software suite. It’s about the everyday work of making quantification practical, defensible, and trusted. If you've ever thought, “this model looks right, but something feels off,” or spent hours trying to clean a spreadsheet someone exported from an obscure legacy system—this track is for you.

Data Hygiene in the Real World

Before you model anything, you have to trust your data. That’s easier said than done when your inputs come from ticketing systems, config management databases, threat intel feeds, or one-off subject matter expert interviews.

In this session, you'll learn proven methods for:

Spotting common inconsistencies in real-world cyber risk data
Creating defensible assumptions when you don’t have a complete dataset
Validating source quality—and knowing when a source is too noisy to use
Building workflows that let you revisit and update assumptions without starting from scratch

If garbage in = garbage out, this is how you take out the trash before it corrupts your model.

Troubleshooting Quant Models

“My loss exceedance curve looks weird.” If you’ve ever said that out loud, congratulations—your LEC does in fact look weird, but you’re not alone. Diagnosing why your model output seems “off” takes more than gut instinct, which is what this talk track is about. This session will give you the skills to reverse-engineer your models when the results don’t match expectations.

Some possible topics to explore:

How to identify hidden bias in your estimates or distributions
Techniques for sensitivity analysis that highlight which inputs matter most
Warning signs that your simulation isn't converging—or is overfitting to bad data
Ways to communicate uncertainty and model limitations without undermining credibility

It’s not just about making models—it’s about making models that hold up under scrutiny.

Scripting Smarter Simulations

Monte Carlo models are the backbone of modern risk quantification—but building simulations that are fast, flexible, and maintainable is an evolving art.

Sessions in this track might walk through:

Structuring simulations so they scale and adapt as your data evolves
Writing modular code in Python, R, and Excel to reduce manual work
Running multiple what-if scenarios in parallel without rewriting your logic every time
Avoiding common performance bottlenecks when running large simulations

If you’re stuck in a spreadsheet swamp, or want to build scripts that do more of the heavy lifting, this will get you there faster.

Shortcuts and Time-Savers

Risk teams are often under-resourced and over-asked—so efficiency isn’t a luxury, it’s a necessity. These sessions are full of “if only I knew this sooner!” kinds of tricks that help you move faster without compromising accuracy or integrity.

Talks in this track aim to address:

Lightweight ways to automate recurring analysis tasks
How to templatize your modeling workflow to reduce errors
Creative ways to repurpose prior assessments and speed up scenario development
Quick checks you can run to spot red flags before presenting results

Because the faster you can get to reliable insight, the more time you have to act on it.

Your Quant Practice, Supercharged

The Measurement Tips, Tricks, & Tools track delivers practical knowledge that risk professionals can apply the very next day. It’s for the people doing the work—building models, validating inputs, debugging strange outputs, and constantly evolving their methods to be more credible and more actionable.

When you walk away from these sessions, you won’t just know how to measure risk—you’ll know how to do it better, faster, and with a lot more confidence.

At SiRAcon ‘25, we’re not just pushing boundaries—we’re refining the engine behind the insights that matter.

From Zero to Quant to ERM: The Role of Risk Decision Support in Modern Organizations

Joseph Breen — Tue, 06 May 2025 14:49:36 GMT

In the world of risk analysis, knowing the numbers is just the beginning. The real challenge, but also the value, lies in using those numbers to support better decisions. That’s why the Risk Decision Support track at this year’s SiRAcon 2025 will be insightful for anyone looking to advance from quantifying risk to managing it strategically.

From Zero to Quant to ERM

Continuing the evolution from last year’s theme “From Zero to Quant,” this year’s theme “From Zero to Quant to ERM” spotlights the journey organizations are on: from beginning their risk quantification efforts, to integrating those efforts into broader enterprise risk management (ERM) strategies. At the heart of that journey is decision support - the ability to turn data into action.

Why Risk Decision Support Matters

Quantifying risk isn’t just about producing numbers; it’s about helping leaders make informed, defensible decisions under uncertainty. Whether you're prioritizing controls, selecting vendors, allocating budget, or evaluating cyber insurance options, quantitative models provide a structured way to weigh trade-offs and assess outcomes.

This track is for analysts, CISOs, risk managers, and decision-makers who want to bridge the gap between technical measurement and real-world action.

What to Expect in This Track

The Risk Decision Support track will cover topics such as:

Using Quant Models to Drive Action: Learn how organizations are applying Monte Carlo simulations, Value-at-Risk, and expected loss modeling to prioritize cybersecurity initiatives, justify budgets, and communicate risk in financial terms.
Decision Frameworks That Integrate Quantification: Discover methods for embedding quantitative risk assessments into strategic frameworks - such as cost-benefit analysis, decision trees, and Bayesian updating to support rational, transparent decision-making across the enterprise.
Real-World Case Studies: Hear from practitioners who’ve operationalized quant models, and learn what worked (and what didn’t) when translating analytics into business value.
Bridging the Analyst–Executive Gap: Explore communication strategies for presenting quantitative results to non-technical stakeholders, ensuring data drives decisions without getting lost in translation.

Take the Next Step in Your Risk Journey

SiRAcon 2025’s Risk Decision Support track is your opportunity to explore how cutting-edge quant methods are being transformed into powerful decision-making tools. Whether you're deep in the modeling weeds or steering enterprise strategy, this track will spark new ideas and deliver practical insights you can apply immediately. Don’t miss the chance to be part of the conversations that are shaping the future of risk management. Let’s move beyond metrics and toward meaningful, data-driven decisions.

From Zero to Quant to ERM: Exploring the Expanding World of Risk Analysis at SIRAcon ‘25

Joseph Breen — Wed, 23 Apr 2025 18:34:15 GMT

SIRAcon ‘25 is set to take place September 9th-11th at the Boston Federal Reserve. This year's theme, "From Zero to Quant to ERM," highlights the evolving landscape of risk analysis. Building on its strong foundation in cyber risk quantification, this year's conference expands its focus to include broader Enterprise Risk Management (ERM) practices. Attendees can expect practical insights, hands-on guidance, and strategic frameworks to improve risk measurement across the enterprise.

Presentations this year will center around several possible topics:

Risk Decision Support
Measurement Tips, Tricks, and Tools
Decision Science, Behavioral Science, and Data Science
AI in Quantitative Risk Measurement
Risk Measurement Outside of Cyber
Control Effectiveness

Risk Decision Support

Risk quantification can guide strategic decision-making. Presenters will share methods for integrating risk data into prioritization and resource allocation processes, ensuring that organizations make informed decisions backed by quantified insights. Expect sessions that explore techniques like financial impact modeling, showcasing how risk quantification can improve outcome predictions and help leadership make data-driven decisions.

Measurement Tips, Tricks, and Tools

Practitioners looking to improve their risk measurement processes need actionable strategies for enhancing data collection, analysis, and visualization. Expect sessions that will provide practical techniques for streamlining risk quantification efforts, ensuring practitioners can deliver clear, meaningful insights that resonate with stakeholders.

Decision Science, Behavioral Science, and Data Science

Effective risk management requires more than just data – it demands an understanding of how people interpret and act on that data. By applying behavioral science principles, risk professionals can enhance their ability to communicate insights, drive change, and improve outcomes. Expect sessions that delve into psychology, cognitive biases, and data modeling to help attendees improve decision-making under uncertainty.

AI in Quantitative Risk Measurement

Artificial intelligence and machine learning are revolutionizing risk quantification. Leveraging AI requires best practices to improve accuracy, efficiency, and insight in risk models. Expect sessions that offer practical applications of AI for forecasting, automation, and enhancing decision support capabilities.

Risk Measurement Outside of Cyber

Risk quantification isn't limited to cybersecurity. Risk quantification techniques can be applied to broader domains, such as supply chain risk, financial risk, and environmental risk. Expect sessions that provide strategies for expanding risk frameworks to align with enterprise-wide objectives and improve resilience.

Control Effectiveness

Ensuring that controls perform as intended is crucial for mitigating risk. Practitioners require practical strategies for assessing control performance, identifying gaps, and measuring control effectiveness. Expect sessions that provide frameworks for improving control designs, tracking key metrics, and ensuring alignment with organizational risk objectives.

Come Join Us!

SIRAcon ‘25 promises to deliver valuable insights for risk professionals seeking to expand their skill sets and improve decision-making in their organizations. Whether you're new to risk quantification or looking to build on existing practices, this year's conference will provide the tools and knowledge needed to advance from zero to quant to ERM.

You can register for SiRAcon ‘25 here.

Watch your email, LinkedIn, and the SiRAcon event site for the full agenda to be posted in April!