Risk & Error Budgeting

When (day):
Thu
At:
20:00 - 22:00

Training Session Video

(Below are draft session notes; please add missing content and improve on them.)

What are the tolerance and capacity levels of vulnerabilities or issues that each team can go live with? How long can they be tolerated (time limits)?

Common language, terminology, with business.

Asset depreciation for security risk.

Value return on spend on specific controls, how to measure. Use maps?

Where do you spend your money: on fixing issues that are fast to fix, or on those that are slow? Does that make business sense? What is the window of opportunity for not spending it on the slow ones? What would be the damage?

Risk velocity

Service Risk indicators

https://www.omerlh.info/2020/05/17/appsec-learning-sre-principles-metrics-and-measurements/

https://twitter.com/omerlh/status/1262351264710615040

Pre-summit session - 2 hr this week on Risk Budgeting.

next week*
starting with the concept of risk budgeting and then doing prep for the summit session
outcomes from this session: terminology & glossary
Omer to convert the blog post to a repo
Align to established Finance terms
Technical lag
time to update
Cost of delay
Dependency drift
need to include requirement to demonstrate & evidence value gained
all registrants to this session to be invited to Doodle
Douglas Hubbard - How to Measure Anything in Cybersecurity Risk
Doug Hubbard Is Risk leading the factor or is it following the considerations
https://www.howtomeasureanything.com/cybersecurity/
thanks
Risk budget or budgets for risk factors. Risk factors contribute to likelihood or consequence measure the factors and estimate the risk matter, which should be measured
So are risk factors the same as proxy measures?

Notable logs from the chat during the session

00:39:40 Phil Huggins: https://raw.githubusercontent.com/oracuk/oisru/master/universe-scope.png
00:39:51 Phil Huggins: https://blog.blackswansecurity.com/wp-content/uploads/Risk.jpg
00:42:43 Phil Huggins: https://blog.blackswansecurity.com/wp-content/uploads/GQM-Approach.png
01:12:23 Haydn Brooks (Risk Ledger): Risk is also highly contextual, agree with Ben
02:00:34 Martin: Need to be careful on the whole correlation not implying causation

