Tastes Great vs Less Filling: Deconstructing Risk Management
(A Practical Approach Towards Decision Making)


                                        Michael Dahn
                                    ChaordicMind.com

Thursday, April 29, 2010
Who am I?




Which side are you on?
                           • « Risk Management is Dead …
                             Long Live Risk Management » 



 Tastes Great!                Less Filling!
Pete Lindstrom




      « We have already solved the problem of
        Risk Management over 200 times, the
        problem is that we don’t know which
        one is right. »


Question Group 1
                            Question                                                  Answer
                            What year was George Washington born?                     ?
                            How many countries are in South America?                  ?
                            How many calories in an In-N-Out Double-Double burger?    ?
                            What year was Diet Coke invented?                         ?
                            How many elements are in the periodic table?              ?
Variance?

                           •   Upper bound
                           •   Lower bound
                           •   Range (Upper – Lower)
                           •   Standard deviation




Question Group 1
                            Question                                                  Answer
                            What year was George Washington born?                     1732
                            How many countries are in South America?                  13
                            How many calories in an In-N-Out Double-Double burger?    670
                            What year was Diet Coke invented?                         1982
                            How many elements are in the periodic table?              102
Question Group 2
                            Question                                                       Answer
                            How many languages are available on Flickr.com?                ?
                            How many breach incidents were reported by DatalossDB in 01/10? ?
                            When did Arnold Palmer first win the PGA Masters Tournament?   ?
                            How many minutes do Facebook users spend on the site / month?  ?
                            How many contributors to the Encyclopedia Britannica in 2008?  ?
Variance?

                           •   Upper bound
                           •   Lower bound
                           •   Range (Upper – Lower)
                           •   Standard deviation




Question Group 2
                            Question                                                       Answer
                            How many languages are available on Flickr.com?                8
                            How many breach incidents were reported by DatalossDB in 01/10? 35
                            When did Arnold Palmer first win the PGA Masters Tournament?   1958
                            How many minutes do Facebook users spend on the site / month?  500b
                            How many contributors to the Encyclopedia Britannica in 2008?  4,411
Question Group 3
                            Question                                                          Answer
                            What percentage of all malicious code will be executed in 2012?   ?
                            How many bugs are there in Windows Vista?                         ?
                            What is the chance a Wikipedia article will contain an error?     ?
                            How long will it take for an average computer to be p0wned in 2015? ?
                            What is the air speed velocity…                                   ?
Unknown-Unknowns

                           • Known Knowns (KK)
                             – People in this room now
                           • Unknown Knowns (UK)
                             – Population of the earth
                           • Known Unknowns (KU)
                             – The day I will die
                           • Unknown Unknowns (UU)
                             – Which risk management is
                               right for you…
To Know
                           “kennen” vs “wissen”

                           « kennen » :: to know a fact
                             – KK, UK, KU, UU

                           « wissen » :: to know a concept
                             – KK, UK, KU, UU

Concepts vs Domains
                           « Concepts »
                             – an abstract or generic idea generalized
                               from particular instances

                           « Domain »
                             – a sphere of knowledge, influence, or activity

                                            Domains contain Concepts

Adam Shostack




      « What the industry needs is more data
        in order to form proper conclusions »




I got your “more data”!




Donn Parker

         Frequent-ism

      Because the true number of data breaches is an
        unknown-unknown, any data set we collect may be too
        small to analyze statistically.
      « Risk-based security is impossible »
      « Diligence-based security is what we need »


Parker-nomics
                           • Risk-based approaches are
                             nothing more than data
                             alchemy
                           • There is simply not enough
                             public data available to draw
                             any statistically significant
                             conclusion once you assume that
                             the entire population of data
                             breaches or security failures
                             (realistically unknown) is vastly
                             larger than the sample

Example
                           Rogue Device Detection
                                (Sampling?)




Diligence-based Model
                            • Diligence to avoid negligence
                            • Compliance to meet or exceed
                              requirements of regulations, laws, and
                              standards to avoid penalties
                            • Enablement to meet business and
                              budget needs

                            « generally agreed upon best practices »




                            https://www.issa.org/Library/Journals/2008/January/Parker-A%20Diligence-Based%20Idealized%20Security%20Review.pdf

Alex Hutton


          Bayesian-ism
      Probability is a probable term…
      « Governance without metrics and
        models is superstition »
      « Governance with metrics and models
        describes capability to manage risk »
Hutton-nomics
                           • Risk management: Time to
                             blow it up and start over?
                           • Evidence-based risk
                             management
                             – Deconstructed, notional view
                               of risk
                           • Metrics based management,
                             governance, and risk
                             – Failure if lack of data

Managing Risk

                           « Managing risk means
                             aligning the capabilities of
                             the organization, and the
                             exposure of the
                             organization with the
                             tolerance of the data
                             owners »

                                          - Jack Jones

Managing Risk

                           « Risk management may be
                             hard (or even impossible)…
                             … but we all manage risk »

                                          - Me

Spheres of Expertise

                             You don’t know everything
                                « We > You »
                             Practitioners don’t know everything
                                 « Experts > Practitioners »
                             Next up…
                                « Reputational weighted value »

                             Success = more detailed info, per
                                domain
Domains of Knowledge
                                Expertise




Sounds simple? Nope
                            « Education, education,
                              education »

                            « Flexibility of Domains »

                            « More data (per domain) for
                              risk modeling »



Conclusion

      « Seek first to understand and then to
        be understood »
      « Holistic information security »
      « Intra-connectedness of domains drive
        value of (risk) data »




