FLUSHING AWAY PRECONCEPTIONS OF RISK
Thom Langford
@thomlangford
September 2014
DISCLAIMER
The opinions expressed in this presentation are my own and do not necessarily represent those of my employer.
@thomlangford
• our interpretation of risk
• our measurement of risk
• our effective treatment of risk
THE INTERPRETATION OF RISK
riskier?
49 sq/in
1,676 sq/in
3,295 sq/in
20,961 sq/in
25,127 sq/in
“perceived” risk
“hygiene” risk
“actual” risk
THE MEASUREMENT OF RISK 
Malik, Javvad (2014-05-12). The CISSP companion handbook: A collection of tales, experiences and straight up fabrications fitted into the 10 CISSP domains of information security (Kindle Locations 918-923). Kindle Edition.
The Malik Risk Model, Ver 1.0

Likelihood \ Impact | Won’t Hurt            | Is that the best you got?             | Ouch!                                 | Holy Crap!
Ain’t Happening     | “a swift half”        | “it’s your round”                     | “easy Tiger…”                         | “hold my drink Steve”
Possibly            | “it’s your round”     | “easy Tiger…”                         | “hold my drink Steve”                 | “Get off him Dave, he ain’t worth it”
It’s On             | “easy Tiger…”         | “hold my drink Steve”                 | “Get off him Dave, he ain’t worth it” | “cab to A&E please”
Holy Crap!          | “hold my drink Steve” | “Get off him Dave, he ain’t worth it” | “cab to A&E please”                   | “Ambulance please”
The Langford/Malik Risk Model, ver 1.0

Columns are the ease of exploitation (I’m a Ninja / I’m a drunk Ninja / I’m drunk); each asset value has one row per likelihood of threat.

Asset value | Likelihood of threat | I’m a Ninja           | I’m a drunk Ninja     | I’m drunk
Arm         | Ain’t Happening      | “It’s your round”     | “have a word, mate”   | “easy Tiger…”
Arm         | It’s On!             | “have a word, mate”   | “easy Tiger…”         | “cheeky slap”
Arm         | Holy Crap!           | “easy Tiger…”         | “cheeky slap”         | “get off him Dave”
Leg         | Ain’t Happening      | “have a word, mate”   | “easy Tiger…”         | “cheeky slap”
Leg         | It’s On!             | “easy Tiger…”         | “cheeky slap”         | “get off him Dave”
Leg         | Holy Crap!           | “cheeky slap”         | “get off him Dave”    | “Let’s ‘ave it then”
Chest       | Ain’t Happening      | “easy Tiger…”         | “cheeky slap”         | “get off him Dave”
Chest       | It’s On!             | “cheeky slap”         | “get off him Dave”    | “Let’s ‘ave it then”
Chest       | Holy Crap!           | “get off him Dave”    | “Let’s ‘ave it then”  | “cab to A&E please”
Face        | Ain’t Happening      | “cheeky slap”         | “get off him Dave”    | “Let’s ‘ave it then”
Face        | It’s On!             | “get off him Dave”    | “Let’s ‘ave it then”  | “cab to A&E please”
Face        | Holy Crap!           | “Let’s ‘ave it then”  | “cab to A&E please”   | “Ambulance please”
Testicles   | Ain’t Happening      | “get off him Dave”    | “Let’s ‘ave it then”  | “cab to A&E please”
Testicles   | It’s On!             | “Let’s ‘ave it then”  | “cab to A&E please”   | “Ambulance please”
Testicles   | Holy Crap!           | “cab to A&E please”   | “Ambulance please”    | “Mortuary please”
[The Langford/Malik Risk Model ver 1.0 table, repeated with the caption: 18-24 YEAR OLD (SINGLE & UP FOR IT)]
[The Langford/Malik Risk Model ver 1.0 table, repeated with the caption: 40 YEAR OLD (MARRIED WITH KIDS)]
ISO 27005 Risk Model

Likelihood of threat   |  Low             |  Medium          |  High
Ease of exploitation   | Low  Med  High   | Low  Med  High   | Low  Med  High
Asset value 0          |  0    1    2     |  1    2    3     |  2    3    4
Asset value 1          |  1    2    3     |  2    3    4     |  3    4    5
Asset value 2          |  2    3    4     |  3    4    5     |  4    5    6
Asset value 3          |  3    4    5     |  4    5    6     |  5    6    7
Asset value 4          |  4    5    6     |  5    6    7     |  6    7    8
IN PRACTICE
WHAT’S WRONG WITH ORDINALS?
H / M / L
Nobody uses “green” because it means no more budget.
And nobody uses “red” because it means failure.
Therefore the risk world becomes “amber”.
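The ISO 27005 matrix above is additive (score = asset value + likelihood index + ease-of-exploitation index, 0 to 8), and the Langford/Malik table follows the same shape with one phrase per score. The following is an added example, not code from the deck or from Thom Langford: it rebuilds the ISO 27005 table as printed, labels each score with the phrase read off the Langford/Malik table, and then counts how the 45 cells fall into L/M/H buckets to make the “everything becomes amber” effect measurable. The bucket thresholds and all function names are assumptions for illustration; ISO 27005 does not prescribe them.

```python
"""ISO 27005 additive risk matrix and its collapse into traffic-light ordinals.

Added example, not part of Thom Langford's deck. Rebuilds the ISO 27005 table
shown on the slide (score = asset value + likelihood index + ease index, 0-8),
labels each score with the Langford/Malik phrase read off the deck's own table,
and counts how the 45 cells land in L/M/H buckets. The bucket thresholds are an
assumption (not from the deck or the standard), chosen to show the effect.
"""
from itertools import product

LEVELS = ("Low", "Medium", "High")   # likelihood and ease-of-exploitation scale -> index 0, 1, 2
ASSET_VALUES = range(5)              # asset value 0-4, as on the slide

# Langford/Malik phrases, one per score 0-8, in the order they appear across the deck's table.
LANGFORD_MALIK = (
    "It's your round",      # 0
    "have a word, mate",    # 1
    "easy Tiger…",          # 2
    "cheeky slap",          # 3
    "get off him Dave",     # 4
    "Let's 'ave it then",   # 5
    "cab to A&E please",    # 6
    "Ambulance please",     # 7
    "Mortuary please",      # 8
)


def iso27005_score(asset_value, likelihood, ease):
    """Risk score as in the ISO 27005 matrix on the slide: a plain sum of the three indices."""
    if asset_value not in ASSET_VALUES:
        raise ValueError(f"asset value must be 0-4, got {asset_value}")
    return asset_value + LEVELS.index(likelihood) + LEVELS.index(ease)


def iso27005_table():
    """The 5x9 grid exactly as printed: rows = asset value 0-4, columns = (likelihood, ease)
    pairs with likelihood varying slowest, matching the slide's column order."""
    columns = list(product(LEVELS, LEVELS))
    return [[iso27005_score(av, lik, ease) for lik, ease in columns] for av in ASSET_VALUES]


def langford_malik_label(score):
    """Map a 0-8 score to the deck's phrase; the two tables line up cell for cell."""
    return LANGFORD_MALIK[score]


def to_ordinal(score, thresholds=(3, 6)):
    """Collapse a 0-8 score to L/M/H. Thresholds are an assumption for illustration:
    scores below the first are L, below the second are M, the rest are H."""
    low_upper, medium_upper = thresholds
    if score < low_upper:
        return "L"
    if score < medium_upper:
        return "M"
    return "H"


def score_histogram():
    """How many of the 45 cells carry each score 0-8 (the middle scores dominate)."""
    counts = [0] * len(LANGFORD_MALIK)
    for row in iso27005_table():
        for score in row:
            counts[score] += 1
    return counts


def ordinal_distribution(thresholds=(3, 6)):
    """Cells per L/M/H bucket. With the default thresholds the middle bucket takes 25 of 45
    cells, which is the "amber" the slide complains about."""
    counts = {"L": 0, "M": 0, "H": 0}
    for row in iso27005_table():
        for score in row:
            counts[to_ordinal(score, thresholds)] += 1
    return counts


def hidden_scores(thresholds=(3, 6)):
    """Distinct scores each bucket folds together: the information the ordinal throws away."""
    buckets = {"L": set(), "M": set(), "H": set()}
    for score in range(len(LANGFORD_MALIK)):
        buckets[to_ordinal(score, thresholds)].add(score)
    return {bucket: sorted(scores) for bucket, scores in buckets.items()}


if __name__ == "__main__":
    for av, row in zip(ASSET_VALUES, iso27005_table()):
        print(av, row, [langford_malik_label(s) for s in row])
    print("score histogram 0-8:", score_histogram())
    print("L/M/H distribution:", ordinal_distribution())
    print("scores hidden per bucket:", hidden_scores())
```

Changing the thresholds moves cells between buckets but never recovers the lost distinction: any three-colour scheme over nine scores hides at least six of them, which is the point of keeping the numeric score alongside the colour when the register is reviewed.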
Nassim Nicholas Taleb, “The Black Swan”
THE TREATMENT OF RISK
CAUSATION VS CORRELATION
[Chart: per capita consumption of cheese (US), pounds (USDA), plotted against the number of people who died by becoming tangled in their bedsheets, deaths (US) (CDC), 2000 to 2009.]
Source: Spurious Correlation, www.tylervigen.com
FLEXIBLE RISK RESPONSE
TAKEAWAYS
TAKEAWAY #1
• Recognise and understand the difference between “hygiene” risks and “actual” risks.
TAKEAWAY #2
• Spot patterns in your risks over time. What has become a commodity? What were the black swans?
TAKEAWAY #3
• A risk hasn’t been mitigated just because it hasn’t happened; don’t suffer a placebo effect.
thom@thomlangford.com 
@thomlangford 
uk.linkedin.com/in/thomlangford

 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 

44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford

  • 1. FLUSHING AWAY PRECONCEPTIONS OF RISK Thom Langford! @thomlangford September 2014
  • 2. DISCLAIMER The opinions expressed in this presentation are my own and do not necessarily represent those of my employer @thomlangford
  • 3. • our interpretation of risk! • our measurement of risk! • our effective treatment of risk @thomlangford
  • 4. THE INTERPRETATION OF RISK riskier? @thomlangford
  • 19. THE MEASUREMENT OF RISK @thomlangford
  • 20. The Malik Risk Model! Ver 1.0 (Malik, Javvad (2014-05-12). The CISSP companion handbook: A collection of tales, experiences and straight up fabrications fitted into the 10 CISSP domains of information security (Kindle Locations 918-923). Kindle Edition.)

    | Likelihood \ Impact | Won't Hurt             | Is that the best you got?               | Ouch!                                   | Holy Crap!                              |
    |---------------------|------------------------|-----------------------------------------|-----------------------------------------|-----------------------------------------|
    | Ain't Happening     | "a swift half"         | "it's your round"                       | "easy Tiger…"                           | "hold my drink Steve"                   |
    | Possibly            | "it's your round"      | "easy Tiger…"                           | "hold my drink Steve"                   | "Get off him Dave, he ain't worth it"   |
    | It's On             | "easy Tiger…"          | "hold my drink Steve"                   | "Get off him Dave, he ain't worth it"   | "cab to A&E please"                     |
    | Holy Crap!          | "hold my drink Steve"  | "Get off him Dave, he ain't worth it"   | "cab to A&E please"                     | "Ambulance please"                      |

    @thomlangford
  • 21. The Langford/Malik Risk Model ver 1.0. Three factors: Likelihood of threat (Ain't Happening / It's On! / Holy Crap!), Ease of Exploitation (I'm a Ninja / I'm a drunk Ninja / I'm drunk) and Asset Value (Arm / Leg / Chest / Face / Testicles). One sub-table per likelihood level:

    Likelihood of threat: Ain't Happening

    | Asset Value | I'm a Ninja          | I'm a drunk Ninja    | I'm drunk            |
    |-------------|----------------------|----------------------|----------------------|
    | Arm         | "It's your round"    | "have a word, mate"  | "easy Tiger…"        |
    | Leg         | "have a word, mate"  | "easy Tiger…"        | "cheeky slap"        |
    | Chest       | "easy Tiger…"        | "cheeky slap"        | "get off him Dave"   |
    | Face        | "cheeky slap"        | "get off him Dave"   | "Let's 'ave it then" |
    | Testicles   | "get off him Dave"   | "Let's 'ave it then" | "cab to A&E please"  |

    Likelihood of threat: It's On!

    | Asset Value | I'm a Ninja          | I'm a drunk Ninja    | I'm drunk            |
    |-------------|----------------------|----------------------|----------------------|
    | Arm         | "have a word, mate"  | "easy Tiger…"        | "cheeky slap"        |
    | Leg         | "easy Tiger…"        | "cheeky slap"        | "get off him Dave"   |
    | Chest       | "cheeky slap"        | "get off him Dave"   | "Let's 'ave it then" |
    | Face        | "get off him Dave"   | "Let's 'ave it then" | "cab to A&E please"  |
    | Testicles   | "Let's 'ave it then" | "cab to A&E please"  | "Ambulance please"   |

    Likelihood of threat: Holy Crap!

    | Asset Value | I'm a Ninja          | I'm a drunk Ninja    | I'm drunk            |
    |-------------|----------------------|----------------------|----------------------|
    | Arm         | "easy Tiger…"        | "cheeky slap"        | "get off him Dave"   |
    | Leg         | "cheeky slap"        | "get off him Dave"   | "Let's 'ave it then" |
    | Chest       | "get off him Dave"   | "Let's 'ave it then" | "cab to A&E please"  |
    | Face        | "Let's 'ave it then" | "cab to A&E please"  | "Ambulance please"   |
    | Testicles   | "cab to A&E please"  | "Ambulance please"   | "Mortuary please"    |

    @thomlangford
  • 22. The Langford/Malik Risk Model ver 1.0 (same matrix as slide 21), stamped: 18-24 YEAR OLD (SINGLE & UP FOR IT) @thomlangford
  • 23. The Langford/Malik Risk Model ver 1.0 (same matrix as slide 21), stamped: 40 YEAR OLD (MARRIED WITH KIDS) @thomlangford
  • 24. ISO 27005 Risk Model (the Annex E example matrix: risk = Asset Value + Likelihood of threat + Ease of Exploitation, on a 0 to 8 scale)

    | Likelihood of threat | Low | Low    | Low  | Medium | Medium | Medium | High | High   | High |
    | Ease of Exploitation | Low | Medium | High | Low    | Medium | High   | Low  | Medium | High |
    |----------------------|-----|--------|------|--------|--------|--------|------|--------|------|
    | Asset Value 0        | 0   | 1      | 2    | 1      | 2      | 3      | 2    | 3      | 4    |
    | Asset Value 1        | 1   | 2      | 3    | 2      | 3      | 4      | 3    | 4      | 5    |
    | Asset Value 2        | 2   | 3      | 4    | 3      | 4      | 5      | 4    | 5      | 6    |
    | Asset Value 3        | 3   | 4      | 5    | 4      | 5      | 6      | 5    | 6      | 7    |
    | Asset Value 4        | 4   | 5      | 6    | 5      | 6      | 7      | 6    | 7      | 8    |

    Stamped: IN PRACTICE @thomlangford
  • 25. WHAT'S WRONG WITH ORDINALS? (H / M / L) Nobody uses "green" because it means no more budget. And nobody uses "red" because it means failure. Therefore the risk world becomes "amber". @thomlangford
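Slides 21 to 24 make one point by juxtaposition: the pub-fight matrix and the ISO/IEC 27005 Annex E matrix are the same arithmetic. Annex E adds asset value (0 to 4), likelihood (0 to 2) and ease of exploitation (0 to 2) to give a score from 0 to 8, and the Langford/Malik model simply puts nine words on the nine rungs. The Python below is an added example, not code from the talk or from ISO; it implements the additive matrix, transcribes the slide 21 table and checks it cell by cell against the formula, then counts how the 45 cells fall into green, amber and red, which is the pile-up slide 25 complains about. The band cut-offs (0 to 2 green, 3 to 5 amber, 6 to 8 red) are an assumption of this example, not something the slides or the standard specify.

```python
"""ISO/IEC 27005 Annex E style additive risk matrix (slide 24) and the
Langford/Malik relabelling of it (slide 21). Added example, not the talk's code.
The green/amber/red cut-offs are an assumption of this example."""
from collections import Counter
from itertools import product

# ISO 27005 ordinal scales: asset value 0..4, likelihood 0..2, ease 0..2.
ASSET_VALUES = range(5)
LEVELS = {"Low": 0, "Medium": 1, "High": 2}

# Slide 21 vocabulary. The nine verdicts are rungs 0..8 of a single ordinal scale.
PUB_SCALE = [
    "It's your round", "have a word, mate", "easy Tiger…", "cheeky slap",
    "get off him Dave", "Let's 'ave it then", "cab to A&E please",
    "Ambulance please", "Mortuary please",
]
PUB_LIKELIHOOD = {"Ain't Happening": 0, "It's On!": 1, "Holy Crap!": 2}
PUB_EASE = {"I'm a Ninja": 0, "I'm a drunk Ninja": 1, "I'm drunk": 2}
PUB_ASSET = {"Arm": 0, "Leg": 1, "Chest": 2, "Face": 3, "Testicles": 4}

# Slide 21 as transcribed: per asset row, columns run likelihood-major, then ease.
SLIDE_21 = {
    "Arm": ["It's your round", "have a word, mate", "easy Tiger…",
            "have a word, mate", "easy Tiger…", "cheeky slap",
            "easy Tiger…", "cheeky slap", "get off him Dave"],
    "Leg": ["have a word, mate", "easy Tiger…", "cheeky slap",
            "easy Tiger…", "cheeky slap", "get off him Dave",
            "cheeky slap", "get off him Dave", "Let's 'ave it then"],
    "Chest": ["easy Tiger…", "cheeky slap", "get off him Dave",
              "cheeky slap", "get off him Dave", "Let's 'ave it then",
              "get off him Dave", "Let's 'ave it then", "cab to A&E please"],
    "Face": ["cheeky slap", "get off him Dave", "Let's 'ave it then",
             "get off him Dave", "Let's 'ave it then", "cab to A&E please",
             "Let's 'ave it then", "cab to A&E please", "Ambulance please"],
    "Testicles": ["get off him Dave", "Let's 'ave it then", "cab to A&E please",
                  "Let's 'ave it then", "cab to A&E please", "Ambulance please",
                  "cab to A&E please", "Ambulance please", "Mortuary please"],
}


def iso27005_score(asset_value: int, likelihood: int, ease: int) -> int:
    """Annex E example matrix: risk = asset value + likelihood + ease, giving 0..8."""
    if asset_value not in ASSET_VALUES:
        raise ValueError(f"asset value must be 0..4, got {asset_value}")
    if likelihood not in (0, 1, 2) or ease not in (0, 1, 2):
        raise ValueError("likelihood and ease must be 0..2")
    return asset_value + likelihood + ease


def pub_verdict(asset: str, likelihood: str, ease: str) -> str:
    """Slide 21 lookup done with slide 24's arithmetic: identical sums, different words."""
    score = iso27005_score(PUB_ASSET[asset], PUB_LIKELIHOOD[likelihood], PUB_EASE[ease])
    return PUB_SCALE[score]


def slide21_matches_iso27005() -> bool:
    """Check every transcribed slide 21 cell against the additive formula."""
    for asset, row in SLIDE_21.items():
        for col, (lik, ease) in enumerate(product(range(3), range(3))):
            if row[col] != PUB_SCALE[iso27005_score(PUB_ASSET[asset], lik, ease)]:
                return False
    return True


def band(score: int, low_max: int = 2, medium_max: int = 5) -> str:
    """Collapse 0..8 onto a traffic light. The cut-offs are this example's assumption."""
    if score <= low_max:
        return "green"
    if score <= medium_max:
        return "amber"
    return "red"


def all_cells():
    """Every (asset, likelihood, ease) combination: 5 * 3 * 3 = 45 cells."""
    return product(ASSET_VALUES, range(3), range(3))


def score_distribution() -> Counter:
    """How many of the 45 cells produce each score 0..8 (a triangle peaking at 4)."""
    return Counter(iso27005_score(a, l, e) for a, l, e in all_cells())


def band_distribution(low_max: int = 2, medium_max: int = 5) -> Counter:
    """How many cells end up green, amber and red under the chosen cut-offs."""
    return Counter(band(iso27005_score(a, l, e), low_max, medium_max)
                   for a, l, e in all_cells())


if __name__ == "__main__":
    print("slide 21 == ISO 27005 Annex E:", slide21_matches_iso27005())
    print("score distribution:", dict(sorted(score_distribution().items())))
    print("band distribution:", dict(band_distribution()))
```

With these cut-offs 25 of the 45 cells are amber and only one cell each sits at the extremes, so the shape of the matrix, not the evidence about any particular risk, decides that most of the register reads "medium". Moving the cut-offs only moves the pile; an additive ordinal matrix cannot express that one "4" is a near-certain nuisance and another is a remote catastrophe.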
  • 26. Nassim Nicholas Taleb, "The Black Swan" @thomlangford
  • 34. CAUSATION VS CORRELATION [chart, 2000 to 2009: Per capita consumption of cheese (US), Pounds (USDA), plotted against Number of people who died by becoming tangled in their bedsheets, Deaths (US) (CDC)] Source: Spurious Correlation, www.tylervigen.com @thomlangford
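The cheese-against-bedsheets chart on slide 34 is the standard warning about spurious correlation, and it bites in risk work whenever two metrics that both drift over time (incident counts and headcount, patch backlog and revenue) are read as cause and effect. A cheap sanity check before trusting such a pair is to correlate the year-on-year changes rather than the raw levels: two series that merely share a trend lose their correlation once differenced, while a genuinely coupled pair keeps it. The Python below is an added example, not part of the talk; the two series are constructed stand-ins for the two curves, not the USDA or CDC figures from tylervigen.com.

```python
"""Spurious-correlation check for two yearly series (slide 34). Added example,
not from the talk. SERIES_A and SERIES_B are constructed stand-ins, not the
real USDA cheese or CDC bedsheet figures."""
from math import sqrt

YEARS = list(range(2000, 2010))
# Constructed: both series simply trend upwards; their step-to-step changes are unrelated.
SERIES_A = [10, 12, 13, 15, 16, 18, 19, 21, 22, 24]   # "cheese", arbitrary units
SERIES_B = [30, 31, 32, 34, 37, 40, 42, 44, 46, 48]   # "bedsheet deaths", arbitrary units


def pearson(xs, ys) -> float:
    """Pearson correlation coefficient of two equal-length series."""
    if len(xs) != len(ys) or len(xs) < 3:
        raise ValueError("need two series of equal length with at least 3 points")
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        raise ValueError("a constant series has no defined correlation")
    return cov / sqrt(vx * vy)


def first_differences(xs):
    """Year-on-year changes; a shared linear trend disappears under differencing."""
    return [b - a for a, b in zip(xs, xs[1:])]


def correlation_report(xs, ys) -> dict:
    """Correlation of the raw levels versus correlation of the changes."""
    return {
        "raw": pearson(xs, ys),
        "differenced": pearson(first_differences(xs), first_differences(ys)),
    }


def looks_spurious(xs, ys, threshold: float = 0.5) -> bool:
    """Strong correlation in the levels that vanishes in the changes is a red flag."""
    r = correlation_report(xs, ys)
    return abs(r["raw"]) >= threshold and abs(r["differenced"]) < threshold


if __name__ == "__main__":
    report = correlation_report(SERIES_A, SERIES_B)
    print(f"raw r = {report['raw']:.3f}, differenced r = {report['differenced']:.3f}")
    print("looks spurious:", looks_spurious(SERIES_A, SERIES_B))
```

On the constructed data the raw levels correlate at about 0.99 while the changes correlate at 0.0, so the pair is flagged. The check is one-directional: a correlation that survives differencing still is not proof of causation, and a lagged or non-linear dependency can fail it, so treat it as a filter for the obvious trend-on-trend artefacts, not as a verdict.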
  • 35. FLEXIBLE RISK RESPONSE @thomlangford
  • 37. TAKEAWAY #1 • Recognise and understand the difference between “hygiene” risks and “actual” risks @thomlangford
  • 38. TAKEAWAY #2 • Spot patterns in your risks over time. What has become a commodity? What were the black swans? @thomlangford
  • 39. TAKEAWAY #3 • A risk hasn’t been mitigated just because it hasn’t happened; don’t suffer a placebo effect. @thomlangford