Positive Risk, ISACA Journal, and more NIST

ISACA asked me to write a short piece on my Journal article about risk communication. They published that here. I also wrote a blog post for the @ISACA newsletter about the trouble with positive risk. Lastly, NIST released an update to their ERM-Cyber integration standard and my friends at the FAIR Institute asked me toContinue reading “Positive Risk, ISACA Journal, and more NIST”

Presenting on Agent Based Risk Modeling at RSA Conference Next Week

RSA Conference is next week and I’m excited to share that I will be presenting on some work a a colleague and I have done on building an Agent-Based Model (ABM) using FAIR risk data. This should be an interesting discussion, so please join me next Wednesday at 2:50PM Pacific in Moscone West 2011. IContinue reading “Presenting on Agent Based Risk Modeling at RSA Conference Next Week”

FAIR Institute Champion Award

I was humbled this week when I was awarded the FAIR Champion award from the FAIR Institute at their annual conference last week at Carnegie Mellon in Pittsburgh, PA. Jack Jones has created this extraordinary thing in FAIR and it is and will continue to do nothing less than revolutionize our industry. That he decidedContinue reading “FAIR Institute Champion Award”

RSA 2018 Presentation Video

RSA posted my presentation from this year’s conference, Implementing a Quantitative Cyber-Risk Framework: A FinSrv Case Study. You can hear me explain the organizational environment and requirements and the automated risk assessment solutions I put in place to satisfy them. The slides are still available here.

ICYMI: Concept Creep: Why Cyber Risk Problems Never Get Solved

I had a great time writing this post for the FAIR Institute. I was inspired by post-doc David Levari of the Harvard Business School’s article in The Conversation called Why Your Brain Never Runs out of Problems to Find. In it he talks about how our brains have a sliding scale of what “badness” is overContinue reading “ICYMI: Concept Creep: Why Cyber Risk Problems Never Get Solved”

Using Risk to Justify Security Strategy and Spending

I wrote a piece for RiskLens* recently that talks about how to utilize FAIR for building and justifying an information security budget and strategic initiatives. Its an interesting problem space as there is a need to have the appropriate level of abstraction (program level versus technology level) but its also a very solvable problem toContinue reading “Using Risk to Justify Security Strategy and Spending”

Jack and Jack talk Risk Modeling at Cyber Risk NA

Jack & Jack @RiskDotNet‘s #CyberRiskNA in action! “There isn’t a single part of our problem space that can’t be quantified.” –@JonesFAIRiq Did you catch these two during this morning’s live panel? Let us know what you thought. pic.twitter.com/NiC6FD6rm7 — RiskLens (@RiskLens) March 20, 2018 I had a great time this week at Risk.Net’s Cyber RiskContinue reading “Jack and Jack talk Risk Modeling at Cyber Risk NA”