Cyber Performance and Risk Quantification: Enabling Security Decision Makers

Presented at Diana Initiative 2020 Virtual, Aug. 22, 2020, 2 p.m. (30 minutes)

**Abstract** Cyber risk has graduated from being a non-traditional risk to a mainstream risk that underpins major organizational capabilities. Security personnel – spread across the spectrum from operations to the echelons of the C-suite – are faced with the juxtaposition of risk and reward in a technology-enabled world. In this talk we explore what makes the task of taking prudent decisions to secure technology and reduce cyber risk arduous. We also discuss the need to diversify the cognitive intellect (gender, race, culture, etc.) that drives cyber risk mitigation, and how effective quantification techniques can strengthen decision making in the security realm. Elemental and strategic decisions are often taken based on experience rather than quantitative, data-driven analysis. In instances where decisions are taken to proactively mitigate risk, it is often inevitable to reflect and wonder whether resources were overspent on a threat that may never have materialized. After all, in the world of security the absence of certain outcomes is a measure of success. The inherent challenge in security decision making is often exacerbated by a plethora of unstructured and irrelevant data. The quantification of cyber risk is a supplemental and essential part of the security decision-making dialogue. At the lowest level, cyber performance quantification allows first-line defenders to track the effectiveness of activities across the board. At an executive level, quantification allows for prudent allocation of resources and intellect to bolster organizational defensive capabilities.

**Detail Outline**

* **Introduction [2 mins]**
  + Background and experience
  + Why cyber quantification matters
* **The decision maker's dilemma [6 mins]**
  + The security decision chain hierarchy
  + Data fatigue
  + Decision inertia
  + The hindsight bias: anticipating the known
  + Paradox of risk versus unknown or insufficient reward
* **Cognitive diversity in decision making [3 mins]**
  + Role of diversity in leveraging / mitigating risk
  + Role of diversity in reacting to risk
  + Role of intellectual diversity in prioritizing security decisions
* **The makings of robust quantification [6 mins]**
  + Quantification models
  + Active engagement
  + Consequence modeling
  + Contextualization of intelligence
  + Nudge theory
* **Benefits and parting words [3 mins]**
  + Enabling deliberate decision making
  + Increasing accountability
  + Increasing situational and consequence awareness

Presenters:

  • Mysore Shruthi - Speaker
    Mysore Shruthi is a Senior Cyber Risk Advisory Consultant. Her primary focus is on helping organizations gain data-driven transparency into security performance while managing cyber risk. Having lived in four countries, she brings her global perspectives on cyber risk decision science to industry clients. Outside of work, she invests her time in educating herself on the application of behavioral sciences within cyber security and some good, old-fashioned TV binge-ing!