Cybersecurity, especially traditional security, has stagnated: adding security controls has not appreciably improved outcomes, and we continue to struggle with basic problems like vulnerabilities. Safety faced a similar problem 10-15 years ago; scientists and practitioners saw that safety outcomes were stagnant and concluded that the traditional method of avoiding accidents through centralized policies, procedures, and controls was no longer driving improvements.
I believe we’re seeing the same thing in security: historically, we’ve focused on constraining worker behavior to prevent cybersecurity breaches, and the limits of that approach are becoming increasingly clear. Adapting concepts from Safety Differently and Safety II offers a solution, by supporting success and focusing on positive capacities. In this talk, I will present practical advice on how to create a security program based on modern safety principles using evidence from both security and safety, and how it changes the role of the security professional.
Slides
My slides with notes, including references, are here.
Video
The talk was recorded, and I will post a link when it becomes available!
SIRAcon 2024 wrapped up last Thursday, and once again the conference didn’t disappoint! We had an amazing line-up of speakers this year, and all of the talks were excellent! We also had a diversity of talks: academic and non-academic, quantitative and qualitative approaches, confidentiality and availability, technical and human risk. All but one of the talks were recorded; they are currently available to attendees on the conference website and will be available to members on the SIRA website after they are uploaded.
Once again, I was honored to be selected as a speaker, and my talk, “UnFAIR: Simplifying and Expanding Technology Risk Quantification,” was well received, and even generated some agreeable disagreement! While some disputed my assertion that FAIR (Factor Analysis of Information Risk) is not suited to risks outside of cybersecurity, I stand by it: FAIR can be used to quantify any risk, but its language, once you get past the top level, is specific to the cybersecurity domain and can be confusing for other types of risk, such as operational risk.
quantrr
In my talk, I presented a demo of a new Risk Quantification tool designed to be more flexible, use statistical distributions that better fit the data, and ultimately meet the needs of an analyst who is trying to start a risk quantification practice with limited time and no budget.
Since attendees expressed interest in trying out the tool, I wanted to make it more accessible, including to people with little or no experience using R. To address this, I spent time this week repackaging the demo and am excited to announce version 1.0 of quantrr (QUANT-R)! quantrr is bundled as an R package (library) and includes documentation on how to quickly get started using a “standalone” version and how to integrate quantrr into your existing R analysis and publishing workflow. Using the Quick Start instructions, you should be able to have an example report based on the demo up and running in less than an hour.
If you’ve learned FAIR or read Hubbard’s How to Measure Anything and want to get started quantifying risk with something other than Excel, give quantrr a try!
It’s very much an MVP release, by design, to get early reactions. I already have some things that I’d like to improve, and I would greatly appreciate feedback from any and all who give it a try, either sent to me directly or through GitHub. Reproducible bugs, feature requests, and pull requests are all welcome; I’d love to see it evolve into a community-supported project and be submitted to CRAN to become an official R package!
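To make concrete what a FAIR- or HTMA-style quantification does under the hood, here is an added example in base R. It is not quantrr’s code and does not use quantrr’s API; it assumes a Poisson loss event frequency and a lognormal per-event loss magnitude parameterized from a calibrated 90% confidence interval (the Hubbard-style estimate), and the scenario numbers are constructed for illustration.

```r
# Added example, not part of quantrr: Monte Carlo annualized loss simulation.
# Assumptions (not from the original post): loss event frequency ~ Poisson(lambda),
# per-event loss magnitude ~ lognormal fitted to a calibrated 90% CI (5th/95th pct).
set.seed(42)

# Convert a 90% confidence interval (lo, hi) on a positive quantity into
# lognormal parameters: ln(hi) = mu + z*sigma and ln(lo) = mu - z*sigma, z = qnorm(0.95).
lognormal_from_ci <- function(lo, hi) {
  mu <- (log(lo) + log(hi)) / 2
  sigma <- (log(hi) - log(lo)) / (2 * qnorm(0.95))
  list(meanlog = mu, sdlog = sigma)
}

# Simulate n_years of annual loss for one scenario: draw the number of events
# each year, then draw and sum a magnitude for each event.
simulate_annual_loss <- function(lambda, lo, hi, n_years = 10000) {
  p <- lognormal_from_ci(lo, hi)
  events <- rpois(n_years, lambda)
  vapply(events, function(k) {
    if (k == 0) 0 else sum(rlnorm(k, p$meanlog, p$sdlog))
  }, numeric(1))
}

# Constructed scenario (hypothetical numbers): ransomware on a file server,
# roughly 0.3 events per year, 90% CI on per-event loss of $50k to $2M.
losses <- simulate_annual_loss(lambda = 0.3, lo = 5e4, hi = 2e6)

# Summary statistics an analyst would report alongside the full distribution.
summary_stats <- c(
  mean = mean(losses),
  p50  = median(losses),
  p90  = unname(quantile(losses, 0.90)),
  p99  = unname(quantile(losses, 0.99))
)
print(round(summary_stats))

# Loss exceedance table: probability that annual loss exceeds each threshold.
thresholds <- c(0, 1e5, 5e5, 1e6, 5e6)
exceedance <- sapply(thresholds, function(t) mean(losses > t))
print(data.frame(threshold = thresholds, p_exceed = exceedance))

# Loss exceedance curve, P(loss > x), on a log x-axis. Zero-loss years are
# excluded from the x values (log scale) but still counted in the probabilities.
xs <- sort(losses[losses > 0])
ys <- 1 - ecdf(losses)(xs)
plot(xs, ys, type = "l", log = "x",
     xlab = "Annual loss (USD)", ylab = "P(annual loss > x)",
     main = "Loss exceedance curve (constructed scenario)")
```

The exceedance curve, rather than a single expected loss, is usually what decision makers need: it answers "how likely is a year worse than X" directly. Swapping the frequency or magnitude distribution (for example a PERT or a beta-binomial frequency) only changes the two draw calls, which is the kind of flexibility the post refers to.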
Slides
Slides from my talk are available here, and this is the link from the QR code I shared at the end.
Someone on a local Slack group was looking for security conferences where they could present. Prompted by this, I went looking for a good list, and because I couldn’t find one, I created one!
Here’s my list of high-quality conferences where I’ve attended, presented, or would submit to in the future. This list is tailored towards cybersecurity professionals, and excludes academic conferences.
Minnesota
There are two notable security conferences in Minnesota, Secure360 and the Cybersecurity Summit.
Secure360: a strong regional conference held in May, currently at the conference center at Mystic Lake in Prior Lake. It’s been held for almost 20 years and was formed when the local chapters of security professional associations (ISSA, ASIS, BCPA, ISFA, ISACA) banded together to put on a conference. (A photo of my 2024 talk, Security Differently, is the top center photo here.)
Cybersecurity Summit: the other major security conference in MN, held in October, now in its 14th year. It was started by the University of MN in partnership with MN-based corporations, other academic institutions, and government partners.
SiRA
As a SiRA member and former board member, SiRAcon gets a special mention.
SiRAcon: the annual conference of SiRA, the Society of Information Risk Analysts. SiRA was started in Minnesota, but now has a national and international reach. SiRA focuses on risk quantification and improving the practice of risk analysis applied to cybersecurity and technology. SiRAcon has no set date, and was last held August 20-22, 2024. SiRA members have access to recordings of past conferences.
USA
There are several US-based cybersecurity conferences, including the most well-known (RSA and Black Hat / DEFCON), as well as national conferences for professional associations. Many have additional venues outside the US:
RSA Conference USA: AFAIK, the largest security conference in the world, held annually in San Francisco in May. It’s expensive and highly competitive for talk submissions.
Black Hat USA and DEFCON: DEFCON was the original “Hacker” conference first held in Las Vegas in 1993. Black Hat started in 1997 as the “corporate” version of DEFCON. Both are held back to back in Las Vegas in August.
Security BSides: a loosely affiliated group of conferences, originally started to feature talks rejected from Black Hat, and later RSA. BSidesSF and BSidesLV are held roughly concurrently with the main conferences (RSA, Black Hat).
OWASP Global AppSec: Originally AppSec USA, OWASP hosts a global Application Security focused conference in the fall (September 2024 and November in 2025 and 2026).
ISC2 Security Congress: the annual conference held by ISC2, which is best known for creating the CISSP certification, held in October.
ISACA North America: the US-based conference of ISACA, which covers both security audit (CISA) and security management (CISM), held in May.
Canada
There are two Canadian conferences I’ve attended - each only once, but both were high quality.
CanSecWest - held in Vancouver in March, a highly technical conference, and the originators of the Pwn2Own contest.
SecTor - originally an independent conference held in Toronto, it is now associated with Black Hat and in its 18th year.