Risk: It’s not just a game from Parker Brothers (presented at BSidesOrlando 2017)

by Michael Brown

Summary: As IT security professionals, we know very well the threats and vulnerabilities that affect our clients, but we seldom present them to executives in a form they understand: risk. Risk is something businesses should understand, and it is how we should be communicating issues to them, yet many IT security professionals do not understand the concepts of IT risk.
In this session we will go over a couple of basic frameworks for risk management (ISO 27005/31010 and NIST 800-30R1). We will review the ideas of identifying risk, conducting a risk assessment, and determining the responses to risk. Many of the concepts of risk (appetite, tolerance, register, transfer, avoid, mitigate, accept) will be explained. We will also give a high-level overview of the major risk management frameworks: OCTAVE, FAIR, and NIST 800-37. A review of further resources (books, training, etc.) will be provided.
At the end of this session, attendees will come away with a better understanding of the basics of risk and be on their way to articulating it to their employers or clients.