Applied Quantitative Risk Analysis presented at BSidesLasVegas 2018

by Michael Rich

Summary: My experiences with qualitative risk analysis have never been satisfying. The categories used to bin the risks seemed arbitrary. I couldn’t see how to consistently compare one risk to another. I couldn’t combine risk assessments from multiple sources. I wasn’t sure how many “Low” risks it took to overwhelm a “High” risk, and I couldn’t easily defend my analyses. In 2016 Douglas Hubbard and Richard Seiersen released the book “How to Measure Anything in Cybersecurity Risk”, which covers the science of measurement, the Monte Carlo simulation technique, and their application to cybersecurity risk. I was instantly hooked. Here was a repeatable, consistent, statistically valid method to really get a grasp on my risks. But learning about something is easy; applying it is hard. This talk will go over the basics of quantitative risk analysis techniques and my experiences with applying them at my current job. Attendees will leave with guidelines for practical application of the techniques as well as a link to a GitHub repo where the tools I use are freely available.