After speaking at The Last H.O.P.E. in 2008, I wanted to come up with another talk I could give on a topic that would interest the 2600 community. After racking my brain for some cool thing I had done that would interest them, I finally figured out what skill I possessed that I could pass on to these computer security enthusiasts, network administrators, IT professionals and people interested in security in general.
From The Full List of Talks:
Risk Analysis for Dummies
We all get that â€œgut feelingâ€ about what is risky, but how do we communicate that to managers or other people in a meaningful way? And how can we determine what risks are worse than others in a justifiable manner? How do you even define â€œrisk?â€ In this talk, youâ€™ll learn about the most up to date methods of identifying risk, evaluating risk, and communicating risk to others, as well as some models used by the U.S. government and others to identify attack targets, evaluate building security, diagram attacks, and more. And no math problems harder than simple addition, guaranteed.
Friday 2100 Bell
The synopsis doesn’t really capture what I hope this talk will be. It’s intended for IT professionals and aspiring penetration testers to understand how to take their experience and their intuition regarding what risks and vulnerabilities are int heir network and relate it in a quantifiable manner to managers and clients who may not either believe in their expertise or want to have to justify that new security staff and all those expensive security appliances. I plan to cover:
- The equation for risk
- How to scope a problem
- How to show results of an analysis
- Types of scales and how to use them
- Factor based models and their use
- The six questions of risk analysis and management
Here’s the list of other talks for Friday.
If anyone has any suggestions for topics to cover, drop me a comment.