Loading…
FloCon 2022 has ended
Back To Schedule
Thursday, January 13 • 2:30pm - 3:00pm
Managing Cyber Risks: Express Control Impact and Risk Analysis (ECI & RA)

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Organizations are aiming to change how they address cyber risks, from endless frameworks, checklists, and broadly complex maturity models to a more pragmatic risk management approach. There is currently no practical framework or method to help organizations determine how to strengthen their security practices given a specific security budget and compliance requirements. Partnering with the Software Engineering Institute at Carnegie Mellon University, we devised a novel cyber risk tool that will ease CISOs life, helping them manage cyber risks. The ECI & RA method (Express Control Impact and Risk Analysis) can be applied to any organization to provide CISOs with an express control impact and concise compliance prioritization strategy. The project’s main objective is to provide a more practical and methodological approach to efficiently allocate CISOs budget, resources, investments, projects, and efforts. The ECI & RA method will also aid CISOs to effectively justify their budget allocation to executives by creating a novel synergy between several renowned frameworks. Lastly, our method will provide the organization with a clear roadmap to manage cyber risks and comply with regulations and industry standards.

The ECI & RA method combines the following frameworks and resources:
FAIR
OCTAVE Allegro
TARA - MITRE
CMMC
NIST CSF
NIST SP 800-53

Our ECI & RA method combines several techniques and strategies implemented by renowned organizations like the International Monetary Fund (IMF) Strategy and Netflix’s Risk Quant Project - both of which provide support for using log-normal distribution for impact. ECI & RA accomplishes a loss exceedance curve calculation, which is the quantitative expression of risk, that is then used to recommend a prioritized set of NIST controls in alignment with the organization’s specific needs and constraints (e.g., budget, compliance requirements). Our method possesses three main stages: Risk Appetite determination, Risk Analysis, and Risk Mitigation Optimization. Each stage contains its own unique activities to achieve an effective express control impact and risk analysis strategy.

We provide an express control impact and risk analysis method to help any organization manage their risk according to their custom-tailored appetite, budgetary constraints, compliance requirements, and cybersecurity strategy. Our project aims to guide organizations to select mission-critical controls based on renowned frameworks that consider threat capabilities, current controls, and vulnerability factors. ECI & RA will help organizations to drive their cybersecurity strategy based on risk decision-making and framework compliance, setting organizations into the path of cyber risk automation.

Attendees Will Learn:
A novel and pragmatic approach to solve the complex issues that CISOs face every day: How to manage risks while optimizing resources and investments to minimize those risks effectively? The combination of MITRE cyber kill-chain, FAIR risk quantification, and CMMC & NIST CSF maturity landscapes allows our method to aid CISOs to change their suit-it-all strategies based on rigid best practices to actually addressing their organizations risks in a custom-tailor approach. We will help cybersecurity professionals to acquire a new path to automate cyber risk and control impact management, prioritize NIST 800-53 controls to enhance mission-critical controls that address the organization main risks.

Speakers
avatar for Muhammad Bin Oiad

Muhammad Bin Oiad

Supervisor of ICS Cybersecurity Risk, Saudi Aramco
Muhammad is a Cybersecurity Specialist with a 10-year experience in IT and OT in private andpublic sectors. Muhammad is currently the Supervisor of ICS Cybersecurity Risk in theInformation Security Department at Saudi Aramco.
avatar for Fabio Beltran

Fabio Beltran

Electronic Engineer, Central Bank of Colombia
Fabio is a highly experienced cybersecurity professional with special interest in cybersecurityrisk quantification. He is an electronic engineer, Master in Business and InformationTechnologies and Master of Science in Information Security Policy & Management. He iscurrently working... Read More →
avatar for Lucas Falivene

Lucas Falivene

ISO Expert, ISO
Lucas is a highly experienced cybersecurity professional with a solid base in business, information systems, information security, and government cybersecurity policy-making. A former Fulbright scholar with a Master of Science degree in Information Security Policy and Management at... Read More →
avatar for Sarah Sha

Sarah Sha

Consultant, PwC Consulting
Sarah is a recent graduate of Carnegie Mellon’s Information Security Policy & Managementprogram and holds a B.S. in Computer Science from Indiana University. She is currently workingfor PwC Consulting in the Cybersecurity, Privacy, & Forensics practice.
avatar for Yaman Yu

Yaman Yu

Privacy and Security Researcher, University of Illinois Urbana-Champaign
Yaman is a privacy and security researcher at the University of Illinois Urbana-Champaign. Shemainly works on proposing inclusive mechanisms for protecting privacy and improving userexperience.



Thursday January 13, 2022 2:30pm - 3:00pm EST