Hi, I'm Jim Hietala, I'm VP Security with The Open Group, and I'll be talking today about risk analysis: measuring and managing cybersecurity risk. So for an agenda, I'll talk through why IT security risk analysis matters. I'll talk through some of the challenges in risk analysis, talk about some of The Open Group's activity in the area of risk analysis over the last few years, and then I'll wind up with a short overview of some of The Open Group cybersecurity activities. In talking about analyzing risk, I thought I would share a story, actually from my childhood, that was a classic risk analysis situation. Risk is often defined, and is defined in our Open Group standards, as the probable frequency and magnitude of future loss. In more common terms: how often are bad things likely to happen, and what's the impact going to be, how bad will it be when they do happen? I was on a canoe trip when I was in my teens, up in the wilderness of northern Minnesota and Canada, and we encountered a set of rapids like you see on this slide. We had to make a decision in the course of a very short time: do we take the risk, do we run the rapids or not? In our case, what happened to us was what happened to the fellows you see in the second photograph here. We got broadside in the rapids, our canoe wrapped around a rock, and, you know, bad things happened. The impact, which we failed to really think through before we decided to run these rapids, could have been a lot worse than it was, because the canoe could have been unsalvageable, our packs could have floated away never to be found again, and we could have been in a very bad situation.
In our case, we were able to pound the dent out of the canoe and recover our packs, and very little damage was done. But I tell this story really to illustrate that anything that helps you make better decisions around risk is a good thing, and so as I talk about some of the work The Open Group has done here, I hope you'll see that things like the Risk Taxonomy standard and the Risk Analysis standard can help you to do a better job of analyzing risk, determining how bad the impact of something bad happening can be, and making more informed risk decisions. I'll start by talking a little bit about the changing threat landscape, which I think is fundamental to risk analysis. Clearly, in today's world we've got issues like highly skilled, highly motivated attackers attacking our IT systems; you've got advanced persistent threats, maybe nation-states, other countries attacking critical infrastructure. It's a different threat landscape than it was 15 or 20 years ago, when what you had to worry about was teenage hackers trying to get into computer systems. So the threat is very different than it used to be, we've got hacktivism, threats are real, and that really elevates the importance of doing effective risk management and risk analysis. The other thing that really has changed in terms of IT security risk analysis is that there are huge and dramatic shifts in our IT systems, so you've got things like big data, BYOD, cloud, consumerization generally. All of those are changing the nature of our IT systems and changing where information is stored, and so I think you have to really think about what the threats are and analyze the risk to your data in the context of all that change in your IT systems. Clearly that also elevates the importance of doing effective risk analysis.
Some of the drivers for more effective IT security risk management include just getting a better understanding of your risk, and then effectively equipping you to make better decisions around how to manage it; helping you to prioritize security spend, so you know whether the IT security budget you've got is really being applied to the highest-priority risks, and getting an understanding of how much risk reduction you're buying with those security investments; and basically helping you protect your brand. In today's world, if I look at, for instance, the US, where there are a lot of data breach disclosure laws, if you're losing the information of your customers you're now having to go public with that, and that can hurt a company's brand and reputation. And then finally, meeting compliance requirements is a driver for better security risk management as well. As I alluded to earlier, risk management really is intended to inform your information security spending: to let you know if you're spending wisely on security controls, if your security controls are effective, whether your risk is increasing or decreasing, if you're protecting the right information assets, and whether you've left unprotected assets that need to be protected. Done right, risk analysis or risk management helps you make better decisions around things like that. So let's talk for a minute about some of the challenges in risk management. One that we saw five years ago, when we started our work in the area of risk analysis, has been the lack of a consistent and standard taxonomy for risk: ensuring that even when security professionals are talking about things like threat, vulnerability and risk they all mean the same thing, and then, more importantly, when you go to talk to senior management, just enabling a common vocabulary and understanding of what those terms are.
A second area of challenge is in the area of measurement and calibration. One of the things that we've seen around risk analysis, and the way it's done sometimes, is that ordinal scales (high, medium, low; one, two, three, four, five) really can mislead people in terms of understanding how much risk is really present. And certainly you can't take ordinal scales and compute with them, so if you multiply risks using high, medium and low you come out with meaningless data, so those can be kind of dangerous to use. We've also got judgment issues that are inherent in humans in the way we process information; we all have biases that are built up over the years that can oftentimes lead us to make wrong risk conclusions and estimations. Generally, in the area of risk management, you've got a lack of good data to point to, or frequently you do, so you have to be creative about finding sources of information to base your risk decisions upon. Communicating about risk can be a challenge, as I mentioned earlier: communicating with senior management about risk and vulnerability, threat and so forth. Senior management tends to care about risk a lot, but not so much about things like vulnerabilities in very technical terms, so framing the risk discussion in terms your senior managers can understand is key. And finally, compliance can be a risk management challenge. Many of the compliance regulations require you to do a risk analysis or risk assessment, but they don't provide much guidance in terms of how to do one, so you have a driver to do risk analysis, but we saw a gap there in terms of guidance about how to do effective risk analysis. We wrote a standard called the Risk Taxonomy standard about five years ago now; we recently updated it, just this week actually, in October 2013, and came out with a new version of that standard. It's freely available on our website.
We are also in the process of developing a certification program that I'll talk about in a few moments. We wrote a second standard called the Risk Analysis standard, which talks more to the process aspects of how to do an effective risk assessment. We also wrote a couple of guides a couple of years ago. One is called Requirements for Risk Assessment Methodologies, and it talks about some of the practical aspects of doing an effective risk assessment. And then we wrote a cookbook showing how to use the Risk Taxonomy standard, which is based upon FAIR (Factor Analysis of Information Risk), with ISO 27005, which is another popular risk management framework standard from ISO. And then finally I'll mention we published a fifth document called the Dependency Modeling standard, which looks at risk that you inherit from other parts of your supply chain perhaps, so it's dependent risk that you inherit from other organizations, kind of an interesting area. The Risk Analysis standard, as I mentioned, adds the process pieces regarding risk analysis, and covers things like an introduction to FAIR-based risk analysis; measurement and calibration issues that are necessary to do an effective risk analysis; the risk analysis process itself; and then finally it talks to some basic security control considerations when you're looking at the mitigation side of this, so you've uncovered some risk and you want to understand how best to mitigate it, so it talks to some of those available security controls. Then the Requirements for Risk Assessment Methodologies, as I mentioned, is really a companion document, a guide that gets into things like quantitative versus qualitative measurement, the need for subject matter expert involvement in doing effective risk analysis, and some of those data-gathering issues around where you find data to base your risk decisions on. And then the ISO 27005 cookbook really addresses that question of: if I want to use a detailed quantitative risk analysis methodology in the context of using ISO 27005 as a risk methodology, how do I do that, how do I relate the terms and the things we gather in a FAIR-based risk analysis to those same things?

So this week at The Open Group conference here in London, besides introducing the two standards that I mentioned, we're also launching the Open FAIR risk certification program. It's a people certification program, and over the next few slides I'll talk about what that program involves and how to get involved in it. Open FAIR certification is a knowledge-based certification, based upon candidates' knowledge of FAIR-based risk analysis and the principles, the taxonomy that I mentioned, and the Risk Analysis standard. It requires passing an exam at a Prometric test center, so we offer those exams worldwide via our program with Prometric. We'll have accredited training courses coming soon; the trainers, and we have a number of them that are interested in and committed to the program, we'll start accrediting their courses as of November 1st of this year. So at that point, when we have accredited courses, you'll have the option of taking a course, but you can also self-study for the exam just by studying the two standards, which really comprise the body of knowledge for the certification program: that's the Risk Taxonomy and the Risk Analysis standard. Currently there's one level of certification in the program, Open FAIR Foundation, and it's really a test of knowledge of terminology and those basic risk concepts that you find in FAIR and in the two standards, and the core principles of doing a FAIR-based risk analysis. The Risk Taxonomy standard, as I mentioned, is based upon FAIR, Factor Analysis of Information Risk, and it's a leading quantitative risk assessment methodology that's in use by a number of large organizations around the world. We have plans to do a second level of certification, a more advanced level, in 2014, so look for that sometime next year.
And then in terms of the exam itself, to tell a little bit about it: it is a multiple-choice exam, 80 questions, 120 minutes. It's a supervised exam; it's not open book, it's a closed-book exam. You can get more details by going to the Prometric website and looking up The Open Group FAIR certification; I think the test is OG0441. And then, as I alluded to, trainer accreditation will start November 1st. It requires that the trainers pass a supplemental exam, so that they're able to apply FAIR principles to a specific risk scenario and come up with the right conclusions and answers. It requires a commercial license for the trainer, as with our other TOGAF and ArchiMate training programs, and we'll also have a license of a training course from The Open Group for trainers to use, coming in November of this year. So let's talk a little bit about why this matters. To risk analysts, you know, I think it matters: having a couple of open standards to base your risk analysis on provides the basis for better quantitative risk assessments, and also having a professional certification program can help demonstrate your competence and knowledge to potential employers. To employers, obviously, it matters because they can get a larger pool of qualified risk analysts as we get more people certified through the program. And then for trainers and consultants, we think that this is a new business area, in a rapidly growing area, where it may make sense to offer training, so an interesting development. Just generally, why does this matter? As I mentioned at the start of the presentation, there are ever-increasing cybersecurity threats, more and more valuable information being stored in our IT systems, and therefore a real need to understand what those risks are, how they affect the business, and how we can best reduce the risk and manage it to protect our enterprises. So we think it's a valuable program, and I encourage you to take a look at it. There's more information on The Open Group website about the program.
And then finally, I thought I'd wrap up with an overview of some of the other Open Group security activities. Security is one of those things that really stripes across The Open Group in lots of areas: it certainly affects architecture, and it affects the new Platform 3.0 work that we're doing. Security work here at The Open Group is done in principally three different forums. We have the Security Forum, where we do standards and best practices for information security; we focus our work in the areas of security architecture and information security management, and risk management is obviously a big, big part of that activity. We've also, just as of this week actually, moved the activities that were done in the Jericho Forum for the last 10 years, around thought leadership and things like de-perimeterization and cloud computing security; the Jericho Forum has sunsetted its activities and we've moved all that work for care and maintenance into the Security Forum, so some of that work will continue in the Security Forum. The second group that does security work is our Real-Time and Embedded Systems Forum, where there's work done on things like MILS systems and software assurance. And then finally, the Open Trusted Technology Forum is a forum that we started a couple of years ago that really looks at the issues of supply chain security, looking at threats to the supply chain, currently in the areas of taint and counterfeit, so trying to ensure that the products, IT hardware and software products, that you buy and consume come from reliable suppliers and have a known set of security characteristics associated with them. So that's a broad brush of the security activities in The Open Group. There are a number of projects that we're doing in conjunction with the Architecture Forum to add security to the next version of TOGAF, and in other areas of the organization as well. So thank you for your time, and we invite you to find out more about The Open Group security activities in the areas of risk, around the Open FAIR certification and the two standards, or just generally by visiting our website at www.opengroup.org. We invite you to get involved as well; The Open Group is really run through our members, run by our members, and we're always looking for folks to contribute to our efforts. Thank you.
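As an added illustration of two points made in the talk above, the definition of risk as the probable frequency and magnitude of future loss, and the warning that ordinal high/medium/low ratings cannot be multiplied, the following Python is example code written for this page; it is not from The Open Group, the Open FAIR standards or the speaker. The two scenarios, their minimum/most-likely/maximum ranges and the rating thresholds are constructed for illustration rather than calibrated data, and the use of a PERT distribution for the ranges and a Poisson draw for the number of events per year is this example's own modelling choice, not something the standards prescribe.

```python
"""Monte Carlo loss exposure from calibrated ranges, versus an ordinal matrix.

Added illustration for this page; not code from The Open Group, the Open FAIR
standards or the speaker. Risk is treated as loss event frequency (events per
year) combined with loss magnitude (loss per event), each estimated as a
minimum / most likely / maximum range. Scenario values and thresholds are
constructed for the example.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated range for one factor: minimum, most likely and maximum."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        """Draw from a PERT (scaled Beta) distribution over the range.

        PERT is this example's modelling choice; lambda = 4 is the classic shape.
        """
        span = self.high - self.low
        if span <= 0:
            return self.low
        lam = 4.0
        a = 1.0 + lam * (self.likely - self.low) / span
        b = 1.0 + lam * (self.high - self.likely) / span
        return self.low + rng.betavariate(a, b) * span


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: Estimate  # loss events per year
    magnitude: Estimate  # loss per event, in currency units


def poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year for a given annual rate (Knuth's method)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate(scenario: Scenario, years: int = 20_000, seed: int = 1) -> dict:
    """Simulate independent years and summarise the annualised loss distribution."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        events = poisson(rng, scenario.frequency.sample(rng))
        losses.append(sum(scenario.magnitude.sample(rng) for _ in range(events)))
    losses.sort()

    def percentile(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "mean": statistics.fmean(losses),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p_no_loss": sum(1 for x in losses if x == 0) / len(losses),
    }


def ordinal_score(scenario: Scenario) -> int:
    """A typical 1-3 x 1-3 rating matrix applied to the 'most likely' values.

    Thresholds are constructed for this example. The product is shown only to
    demonstrate what such matrices do; the arithmetic itself is not meaningful.
    """
    f, m = scenario.frequency.likely, scenario.magnitude.likely
    f_rank = 3 if f > 1 else 2 if f >= 0.1 else 1
    m_rank = 3 if m > 100_000 else 2 if m >= 10_000 else 1
    return f_rank * m_rank


# Constructed ranges for illustration only, not calibrated data.
PHISHING = Scenario("credential phishing",
                    Estimate(2, 6, 12), Estimate(5_000, 20_000, 80_000))
RANSOMWARE = Scenario("ransomware",
                      Estimate(0.1, 0.3, 1.0), Estimate(200_000, 1_000_000, 5_000_000))

if __name__ == "__main__":
    for s in (PHISHING, RANSOMWARE):
        r = simulate(s)
        print(f"{s.name:20s} ordinal={ordinal_score(s)}  "
              f"mean={r['mean']:,.0f}  p50={r['p50']:,.0f}  p90={r['p90']:,.0f}  "
              f"P(no loss)={r['p_no_loss']:.2f}")
```

Both constructed scenarios land on the same ordinal score of 6, so a rating matrix ranks them as equal. The simulation separates them: the ransomware case carries several times the annualised loss of the phishing case, and its distribution is also a different shape, with most simulated years showing no loss at all and a heavy tail in the rest, which is the kind of information a decision about security spend needs and an ordinal product cannot carry.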