We're going to switch gears, stick with security, but switch gears slightly to talk about the Open FAIR Body of Knowledge that we have at The Open Group. And to introduce that, as he did with the Zero Trust Architecture topic, back to my colleague, John Linford, a Forum Director of The Open Group Security and Open Trusted Technology Forums. So he's live with us. Over to you, John. Welcome back.
Excellent. Thank you, Steve. Glad to be back, or I guess to still be here. Looks like I now have control of the slides. So, yeah, hopefully everybody enjoyed the session earlier. As Steve said, shifting gears a bit now, looking at Open FAIR. So our quantitative risk analysis standard and some of the awesome work that we've got going around it. So if you've been with The Open Group for a while or you're just interested in Open FAIR, you probably know what Open FAIR is. But for those of you unfamiliar with it, FAIR stands for Factor Analysis of Information Risk. Having said that, Open FAIR is applicable to much, much more than just information risk. And you're going to see a little bit of that in presentations today, which is pretty cool.
The Open FAIR Body of Knowledge is comprised of two standards, The Open Group Standard for Risk Taxonomy, also known as O-RT, and The Open Group Standard for Risk Analysis, also known as O-RA. In November of last year, so of 2020, we published new versions of both of these standards and are now actively working sort of behind the scenes to update the accompanying certification program documents. So including conformance requirements, configuration documents before eventually updating the exam and formally making the change in moving to these new versions of the standards. So if you are interested in becoming Open FAIR certified, I'll emphasize it is still version two of O-RA and version one of O-RT against which you are certified.
And it will be in the next hopefully few months, up to a year at the most ideally, if all goes smoothly, it'll be less than that, that we'll then migrate to these new versions of the standards. We also have published numerous guides, white papers, and even a tool to help operationalize and apply the Open FAIR Body of Knowledge. So there's a lot of stuff out there, especially from The Open Group, but also from our members on this topic.
So why use an Open FAIR approach for risk analysis? Well, what Open FAIR does extremely well is provide a consistent taxonomy and framework for discussing and analyzing information risk. Now, something I will emphasize here that is incredibly important is when talking about Open FAIR, when we say risk, we're talking about the probable frequency and probable magnitude of loss. So if you are using the Open FAIR framework, the Open FAIR taxonomy, and you mention risk, you're discussing loss. This does make it relatively convenient, especially internally, since you know within your organization that if you say risk, you mean loss, and that's all there is to it. So you might use something else like opportunity to discuss opportunity rather than risk.
Open FAIR allows for discussing risk in terms of magnitude and frequency. So as I said with that definition, so dollars, cents, yen, pounds, whatever unit of currency you're using, and frequency. So you're looking at some sort of time period. This means that you get numbers. It's quantitative. You're not talking in terms of high, medium, or low. So what's high risk to one person may be low risk to another. It also avoids what's happening to deal with even if you do have well-defined bands for high, medium, and low. If you've got one risk that's at $10 million, and that's the boundary between medium and low risk, what was it, medium or low? So Open FAIR avoids that confusion. So it provides an objective view of risk rather than something a little bit more subjective.
Open FAIR is also incredibly useful when it comes to managing risk. Though it's important to point out Open FAIR is a risk analysis standard, not risk assessment, not risk management. So an Open FAIR risk analysis provides that accurate risk model that goes into these meaningful measurements to allow for effective comparisons that feed into these well-informed decisions and finally allow for effective management of your risk.
The Open FAIR taxonomy is comprised of sort of two parts. We have on one side the loss event frequency with its subcomponents and on the other, the loss magnitude side with its subcomponents. Open FAIR advocates for utilizing a top-down approach. So you only need to go to the layer within this risk tree that you're seeing in front of you that is necessary for the purpose of your analysis. So if you have excellent data on loss event frequency already, you don't necessarily need to drill down all of the way to contact frequency. However, if you're going to be looking at implementing a control that affects contact frequency, then you need to have those data for contact frequency in the first place before applying that control and seeing how your loss changes as a result.
Open FAIR also advocates for using objective data as much as possible, not subjective information. So looking at how many laptops did your organization lose in a year? "100" is a much better answer than "some." So trying to find those values, those data is going to dramatically improve the results that you can get with an Open FAIR analysis. Open FAIR, of course, also then advocates for documenting your rationale and assumptions for the estimates that are made. That way, if there are differences of opinion in analysts or management disagrees with the outcome of the analysis, or if there's just confusion about how results were obtained, you can look back at your rationale and assumptions and maybe make some tweaks and adjustments and see do things change.
And if they do change, are they substantial enough for us to change what we're going to do with this information?
So we can now start to look through sort of the two different sides, starting with loss event frequency. And some of this is going to maybe be a little bit dry, but hopefully it provides the groundwork for the presentations you'll see in the coming few minutes that will sort of rely on these concepts without necessarily the background explanation. Within Open FAIR, loss event frequency is the probable frequency that a threat agent is going to inflict harm upon an asset. So this is your loss event. Your loss event frequency is driven by the threat event frequency and vulnerability. This threat event frequency is looking at how many times does a threat agent attempt to overcome your asset? And not every single one of those is going to be successful. If your threat agent just comes in contact with your asset, they might not act against it either. So not every contact event will lead to a threat event and not every threat event will result in a loss event. On the other side, we look at your vulnerability. So we're looking at the resistance strength of your asset as compared to the threat capability of the agent attempting to impair or overcome it.
On the other side of the tree, we have our loss magnitude. Loss magnitude is the probable magnitude of loss resulting from a loss event. And in Open FAIR, as I said before, risk always has this loss component. Your primary losses occur as a direct result of the threat agent's action upon the asset. And from that, you get your primary loss magnitude, which is the direct observable economic impact to the primary stakeholder. Critically, in Open FAIR, you are always doing the analysis from the perspective of this primary stakeholder. So loss is always put in that perspective. Not every primary loss event is going to result in a secondary loss.
So you might end up with some secondary losses that occur because secondary stakeholders, customers, stockholders, regulators, the list goes on, react negatively to the primary loss and cause an additional loss to that primary stakeholder. So we're still looking at this as the impact on the primary stakeholder. We might do a separate analysis to analyze the impact to those secondary stakeholders, but then we'd be making them the primary stakeholder of that analysis. Within your secondary loss, you've got that primary loss magnitude, as I said, and your secondary loss, that's comprised of secondary loss event frequency, which is the percentage of time that a scenario is expected to have secondary effects or the conditional probability that a primary loss has a secondary loss. Your secondary loss magnitude then is the losses that materialize from dealing with secondary stakeholder reactions.
The Security Forum currently has several active projects around Open FAIR and the Open FAIR Body of Knowledge. You're going to get to hear about a couple of those today, one of which, this Calculating Reserves for Cyber Risk white paper, is the first of a two-part series. And it's actually currently in Security Forum review until Friday of this week. So until Friday, July 23rd. So if you are currently a silver or academic member of the Security Forum or a gold or platinum member of The Open Group, you are able to go and review that document and submit change requests against us, against it, and help us make it even better than we already think it is. If you are a silver or academic member of security or gold or platinum of The Open Group, you can also reach out to me directly. And we can schedule an onboarding session to bring you up to speed with other things happening in the forum. Non-members are also able to participate. As of last week, I believe July 13th, we published the Open FAIR Risk Analysis Example Guide. And we do want that to be a living document.
So if you are an Open FAIR analyst out there and you're able to, we'd be very interested in having examples contributed that we could add to that guide and expand it for new practitioners to get a better idea of how Open FAIR can be used. So thank you all very much for letting me give this introduction. And I think I hand it back over to you, Steve, for what are now some pre-recorded presentations.
Great. Thank you, John. Great, great summary as before. And we'll see you again a bit later. But meanwhile, thank you very much.