Agenda

Cyber Risk Modelling | Agenda

08:45 - 09:00

Registration

09:00 - 10:00

The connections between cyber risk, risk management and governance

  • How does cyber risk fit into risk management?
  • Is cyber an inherent risk or a vector for other risks?
  • Connectivity with conduct risk, RRP, ERM
  • Establishing a leading cyber risk management capability
  • Financial Stability Board’s lexicon for cyber risk
  • Stricter EBA guidelines
  • How do you develop risk appetite limits for cyber security risks?

10:00 - 11:00

Integrating cyber risk and IT

  • Setting up risk subcommittees; addressing technology, IT, cyber risk & data governance
  • How to identify the latest threats and vulnerabilities
  • Working with technologists
  • Accommodating new technologies into your cyber risk strategy
  • Integrating IT risk as part of the GRC strategy
  • How do IT risks fit in the context of the business?
  • Data aggregation and intelligence gathering tools to address cyber security risks

11:00 - 11:15

Morning break

11:15 - 12:15

Creating an efficient and usable cyber risk program

  • Best place to start
  • Instilling a culture of security and building cyber into core management processes
  • Creating a system that maintains daily usability
  • Dealing with the increasing price of cyber security
  • Potential for automation

12:15 - 12:15

End of Day 1

09:00 - 10:00

Introduction to using FAIR

  • Goals of risk management
  • How qualitative analysis fails
  • What is FAIR?
  • How is FAIR different from qualitative methods?
  • What additional value does it bring?
  • The risk management stack
  • Example analyses

10:00 - 11:00

Flaws of Qualitative Analysis

  • Subjectivity/Differing interpretations
  • Theory of Levels of Measurement
  • Illogical conclusions drawn from heat maps
  • False precision/undeclared uncertainty
  • Defining the requirements for risk analysis methods

11:00 - 11:15

Morning break

11:15 - 12:15

Fundamental Concepts of Quantitative Risk Analysis

  • Accuracy vs. precision
  • Prediction vs. possibility vs. probability
  • Objectivity vs. subjectivity
  • Making estimates for the FAIR model
  • Calibrated estimation instruction and activities
  • Variable decomposition
  • Monte Carlo simulation

12:15 - 12:15

End of Day 2

09:00 - 10:00

Example Analysis: Ransomware

  • Six forms of loss
  • Interpreting the results of FAIR analysis
  • Categorizing controls according to the OpenFAIR Standard
  • Accounting for controls in FAIR analysis
  • Building a business case for control investment

10:00 - 10:15

Morning break

10:15 - 11:15

The Risk Analysis Process

  • Scoping scenarios for analysis
  • Collecting data and estimates
  • Conducting quality assurance
  • Presenting results, including histograms and loss exceedance curves
  • Case Study

11:15 - 11:15

End of course
