Monday, October 21, 2013

preso: Big 'R' Risk Management - from concept to pilot implementation

Here's the presentation (pdf) that I'm giving Monday at SIRAcon in Seattle. It extends the ideas presented in the post "Risk Management: Out with the Old, In with the New!" and gives some specifics on how to get started implementing the Big 'R' approach. It even has an illustrative case toward the end featuring patch management and exceptions, shown in the figure below.

Example of Causal Dynamic Analysis, in this case Patch Management & Exceptions


  1. This looks very interesting. For the 'patching illustrative example' did you look at Allodi and
    Massacci's presentation at BlackHat ( could be relevant, as well as Jericho and Steve Christey's to a point (

    1. Marco -- thanks so much for these references. No, I didn't draw on much outside sources or specifics. They will definitely add more detail and realism for the next pass of this presentation.

    2. Russell, specifically the Allodi/Massacci case is quite interesting. A statistical analysis into patching based on CVSS. Something I haven't seen before. I know, only a small part of your Risk presentation, but I'm sure you'll find good things in there.