Monday, November 25, 2019

Talk Like a Cyber Insurance Risk Analyst

In a recent class on catastrophe risk modeling, I learned the definition of terms that are common in insurance but not so well understood elsewhere:
  • Peril
  • Exposure
  • Hazard
  • Ground-up Loss
  • Risk
Read on for definitions, ending with an analogy that, hopefully, ties them all together.

Friday, June 14, 2019

RESET: "Data-driven Security Smashup" will launch in Fall 2019

Big change of plans for the "Data-driven Security Smashup":
We are canceling the live event in Las Vegas, August 3 - 5. 
Instead, we aim to launch one or more Virtual Smashup projects in the Fall of 2019, followed by one or more live events early in 2020, perhaps one in the US and one in UK.


Basically, we ran out of time as we were trying to organize the event: sponsorship, organizer recruiting and on-boarding, Call for Participation, legal structure, venue.  No fault to anyone.  We started relatively late, and our standards are high.  We didn't want to just throw it together and risk having things fall apart during the event.


This new schedule gives us time to do it right, starting with the basics.  For example, we will secure a "fiscal sponsorship" relationship so we have the legal, financial, and operational infrastructure to take donations, manage risk, and to spend money responsibly.

Another "basic" that needs attention is contact and relationship management for all the people who have expressed interest, asked questions, or need responses.  This includes a dedicated website instead of this blog.

The new schedule gives us the lead time to recruit organizers and collaborators in academia, professional associations, industry, independent consultants, and government, both in US and internationally (mostly UK, Europe, Switzerland).

Personally, I'm not disappointed. The core idea is solid.  Lots of interest.  This change makes some space for some of my other priorities (dissertation!).

Stay tuned!

Monday, April 15, 2019

Announcing: Data-driven Security Smashup

Data-driven Security Smashup

A Hackathon + Supercollider of Talent, Ideas, & Resources

Fall 2019

Las Vegas, NV; Saturday - Monday August 3-5, 2019

[updated June 14, 2019, see "RESET..." for more info]
  • Venue: rented house*, well off the Strip Working on it.  Aiming for UNLV
  • Timing: just before B-Sides LV/Black Hat/Defcon
  • Organizers: Me, Jon Hawkes, plus 2-6 others to be named (interested? Contact me)
  • On-site capacity: ~30 30 - 60
  • Remote/virtual participation? Yes. Details TBD  Also several Satellite locations
  • Call for Participation: coming soon, mid May
  • Call for Sponsorship: coming soon, mid May
  • Other locations: if this first Smashup goes well, we'd like to 'step-and-repeat' it soon in the EU, UK, Switzerland, elsewhere in US, and maybe more
  • Updates and news:  follow @dds_smashup on Twitter


The Data-driven Security Smashup (DDS Smashup) is a combination of hackathon and ‘supercollider’ of talent, ideas, and resources, aiming for breakthrough innovations in data-driven cyber security, especially solutions to problems that span domains of people, process, technology, institutions, and culture.  

Sunday, April 14, 2019

Why Is Breakthrough Innovation in Cyber Security So Hard?

Short answer: Innovation activities tend to focus on just a few pieces at a time, treating it as a simple problem. That doesn't create breakthroughs because the system* is too complicated.
* "system" = technology, information, people, processes, organizations, institutions, economics,...
In Sciences of the Artificial, Herbert Simon argued that most evolved systems (natural and artificial) were "partially decomposable" (if not fully decomposable) into units or subsystems that could be studied and understood in isolation. While cyber security is partially decomposable for many purposes, it is my conjecture that it is much less decomposable than we believe or desire.

What this means is that breakthrough innovations will depend on many, simultaneous inventions, including crossing system levels.

Sunday, March 31, 2019

A 12 Year Quest -- My Story

On a quest, through the desert.

(credit: Assassin's Creed – Origins;
Thick Skin Side Quest –
Crocodile, Hyena, Vulture Locations)
Last week I started a new job as Principal Modeler for Cyber Risk at Risk Management Solutions (RMS).  This is HUGE, coming after a 12 year quest that was far from easy or certain.

I don't normally post personal stories on this blog (or elsewhere) but today feels like the right time for this particular personal story.  I'm writing this as a way of connecting to my community, many of whom have shared the ups and downs of this journey.  I don't have any big lessons or advice. Even so, some readers may find this story instructive or inspirational, even indirectly.  I hope so.

Caveats: In this post, I don't individually acknowledge and thank all the people who have helped me along the way.  There are so many, so I will do that separately, both in one-on-one communications and later blog posts.  I'm also going to discipline myself not to write about all the details, all the events, all the feelings along the way.  That would be too long.  I aim is to have a post that is readable and still specific enough to be meaningful.

Even so, it's a long blog post. If this suits you, the story continues below.