Upgrade to receive CPD certificate + full access

Robert D. Brown III

How to optimize cybersecurity control decisions when supporting data is scarce

A Workshop by Robert D. Brown III (Cybersecurity Risk Management Leader, Resilience Insurance)

Register To Watch This Content

Watch this content now

By submitting you agree to the Terms & Privacy Policy

About this Workshop

For many planning and decision making exercises under risk and uncertainty, we often need to populate evaluation models with numerous parameter values. These may be difficult to obtain within the constraints of our immediate time and financial budgets and operational realities such as:

  1. Experiments are very difficult or costly to run in a timely manner.

  2. The system depends on the complex interaction of a number of driving variables that are difficult if not impossible to isolate while still maintaining the integrity of the system under scrutiny.

  3. Running experiments might present ethical constraints or barriers that could lead to irreversible harm to study subjects.

The Lens Model developed by Egon Brunswick and Kenneth Hammond provides a structured method to elicit parameters for descriptor variables in these situations from subject matter experts.

In this discussion, I present how we use the Lens Model to estimate the probability of experiencing a reportable ransomware event with an array of cybersecurity controls. This information can be used to optimize the chosen decision space for security controls. I also show how we identify the best SMEs using scoring tools that limit the effects of bias and noise. Of course, the process and tools presented can be applied generically to any complex systems analysis that are also subject to the methodological constraints described above.

About The Speaker

Say hello to your Speaker for this Workshop.

Robert D. Brown III

Robert D. Brown III

Cybersecurity Risk Management Leader, Resilience Insurance

Topics Covered


Risk mitigations that reduce the overall risk exposure, trade-offs, measuring quantitative effect