2019 RSA Conference to Spotlight Cyber Risk Quantification

For a leading indicator on where the cybersecurity industry is trending, scan the lineup of topics for sessions at the annual RSA Conference, coming in 2019 on Monday-Friday, March 4-8,  in San Francisco. The agenda is just out and it looks like 2019 is shaping up as year of heightened interest in a risk-based approach, driven by quantification – even more than the 2018 edition when RSA President Rohit Ghai said “risk quantification is a hot field and an essential tool” in his keynote speech (he also name checked the FAIR model that powers the RiskLens application).

Some highlights of this year’s agenda:

FAIR creator and RiskLens Chief Risk Scientist Jack Jones (right) presents on Defining a Cyber-Risk Appetite That Works on Tuesday, 11 AM and Wednesday, 9:20 AM.  Jack will “share a simple process for defining an unambiguous cyber-risk appetite that can drive better decision-making” beyond the typical high-medium-low, qualitative approach.


Hear more from Jack Jones and a panel of cyber risk quantification experts at the

FAIR Institute Breakfast during the RSA Conference, Wednesday at 8-11 AM.

Get the details.


One of the best presenters around on quantification, Evan Wheeler, CISO at Financial Engines, will walk his audience through Data Breach or Disclosure: A Quantitative Risk Analysis, Wednesday at 8 AM.

Risk quantification pioneers Marta Palanques and Steve Reznik of ADP will discuss What Makes a Good KRI? Using FAIR to Discover Meaningful Metrics, Thursday at 8 AM, a chance to learn about hands-on techniques to maximize ROI on security investments, as well as getting the most out of a risk register. 

Rick Howard, CSO for Palo Alto Networks will make the case in his talk Superforecasting II: Risk Assessment Prognostication in the 21st Century (11 AM) Tuesday that “for the past 25 years, network defenders have been doing risk assessments wrong. Qualitative risk matrices and heat maps are just bad science. The ‘new’ math consists of latency curves, Bayes algorithm and Monte Carlo simulations’.” Rick credits the FAIR book (Measuring and Managing Information Risk) as a major influence.

Jack Freund, co-author with Jack Jones of the FAIR book and Director, Cyber Risk, at TIAA, will present with colleague Joel Amick, Director, Cyber Analytics and Data Science, TIAA, on Virtual Pen Testing Using Risk Models, a FAIR-based approach to modeling likely scenarios for compromise in your network.

Other sessions to watch…

The Metrics Manifesto, 1 PM Tuesday, with Richard Seiersen, President, M-Cubed and co-author with Douglas Hubbard of How to Measure Anything in Cybersecurity Risk.

Finding the Right Answers—Facilitating Insider Threat Analysis Using OCTAVE, Tuesday, 2:20 PM, will cover the Software Engineering Institute (SEI) Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) process that integrates with FAIR.