The Cyentia Institute is updating its groundbreaking Information Risk Insights Study (IRIS) from 2020 with expanded data and deeper analysis – and will give its first public preview of the new report at the 2022 FAIR Conference.
Presentation: Unveiling the IRIS 2022: Bigger Scale, Greater Depth, and More Data for Your CRQ Program
Tuesday, September 27, 4:15-5:00 PM
>>Wade Baker, Partner, Cyentia Institute
>>David Severski, Senior Security Data Scientist, Cyentia Institute
The IRIS reports are all about quantifying frequency and magnitude of cyber loss events based on big data sets, so they’re especially useful to FAIR analysts looking to set distributions for analyses and understand patterns in cyber risk. Since IRIS 20/20, Cyentia has produced reports analyzing large multi-party incidents and the 100 largest cyber events of recent years. Cyentia also produces on-demand Risk Retina reports targeted to organizations.
What’s new in the 2022 IRIS (due for formal release October 1):
- An update and expansion of the Advisen data set that was the basis of the 2020 report, including more information on events from before 2020.
- Application of machine learning techniques to pull more detail on loss events from public records.
- A new focus on “incident patterns” (ransomware, DDoS and other event categories) that might, for instance, give a FAIR analyst parameters for a PERT distribution specific to an incident type. As Wade Baker says, “We hope that helps people to start asking the question, if IRIS has given me a sense of how frequently I should expect cyber events to happen, which ones among those are the most likely and most costly? You’ll be able to get those answers.”
- Cuts of the data that are useful for attack framework analysis.
“Our goal with IRIS is to empower analysts doing risk quantification through methods such as FAIR, to spend more time managing risk and less time trying to get the data to do the analysis of that risk,” David Severski says.
David will also speak at another FAIRCON22 event, “Presentation: Scaling a Quantitative Risk Management Program,” with Andrew Retrum, Managing Director, US Security Program & Strategy Practice Lead, Protiviti, on Wednesday, September 28, 3:45-4:30 PM.