Vulnerability does not equal loss
This keynote will focus on the things we can quantify and the things we should be quantifying. Cyber Risk is still forming, and much of the work is done because it is easy to quantify or measure, but not because the metric is relevant to the loss processes we want to study. The talk will also make clear the dangers of linear extrapolation in a field in which many things are supra linear, and thus how we should be normalising more metrics than we are. We are using an incomplete map of the internet, and extrapolating it onto the well mapped world, which also carries it's own dangers. Finally, we will close with some brand new research of my own in quantifying threat actors within the ecosystem.
Éireann Leverett once found 10,000 vulnerable industrial systems on the internet.
He then worked with Computer Emergency Response Teams around the world for cyber risk reduction.
Éireann Leverett is a regular speaker at computer security conferences such as FIRST, BlackHat, Defcon, Brucon, Hack.lu, RSA, and CCC; and also a regular speaker at insurance and risk conferences such as Society of Information Risk Analysts, Onshore Energy Conference, International Association of Engineering Insurers, International Risk Governance Council, and the Reinsurance Association of America. He has been featured by the BBC, The Washington Post, The Chicago Tribune, The Register, The Christian Science Monitor, Popular Mechanics, Wired, and Forbes.
He was part of a multidisciplinary team that built the first cyber risk models for insurance with Cambridge University Centre for Risk Studies, where he works to this day as a Senior Risk Researcher. He founded Concinnity Risks to perform cyber risk research and metrics. He also the Chair of FIRST,org's Cyber Insurance Special Interest Group.
He tries to bridge the world of the hackers and the insurers and will be giving signed copies of his book to anyone brave enough to volunteer.