October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

Operationalizing risk

Bruce Potter (KEYW Corporation)
2:10pm–2:50pm Tuesday, 11/01/2016
Tools and processes
Location: Trianon Ballroom
Level: Intermediate
Average rating: 4.67 (9 ratings)

Prerequisite knowledge

  • A reasonable knowledge of the breadth of cybersecurity concerns within a contemporary enterprise (e.g., the categories within NIST Cybersecurity Framework core)
  • Familiarity with a control framework such as NIST 800-53 (useful but not required)
  • A general understanding of IT and IT security

What you'll learn

  • Explore templates, processes, and examples that you can use to perform an assessment
  • Learn a repeatable methodology that works for most organizations as an entrée into security risk assessments


Regardless of whether you’re writing code, deploying a network, or managing an existing enterprise, building and operating a secure, defensible system is really about managing risk. All security controls, operational and technical, can only be appropriately applied when you understand the risks to the system. If you apply controls without regard to risk, you are not necessarily making the system more secure; you are hoping that your controls will have a meaningful impact on it. When risk is considered, you are investing your time and energy in the areas that provide the most meaningful protection.

In order to properly understand the risk associated with your system, you must perform a risk assessment. The challenge many face is there is no single security risk assessment process. In fact, there are few formally documented risk assessment processes, and the few that are documented, including FAIR, NIST 800-30r1, and CyberVAR, can be difficult to understand and execute. While there are many professional services organizations that can perform a risk assessment for you, these activities are often costly and may vary wildly depending on the skill of the assessor.

Bruce Potter presents a pragmatic risk assessment process that you can use immediately to do your own assessment. The risk assessment process follows this basic flow: data gathering and elicitation, creating a system representation documenting threats and vulnerabilities, rolling up the risks, and documenting the results. This process has been refined over the last 15 years, utilizing parts of existing risk assessment processes and feedback from numerous clients.

Bruce will also provide templates for the documents and worked examples. Each documented risk will contain information on the risk itself and its impact and likelihood, a technical description of how the risk would be realized, short-term remediation actions, and long-term remediation activities. Risks, when properly documented, can be drivers for positive change in an organization. By the end of the talk, you’ll be able to use these concrete documents—and the associated processes—to jump-start your risk assessment activities.
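To make the four-step flow and the risk record concrete, here is an added illustration in Python. It is not one of Bruce Potter's templates and not code from the talk: the 1-5 likelihood and impact scales, the multiplicative score, the rating thresholds and the per-component roll-up (a component inherits its worst risk) are all assumptions of this example, and the four sample risks are constructed. What it does show is the shape of a documented risk (impact, likelihood, technical description, short- and long-term remediation) and how individual findings roll up into a prioritized register and a component-level summary.

```python
from dataclasses import dataclass, asdict


@dataclass
class Risk:
    """One row of the register. The field list mirrors the abstract's
    description of a documented risk; the 1-5 scales are an assumption."""
    risk_id: str
    component: str             # element of the system representation
    threat: str                # who or what realizes the risk
    vulnerability: str         # the weakness the threat exploits
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    technical_description: str
    short_term_remediation: str
    long_term_remediation: str

    def __post_init__(self) -> None:
        # Reject out-of-range scores early; a register with a "likelihood 7"
        # in it silently distorts every roll-up built on top of it.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{self.risk_id}: {name} must be an int in 1..5, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Band the 1..25 product into a qualitative level (assumed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def prioritize(risks):
    """Highest score first; ties are broken by id so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score, r.risk_id))


def roll_up(risks):
    """Per-component summary: each component inherits its worst risk's rating."""
    summary = {}
    for r in risks:
        entry = summary.setdefault(r.component, {"count": 0, "max_score": 0, "worst": None})
        entry["count"] += 1
        if r.score > entry["max_score"]:
            entry["max_score"] = r.score
            entry["worst"] = r.risk_id
        entry["rating"] = rating(entry["max_score"])
    return summary


def overall_rating(risks):
    """System-level rating: the worst component wins (assumed roll-up rule)."""
    return rating(max(r.score for r in risks)) if risks else "Low"


def document(risk):
    """Flatten one risk into the record shape a report template would consume."""
    record = asdict(risk)
    record["score"] = risk.score
    record["rating"] = rating(risk.score)
    return record


# Constructed sample register (not real findings), as if produced by the
# data-gathering and system-representation steps.
SAMPLE_RISKS = [
    Risk("R-01", "Web portal", "Internet attacker", "Unpatched web framework", 4, 5,
         "Publicly reachable portal runs a framework version with known fixes outstanding.",
         "Apply vendor patches; restrict admin paths to the corporate network.",
         "Put the portal on a monthly patch cadence with vulnerability scanning."),
    Risk("R-02", "Web portal", "Insider", "Shared administrator account", 3, 3,
         "One credential is shared by the operations team, so actions are not attributable.",
         "Issue individual admin accounts and rotate the shared password.",
         "Move administration behind SSO with per-user audit logging."),
    Risk("R-03", "Backup server", "Ransomware", "Backups writable from production hosts", 2, 5,
         "Production servers mount the backup share read-write, so malware there can destroy backups.",
         "Switch production mounts to read-only and snapshot the backup volume.",
         "Adopt pull-based, offline-retained backups with periodic restore tests."),
    Risk("R-04", "Office Wi-Fi", "Nearby attacker", "Guest network bridged to staff LAN", 2, 2,
         "Guest SSID shares a VLAN with staff workstations.",
         "Place guest traffic on its own VLAN with internet-only egress.",
         "Re-architect wireless with 802.1X for staff devices."),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.risk_id} {rating(r.score):8} score={r.score:2} {r.component}: {r.vulnerability}")
    for component, s in roll_up(SAMPLE_RISKS).items():
        print(f"{component}: {s['rating']} (worst {s['worst']}, {s['count']} risks)")
    print("Overall:", overall_rating(SAMPLE_RISKS))
```

Run as a script it prints the prioritized register, the per-component summary and the overall rating; the `document` function gives the flat record you would hand to a report template. The roll-up rule matters: taking the maximum per component means a single severe finding is never averaged away by several minor ones, which is usually the behaviour you want when the output drives remediation priority.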


Bruce Potter

KEYW Corporation

Bruce Potter is the CTO of the KEYW Corporation. Bruce has over 20 years of experience tackling high-end information security research and engineering problems. Over his career, Bruce has built and led teams focused on hard problems in information security, such as cybersecurity risk analysis, telecommunications security, system and network engineering, computer and information security, advanced software analysis techniques, wireless security, and IT operations best practices. Bruce is also the founder of the Shmoo Group, a nonprofit think tank comprising security, privacy, and crypto professionals who donate time to information security research and development. Bruce assists in the organization of ShmooCon, an annual computer security conference in Washington, DC. The most recent conference had over 2,000 attendees from a broad cross section of the security community and included presentations by industry professionals on a variety of contemporary security issues. Bruce has authored many publications and has delivered numerous presentations at various security and network conferences and private events, including DefCon, Black Hat USA, ShmooCon, the United States Military Academy, Johns Hopkins University, and the Library of Congress.