The purpose of the risk workshop is to explore the hard parts of understanding risk. We have previously conducted workshops in Ireland and Australia on how to understand and model risk, how to explain and display risk to stakeholders, and how to think like our adversaries to identify threats that we would otherwise miss. In this workshop we will begin to explore the challenge of how to aggregate risk in a complex environment to help determine which mission objectives are most at risk. We understand single weaknesses and single risks well, but once things get complex it becomes complicated to understand how the risk compounds. Averages don’t do the trick; neither does plotting all the risk on a graph. Actuarial science has solutions, but these solutions require years of data we don’t have. This collaborative workshop will dive into this risk problem to discuss the specific challenges and collectively try to uncover a path forward.

This year, I propose the second edition of the COSAC LAB.

For the year 2024, the lab will use a new approach based on the lessons learned from the first edition performed in 2023.

1. What is the COSAC LAB?

The intent is to create an environment where people can come together and explore ideas and solutions that were generated during COSAC and develop them in a way which will give the ideas greater potential for further development by the creator or a team they create during the lab.

COSAC LAB speakers: « Hello, the first condition to get in the COSAC LAB workshop is to accept the rules without knowing them”.

Participant: Atchoo !

COSAC LAB speakers : « Bless you »

Participant: Psssst, come here, COSAC reviewers, I will tell you what’s happens here but for now, it’s a secret so keep it for you. Ok we enter in the workshop. Oh, the speakers bring some materials: games, computer, paper, paints, music and so one. I’m not so good at DIY and common, it’s not my age anymore!

Participant: Now, the speakers explain that the first rule is to put away watches and phones. They are the time masters and timekeeper. Interesting, isn’t it? They said that we will work during a time breach. I am curious and interested. Let’s continue, they ask us to propose an idea and I have one: be vulnerable to increase awareness: paradox or reality? They ask other participants if they would like to join my idea to work together on that, and maybe create a new learning model based on paradoxical behaviour.

Participant: Oh wait! Someone else proposes something very new.

Participant: You know what, it is interesting too! A lot of people have ideas. Like I said before they bring some materials to unleash our creativity. I see that I can use AI Art platform. I will try it. People join my idea about paradoxical behaviour. Let’s begin...

COSAC LAB speakers: We give you some steps to follow to achieve your objectives in a COSAC style. Of course, you are free to follow steps or not. Here the aim is to break the figure. We are here to participate too and help if we can.

Participant: Ok the conclusion is ... SURPRISE!

2. Characteristics of the COSAC LAB

Value: These design workshops not only build teams from people who may have never worked together before. This workshop will bring a list of ideas which can be developed. It will provide potential ideas for sponsorship by the SABSA foundation and provide interesting future COSAC presentation. This is new and the goal is to "break the figure". The opportunities for evolution and modification are limitless. The more feedback is given, the more people play the game, the more creative possibilities the COSAC Lab will offer.

Uniqueness: The COSAC Lab comes from its essence the COSAC which is a completely different conference as we know them. This conference is intended for people who build, create, and innovates. A laboratory’s main objective is to provide reliable results.

A laboratory whose results are too often unsafe could not be approved by the competent authorities. The COSAC Lab is the only laboratory that demands to be in danger. Everything is possible. It wants to be opportunist, nutcracker, refractory and innovative.

The first condition to be "accepted" in the COSAC Lab is to accept the conditions and the rules of COSAC Lab without knowing them. Bring the ideas together instead of losing them in discussion.

Timeliness: It is important to develop to get ideas on paper at COSAC instead of losing them.

Approach: The COSAC Lab is the place where the theoretical exchanges will take place in a practical way. Steps to follow are proposed, they remain flexible, only value creation counts.

We will create a time breach when you evolve. We will be the master of the time.

Rule 1 : No phones and no watches

Rule 2 : A commitment to attribute to all authors

Rule 3 : You must agree not to steal ideas and use competitively in a negative way

Rule 4 : You agree to build on good ideas collaboratively, the COSAC-way

A group of people trust each other, will exchange ideas, work together on an issue, an idea, a problem or other. This laboratory aims to export its creations in the real world. Its ultimate goal is to enable the creation of innovations in real life.

Do you want to learn to build a functional incident response exercise?

Perhaps you’d like to have clear and measurable exercise goals and performance reporting. The kind that will endear you to your training team and produce clear and actionable reporting. Good news, we can do that together. After all it’s dangerous to go alone.

The workshop will provide attendees with both support and guidance in developing a plan for a simple incident response exercise. Attendees will be walked through the process of making key decisions and creating usable exercise documents. The workshop will include an introduction to exercise concept development, scenario planning, exercise logistics, communication plans, effective evaluation and post-exercise reporting.

Attendees will leave with a usable exercise plan that will be relevant and usable within their organisation. A selection of video and print resources will be made available for attendees to explore and utilise post-workshop.

Everyone with experience using SABSA knows that Attributes are great for capturing and reflecting business needs. However, they can be less beneficial when working with Agile teams.

Last year, I presented a pragmatic approach to requirements engineering in agile environments. This workshop builds upon that session and aims to provide delegates with practical skills to close the requirements gap.

In this workshop, you will learn how to use SABSA Attribute profiles to develop a codified set of 'non-functional' requirements in Agile and DevOps environments.

We will explore:

• • Creating SABSA Attribute profiles for your organisation using the Multi-Tiered Attribute
• Profiling (MTAP) methodology.
• • Using SABSA Attributes to define security requirements in Agile and DevOps environments.
• • Developing user stories that clearly articulate the who, what, and why of security features.
• • Prioritising security User Stories to ensure that they are not overlooked.

Learning outcomes:

• • Understand how to use MTAP to develop SABSA Attributes tailored to your organisation's needs.
• • Comprehend the difference between SABSA Attributes and security User Stories.
• • Understand how to create security User Stories that reflect the intent of, and are traceable to, a SABSA Attribute.
• • Ability to ensure that security User Stories are priori2sed and addressed in the relevant Program Increment (PI) or sprint.

They’ve had enough. They just get used to one environment and some SOB changes it. And we security geeks want to add change to the change. No wonder they growl at us. Complex, ever-evolving work environments turn communities of competent, veteran users into fumbling rookies who make new-guy mistakes, some of which impact security. Organizational restructuring is almost a constant. People still resist change, make mistakes, painstakingly follow bad security practices and get socially engineered. And bad guys find creative ways to defeat our newest, most sophisticated security measures.

We’ll give guidance for coping with human foibles, complexity and change in securing our vital assets.

Part 1 – Securing the semi-predictable humans – Phishing, really automated social engineering, has been an element in almost every Ransomware event and a multitude of other egregious breaches. We’ll examine why social engineering works so well on our employees, on all humans, for that matter. We’ll give suggestions for shoring up this most vital link in our security chain.

Part 2 – Securing the ever-changing organization – Change agents that can seriously affect security are gaining traction everywhere. Massive organizations are making their own rules and privacy decisions, at least until governments levy gargantuan fines. Mergers, acquisitions, divestitures, downsizing in many forms, even internal reorganizations can bring danger. We’ll identify areas of security focus and give recommendations for minimizing security incidents and effects in the midst of the upheaval.

An intriguing session that will attempt to re-orient the mindset required to undergo a Digital Transformation. In an unusual manner (not about just technology or apps) session will provide real world insight and experiences as it relates to the following:

• • The drivers of why we have to undergo Digital Transformation.
• • The thinking required for a Digital Transformation.
• • The Organizational Shift to a Digital Transformation.
• • New ways of marketing.
• • New ways of Hiring.
• • Technologies at play in that enable Digital Transformation.
• • Interactive practical activity on how to digitize something that’s highly physical and manual in nature.

Cybersecurity is known as the department of “NO” while SABSA uses business opportunity risk to transform it to “YES”. This session leverages improvisational skills to increase the engagement, imagination, and impact of tabletop exercises.

We will show how to strategically leverage a tabletop exercise scenario and expand upon it with methods from improv comedy for continuing the scene. Using the techniques of “Yes, And” and “No, But”, we will overcome scenario objections, get participant buy-in to expand upon the premise, address unrealistic recovery options, and keep creativity in the solutions proposed. The optimal outcome is making tabletop exercises fun while producing more relevant and actionable results.

This material is relevant and timely as cyber-risk insurers ask if tabletop exercises are conducted, external audit firms look at scope and reports from tabletop exercises, and the business looks for tangible results from exercises that use many hours of valuable human resources.

This session, redesigned from the bottom up based on our experience at COSAC APAC, will be interactive with the attendees being called upon to participate in games and exercises leveraging improv to show the value of using this novel approach and adding fun to what might otherwise be a compliance ritual.

In late 2022 I was assigned to lead a team mandated with creating and implementing a strategy to transform the Managed Security Services business of a global organization that provides end-to-end security services. This organization operates more than twenty delivery centres globally and has grown, organically and through acquisition, to more than 3000 delivery centre employees. Due to the rapid growth, many of the delivery centres were operating in their own bubbles and using their own operating models, service definitions, delivery processes, playbooks, runbooks, people management processes, SLAs, metrics and technology stacks. This caused a high degree of inconsistency in the quality, delivery methods and collaboration between the centres, especially when providing services to clients with global footprints.

In this session we will look at how SABSA was used in this transformation journey and the value and impact that it has had on the organization.

Part 1: Context – Setting the context of the requirements and putting the necessary governance in place (Program Governance Model)

Part 2: Setting the baseline – Creating a way to consistently communicate priority and value through language and terminology (Business Attributes & Glossary)

Part 3: Organization – Creating a repeatable organization model based on priorities, requirements, skills and technology (Domain Model & Talent Program)

Part 4: Performance Targets – Creating internal and external facing KPIs and SLAs to measure performance

Part 5: Processes – Creating repeatable operational processes

Part 6: Delivery Method – Updating existing mandated delivery methods to reflect and implement changes