SABSA measures the impact of risk on attribute performance targets within a domain and we use these measures in decision support for our control objectives. This SABSA domain model paints a tropical canvas of business attributes isolated deep in a domain jungle with the where-abouts known only to the domain owner. Forging into this domain we might take care to draw upon multi-tiered attributes to describe how risk is systemically transferred from one attribute to another - but can an attribute directly support another attribute or are we searching for the missing link in this view?

In this presentation I will detail all the missing elements needed to properly excavate a multi-tiered attribute view. I’ll demonstrate how systemic risk is really transferred between elements in a multi-tiered attribute view and how this missing link is actually part of the powerhouse that drives the implementation of SABSA in the real world. Attendees will emerge from this domain jungle with a solid gold view of what the multi-tiered attributes view really represents and how it can be used to delegate risk successfully in your next expedition.

Achieving cyber resilience for our critical systems using traditional, human-intensive methods is becoming more difficult as adversarial tactics, techniques and technologies outpace our current cyber defenses. New and disruptive techniques are needed to not just catch-up to the increased risk of cyber threat vectors, but to surpass the threat to attain cyber resilience.

This presentation provides an introduction of how we can collaboratively develop and acquire Autonomous Intelligent Cyber-defense Agents (AICAs) for next-generation cyber resilience.

This presentation explores and discusses the future of autonomous cyber defense and resilience techniques from the human perspective; as well as how this new paradigm for autonomous intelligent cyber-defense agents may be integrated with our human cyber protection team with transparency and explainability. It introduces the AICA International Working Group’s ongoing efforts to develop a new reference architecture for implementing autonomous intelligent cyber-defense agents and transition the science from concept to reality for battlefield applications.

We will discuss the definition for intelligent cyber-defense agents, and the requirements and challenges associated with this approach, including: Infrastructure, architecture and engineering; Individual and collective decision-making; Stealth and resilience; Societal considerations.

We then examine and discuss modernizing for tomorrow through the application of cyber-defense agents by exploring the need and requirements for human-machine teaming. This portion of the presentation will present novel techniques for aligning human and machine mental models and user interface techniques for gaining transparency and explainability for artificial intelligence (AI) and cognitive solutions.

The space sector is undergoing a new surge in activity as major advances in technologies create opportunities for existing space systems owners (e.g. governments, SATCOM telcos) and new players to design, build, launch and operate new space systems and services. At the same time, there is increased use of and reliance on space services within the general economy.

All space systems and services are complex technology-based platforms that have specific cybersecurity concerns and attributes. This session will discuss these issues around the application of cybersecurity to space systems, current developments in security in the sector and review the applicability of specific SABSA attributes to the security architecture of space systems.

Exercises are useful training, validation and discovery tools for any security program but are also becoming formal business requirements. Many legal and governance frameworks such as CPS234 and the Australian ISM call for regular testing of incident response systems. As a result security leaders find themselves adding exercises to their calendar and wondering how to effectively conduct exercise campaigns while showing positive return on investment.

It’s dangerous to go alone. Fortunately we can turn to the field of serious games for tools and maps to ease the path. We will venture through the key conceptual landmarks, drawing linkages to familiar architectural concepts using a SABSA lens. The journey will build on existing security architecture muscles to support both exercise design and evaluation. This session will guide you to design your campaigns to align with your security priorities. We will explore ways of defining what ‘good’ looks like and translate that into exercise design. You will leave the session with clear signposts for demonstrating the impact and value of your exercise program to your leadership team.

This session will guide you to design your campaigns to align with your security priorities. We will explore ways of defining what ‘good’ looks like and translate that into exercise design. You will leave the session with clear signposts for demonstrating the impact and value of your exercise program to your leadership team.

Despite the investment in cyber security over decades, many security teams are still wedded to qualitative methods. When the business comes asking for our evaluation of something it all comes down to will the answer be high, medium or low this time? We categorise into one of 3, 4 or maybe even 5 ordered categories. Based on these ordinal scales we turn out the same charts to communicate security to the business. We still hear the argument that senior leadership’s brains would explode if we tried to explain it. But they think we’re just fudging it and say, “what do you expect us to do with this?”. They want a number. Numbers can be added, multiplied and averaged. They can be compared to other people’s numbers; they can be plugged into models. This is the 21st century, quantitative methods are what is needed.

So now we get asked for a number? Once delivered that number will be the expert opinion, quoted as gospel and combined with other such numbers in ways we cannot begin to comprehend, and cannot control. It’s true, there are less places to hide: we’re now being asked to be certain of our uncertainties. So, what to do? We do what everyone would do, we pad the numbers and we do it early. When combined the padding grows and the numbers lose even more accuracy. But they also gain the illusion of precision, which merely serves to make them more trustworthy to the masses. Oh, and the numbers are often just as subjective as the qualitative methods that came before.

Do we even consider the risks relating to our risk management frameworks and methods themselves? If we misrepresent risks to the business, it may not be those risks that derail us, but the decisions made based on the bad data. SABSA does not magically resolve this issue: it is commonplace to see single numbers for risk (and its constituent elements), performance targets and risk appetite.

This session will discuss some pitfalls of quantification as well as questions such as:

• - How can we express our uncertainty so that it survives the calculations that will follow?
• - How can we improve our objectivity and deliver numbers that we’re confident are accurate and are sufficiently precise?
• - How do we enable aggregation with numbers we didn’t produce?
• - Do we need expensive specialised tools to get started?

In this session we will discuss the growthofacybersecurity risk management program at a Healthcare organizationduringthe COVID-19 pandemic.In addition tothe pandemic,wewerealso experiencing an unprecedentedincrease in targeted cybersecurityattacks, as well asmaintaining consistent organizational growth.We will discussthe significant executive leadership support that enabled and drove thecybersecurity improvementeffortseven whilethey weredealing with the significant impacts of COVID-19, and setting up the organization as a leader both regionally and nationally. The key topics will include discussion of our efforts aroundthe enterprise cybersecurity risk management programand IT vendor risk managementprogram, as well asthe significant collaborationswith IT and clinical colleagues that have proven to beessentialto our success.We will discusssuccesses, lessons learned, and next stepsas our journey continues.

Despite the ever-increasing investment in cyber security, organisations are still struggling to implement an integrated approach to cyber risk management and reporting. More often than not decision makers rely on poorly structured reports which are skewed towards technical jargon and as such fail to convey an accurate or consistent articulation of the risk exposure.

This presentation will cover the common pitfalls of attempting cyber risk quantification, even in mature end-client environments, in an attempt to frame the problem and identify its main root causes. It will then move to introduce a more architecture-focused approach on how to build an integrated single data model that encapsulates the security fabric and holds everything together as an interdependent network of nodes. The structure of the data model, with its various layers of abstraction, provides a reliable mechanism to utilise actuarial data, mine insights and support effective decision making. Most importantly, it breaks away from the siloed mentality and the disconnected thinking it usually fosters, puts the emphasis on what is materially important and communicates the most essential information for a complete risk profile.

This timely presentation addresses the escalation seen in ransomware (wiperware) tied to the Russian Federation, uniquely framed by an experienced hospital system CISO. Healthcare is currently one of the top three sectors being targeted, and healthcare systems are particularly susceptible because basic security controls are not in place within highly integrated systems with limited funds and manufacturers still sell systems with obsolete operating systems.

Organizations are being advised to spend resources on ransomware tabletop exercises, technology solutions, security awareness training, memberships in organizations, and specific technology controls to protect them from ransomware. Recommendations from the FBI include “be[ing] a cautious and conscientious computer user,” implying that the average user is not being conscientious if they fall victim to ransomware.

The approach of this presentation is to discuss the different strategies that should be used in healthcare while providing patient care and finding innovative treatments and cures, with complex systems that are constantly changing. Participants will have the opportunity to challenge or build on these strategies, which can also be leveraged in other business verticals.

The value in this discussion is that it will leverage SABSA to focus on the business requirements to determine which controls help meet the business objectives.

“They are in front of us, behind us, and we are flanked on both sides. They can’t get away from us now!”

– Lt.Gen. Lewis “Chesty” Puller, USMC

The environment is a mess. The architects are proselytizing. The engineers want you to go away. The project managers are flogging dead horses everywhere while shutting out distractions from you. The auditors are sticking the knife into you. Management is screaming at everyone for updates. The business hates the whole damn lot fo you.

And there you are, right in the centre of the storm, being handed your rifle, pointed at the direction of the enemy and told to start running!

All too often, we are faced with the unenviable circumstance of being dropped into a swirling maelstrom of conflicting goals, priorities, challenges, ideas and personalities, and are expected to start pulling rabbits and unicorns out of the proverbial hat – and all while being watched and ruthlessly judged by your peers, your management and the Board!

If all that sounds like it’s enough to make you curl up into a foetal position wrapped in a Dettol-soaked blanket mumbling random prose in haiku*, then this presentation is for you!

In Deep Behind Enemy Lines with SABSA, 20 years of practical experience is brought to bear to provide you with the joie-de-guerre to face an enormously complex and challenging environment, win allies and set-up yourself up to succeed with SABSA. Before you know it, you will dive headlong where angels fear to tread with a smile on your face, into the fray of a real corporate environment and revel in a resounding victory!

* based on actual events

This session will present a framework integration of SABSA and the ISA/IEC 62443 Standard Series which addresses Cyber Security for Industrial and Automation Control Systems. With the increased public awareness of cyber security incidents affecting Industrial Control Systems (ICS) and the industry drivers to converge Information Technology and Operational Technology, we need a true enterprise security framework that works for both IT and OT. The session will draw upon the presenter’s practical experience as a security architect working in Operational Technology environments. 

This session will educate and inform the audience about the nuance of Operational Technology (OT) cyber security through the application of ISA/IEC 62443. This application will enable critical infrastructure operators to manage their risks and opportunities for cyber physical systems in a truly holistic and whole of enterprise manner. The debate for convergence has passed, now it is about making risk informed integration decisions. 

The session will make it real by using a worked example of the fictitious State Power Corporation Enterprise Security Architecture. The session will also encourage audience participation in working through common assumptions for the state of OT cyber security and challenge the audience to consider the differences of IT and OT.

Does a scale-up software engineering company need a security architect to have a successful security program? Is strong technical leadership and a strongly business aligned security engineering community of practice enough? This session will interrogate the trade-offs and pitfalls of choosing to do away with the security architect role.

At MYOB, we set out to engender strong security practices as opposed to creating a security architecture. Our guiding principle is that the business aligned security team can build the solution with engineering teams in addition to guiding and influencing. We also asked what could be borrowed from architecture frameworks and applied to a digital products organisation. In a world where objectives and key results drive business outcomes can the SABSA attributes model be augmented to deliver the same security outcomes?

Are these concepts sustainable in the long term? How does a security program keep aligned to strategic outcomes with engineers, not architects.

More human interaction now occurs in the digital realm, than the physical realm. The internet is where our kids grow up. Software is running our physical world. Yet we have more vulnerabilities and more exploits than ever.

The cyber-security sector has historically been defined as the “protection of computers and networks”, and yet our roles are fast becoming way more than this...

This presentation covers "Digital Safety" and what that means, not only to us as practitioners, but particularly to the people who want to feel and be safe both online and in the physical world.

I’ll be challenging current thinking in areas such as:

• What happens when exploits to our digital realm impact the physical realm?
• Are we equipped to cope? Are our current “IT risk management and security protocols” sufficient to protect the physical world?
• Should boards be legally liable for physical injury caused by software breaches?
• Who would be willing to guarantee and warranty their systems against breaches?

In short, security weaknesses in our digital realm are already impacting our physical realm. What insights and learnings can we get from trying to build a world of “Physical Safety” into how we provide “Digital Safety".

This session will focus on the challenges of maximising the business value organizations can gain from their Security Architecture function in middle to large sized, compliance driven organizations, like finance and banking for example.

The session will be based on personal experiences in the Telecommunications and Financial industry. It will cover how combining enterprise architecture governance, information management approaches and other architecture models, frameworks and concepts will be essential for gaining value from an organization’s security architecture function.

While SABSA might be a good starting point for aspiring security architects to plan for security changes, it does not go into detail of integrating change and operations to deliver business value. For this it is important to understand business service models, business capability maps, organizational taxonomies and more. Enterprise architecture maturity and governance can have a huge impact on the value security architecture can contribute to a business. The presenter will share his experiences and views on these and other aspects, providing an insight into what factors outside of the Security Architecture function will be equally important when an organization wants to establish a more mature security architecture capability and get value beyond ticking a compliance box.

At the end of this session participants should be able to understand the challenges that need to be addressed when being asked to setup or mature Security Architecture capabilities in an organization. This presentation should assist CISOs, senior executives, and senior security architects in gaining a broader understanding of the interplay between security architecture, enterprise architecture and other business aspects, like corporate culture and organizational structure, when it comes to delivering business value through security architecture.

In the spirit of COSAC, this session will hopefully provoke lots of questions, discussions and sharing of experiences that will assist in building and maturing Security Architecture in organizations that not only want to tick the business compliance box when establishing a security architecture function, but also want to see to see some tangible returns like increased customer trust and business agility for example.

This timely discussion centers on the structural incentives of social media to allow misinformation to circulate on their platforms. Companies such as Facebook (Meta), YouTube and Twitter have long complained there is no way for them to effectively fight bots or misinformation, yet bot activity significantly decreased when Russian accounts were cut off after the invasion of Ukraine. This demonstrates that there are steps these companies can take if given sufficient incentive.

The problem is that the profit incentive of social media companies is diametrically opposed to some of their mission statements. The success of a social media platform is determined by engagement, whether that engagement is positive or negative. Engagement is easier using the tactics of disinformation. Showing people information that they will react to emotionally increases activity and profits for these corporations, regardless of whether the information is true or not.

This session will be unique in its scientific perspective on misinformation geared specifically toward security professionals. Our approach will be to examine the competing incentives of social media companies and discuss how the scales might be tipped in favor of accurate information. The value of our discussion will come from providing ways to leverage positive engagement and other tools to improve the culture of the internet landscape.

Good decisions are at the heart of every successful security architecture. A security architect must constantly make good decisions and sound judgements to protect business assets from harm and keep an enterprise safe. But what if these decisions weren’t always sound? What if these judgements were just plain wrong? The truth is that making good decisions is hard. Decade’s worth of behavioural science research has consistently shown that humans aren’t naturally wired to make good decisions. Our mental makeup is subject to many biases that impair our decision-making. In the context of SABSA security architectures, these biases can adversely influence how security architects make good risk decisions and protect business assets. Poor decision-making in this respect can be costly and jeopardise the overall value proposition of a security architecture. This presentation will focus on some of the more common biases that arise when designing security architectures and what can be done to overcome them.

Zero Trust Cybersecurity (ZTC) is emerging as the preferred security model for business and government and is now a critical national infrastructure mandate for US Government Agencies. ZTC differs significantly from the trust-model of traditional perimeter-focused security, requiring instead real time validation of access based on policy which dynamically adjusts to the cyber environment. The implementation of ZTC is a complex undertaking involving situational awareness of the cybersecurity state relating to identity, device, application, infrastructure, network, and data. This goes beyond the traditional triad of confidentiality, integrity and availability into attributes such as timeliness of authentication, assurance of device health as well as microdomain zoning and dynamic policy.

As organisations begin to implement zero trust in their infrastructure, there is a need to be able to measure the effectiveness of the infrastructure from a zero trust perspective. This requires measurements of both control performance and process maturity in order to effectively manage risk. In this presentation, we describe a model for measuring the performance of a critical infrastructure zero trust implementation using SABSA developed as part of a post-graduate research initiative on Zero Trust maturity.

One of the pillars of a well-functioning information security program is effective governance. Good governance tends to go unnoticed. Bad or ineffective governance however, becomes very apparent when “things go wrong”. What is good governance? How do you know if you have it or not? What is the value of having good governance and the penalty for not having it? These tend not to be the burning questions within the organization until bad things happen, and the inevitable question gets asked—how could this happen? I thought we had a policy for that. More difficult questions could follow from the Board. Governance is one of the main drivers and foundations in many if not most security architectures or frameworks. What is it and how do you get it? How do you know if it is good or not? Having defined security policies are not enough.

We will define what information security governance is and how it applies to all levels, from overall corporate governance and oversight through to the security program that is implemented and operationalized. We will define the “value of effective governance” and the evidence of ineffective or non-existent governance. We will have a look at what the standards such as ISO, NIST, the ISF, CIS CSC and several others have to say about the need for effective risk management and governance.

How do we build an effective information security governance model and get the right people making the right decisions, with the right accountability, at the right time to continually manage risk to the acceptable level, even when “things go wrong”? We will outline the top 10 things to consider and the critical success factors that will show you governance is working. Good governance provides effective management of business risk and is much, much more than just having good technology and policies.

My proposed topic is at this stage loosely looking at the application of the SABSA Architecture for Cryptographic Key Management for Cloud, Cloud-adjacent & On-prem alternatives – supported by some case studies.

It will also discuss ways to align to new Cryptographic protocols coming out of NIST to position companies for the quantum computing algorithms.

The value proposition for this topic will be that it covers 3 scenarios that could apply from large enterprises, to smaller enterprises – whether they are still utilising on-premise compute, or Cloud, or Cloud-adjacent models.

The uniqueness of this presentation is that hopefully the Cloud-adjacent model has not been previously presented at COSAC – so this would be a point of differentiation for the audience.

In terms of timeliness, with ever increasing demands for data protection, and businesses considering alternatives to the big Cloud providers, hopefully this will give the audience timely and relevant information for other cryptographic capabilities.

In terms of approach, the presentation content and style will be tailored to the expectations of the COSAC audience, as per previous presentations in 2017 (in Melbourne) & 2018 (in Sydney).

Do we truly think like an adversary when we build threat models? Are we constrained by our own box of rational thought and outcomes, unable to understand the “irrational actor’s” motives, tactics or outcomes? Is our “rational” understanding one of the key reasons we often fail to model the next obvious vulnerability in our systems? We will explore the blind side of how we approach threat modeling and discuss methods we could use to uncover and explore the method of the Chaos Monkey.

What are the reasons we often discount certain threats, methods, and outcomes as unreasonable, unlikely, or even crazy?

Are we working with blinders, unable to understand systemic risk around us which may contribute to the motivation and outcome in our threat model?

Do our countermeasures create opportunities?

Can we truly understand how the adversaries’ objectives may be different from our perspective?

How do we adapt to rapid changes in our understanding due to observed or experienced events?

The session will start by exploring what was accomplished in the 2022 Threat Modeling session at 2022 COSAC. We then will address what we know and what processes exist to help us unfold this difficult topic. We will then move into a group discussion where we will explore how we can leverage each other’s perspectives and ideas.

As SABSA architects we often focus on how to successfully engage with enterprise/organisation leadership about security programs to address enterprise/organisational challenges and the successfully delivery of security solutions/programs to meet those challenges.

These situations are focused more on the internal operation of the enterprise; but, what about the situation where security solution need to be proposed and delivered into another organisation as part of a larger business activity or capability delivery program?

Requesting Manager to You: “You are the security proposal lead for this major tender. The security part of the proposal is big factor in us winning (or losing) this business!”

You, the Security Architect Lead (thinking): “OK, so what do I need to do now?!”

The production of an effective security proposal that is an integrated part of a larger business proposal / tender response is a difficult activity that involves more than just formulating a proposed technical solution. It must meet many conflict needs (effective, bounded, compelling, minimum cost, etc). At the same time, the proposal will be the starting point for defining the potential future security program, if the tender is successful. Good choices made early make all the difference.

This session will discuss the challenges, experiences and lessons learnt from supporting security contribution to major business proposal or tender response activities.

Accident and fault management has been topic of high importance for many years. Understanding when even so small parts of a system are malfunctioning and what major or even catastrophic faults or accidents they might cause is of enormous importance in safety-relevant systems. Modelling techniques like STPA/STAMP or Bow-ties allow to explode a system into its smaller parts and construct hierarchies of controls, which can then be tested for their operating effectiveness that inform the causation or non-causation of a main event. This then allows for either improvement of controls (moving towards risk avoidance) or at least understanding of the implications and the risk (or residual risk).

This talk explores on how these modelling techniques should be applied to cyber risk, allowing to create more meaningful Key Risk Indicators and Cyber Risk Reports than are generally used in the industry and how to allow dynamic adjustment and re-calculation of the Risk position based on exposures found throughout daily security analysis work. It also explores how to codify such exposure hierarchies and speed up the provisioning of meaningful risk reports.

Since a means of expressing the security concepts in standard Enterprise Architecture modelling notation was first proposed at COSAC 2018, a great deal of progress has been made: a Working Group has developed, enriched and extended the original White Paper with the collective wisdom and experience of SABSA practitioners, the Security Overlay has been defined as a schema and the approach has been made accessible through webinars, presentations and this year, as a SABSA Training course with basic tool support.

While COSAC 2018-21 has traced the emergence of security modelling as an technique, its early-stage technical readiness meant that conference sessions were limited to discussion of concepts, ideas, possibilities and envisioned benefits based on small scale, proof of concept ‘laboratory models’.

This year for the first time, we expect to be able to present feedback from the application of this technique at scale in real-world case studies with an honest appraisal of where modelling delivered technical & business benefit, scenarios that were challenging or thought-provoking and where the technique might be headed in light of this experience.

At the time of CfP, the contracts for this work are just being signed with projects set for completion in the summer – so fresh content to be unveiled for the first time at COSAC. In addition to presenting the projects from the security architect’s perspective, we hope to be joined via video-link by a client representative who can present, and answer questions, from the customer viewpoint.

The value to the conference will not only be an awareness of an emerging technology but to stimulate a better understanding of what is increasingly possible, based on what is already being achieved.

It is a fundamental dilemma faced by all strategists: how to run strategy into reality?

Enterprise Architecture takes a long time to define and rarely starts from a green field site. Ordering I.T. to postpone all initiatives until the strategy is fully developed is a seriously career-limiting, if not life-threatening, move. Business innovation cannot stop, developments and improvements cannot be shelved or hang around waiting on Architects in their perceived ivory tower to complete their idealist thinking.

The Architecture may be brilliant work but what if we have an incident tomorrow, are we any safer while the Architect is doing their ‘thing’, can we demonstrate any value from a strategic initiative that isn’t yet deployed?

In practice, the Architect’s scope is rarely all of Enterprise in a single bite, but if we can’t start at the all-of-Enterprise end, where is the beginning? We must deliver something before we deliver everything. How do we scope an Architectural project or an RFP in practical reality?

By definition any starting point below all of Enterprise is not Enterprise, it is only one particular viewpoint or aspect of Enterprise: being Business-driven and looking downward we see multiple dependencies and relationships, many contributing “means to an end”, but looking upward from any non-Enterprise viewpoint as see an exclusive relationship – a single “means to an end”. This creates a tunnel vision that risks the creation of the very isolated silos we set out to remove. So, even if we can identify a starting point, how do we ensure that it is Architecturally consistent, holistic, and integrated with all the other aspects and viewpoints of our complex Enterprise that are currently out of scope?

Join us in this session to explore SABSA Architecture realisation techniques to help us overcome our eternal dilemmas.

Cyber security risk is one of the top non-financial risks for organisations. It can be present in almost any part of digital operations. The nature of the risk is both complex and broad due to the complexity of the attacks and evolving capabilities of the attackers. More often than not, risk assessments rely on static artefacts, unilaterally focus on controls and rely heavily on the biases of the person who is conducting the assessment.

This presentation will focus on how to instil a degree of pragmatism in the identification and evaluation of cyber security risk. Using real-life case studies, we will highlight how the development of plausible threat scenarios for the critical products and services, based on a threat modelling methodology, may be operationalised to embed an accurate reflection of the threat landscape in the risk evaluation and thus validate the relevance of the relationship between risk events and key controls. Utilising threat scenarios as the conduit between risks and controls helps to identify actionable insights, simplify remediations actions and improve the risk position of the organisation.

This unique discussion will address the structural limits of artificial intelligence such as machine learning in comparison to human intelligence. We will also consider the dangers posed by overestimating these systems and the responsibilities of professionals and organizations to manage expectations for their performance and monitor their function.

This session is timely because of the accelerating use of AI systems to determine everything from who to employ to how to treat diseases. While these systems’ decisions have increasingly impactful consequences, scrutiny of their structure and inputs has lagged behind. AI processes are unintelligible to the average IT practitioner or citizen, so it is increasingly important that those with the background and experience to understand its hazards prevent misconceptions, correct misinformation, and ensure responsible use.

The approach will be to outline the current state and direction of artificial intelligence systems in comparison to their fleshy counterparts, suggest actions that individuals and groups can take to mitigate the risks that their operation and perceptions of their operation can pose, and open the floor for discussion of these topics.

The value of this session is in presenting a scientific comparison of the differences between artificial and human intelligence and using that comparison to determine risk and suggest next steps.

In 2020, my then CISO tasked me with charting “the” Identity and Access Management Risk for the organisation.

That triggered me to not only list the standard risks, such as credential theft, but also the risks when dealing with 3rd parties: Sales agents downstream, and suppliers upstream, regulators, authorities…

Result: Sales Agent and Vendor Risk Management Assessments with (less) obvious risk. For example: if you have shared account (SABSA Trust Relation) with a printing company for your posters, how easy is it to get a picture of the CISO in a vampire suit onto a billboard in the street?

You can use SABSA to map that trust relations with the outside world, and then use threat modelling to list scenarios once the authentication has taken place, and classify risks as reputational, financial, availability risks. We present an easy to use table.

Further attention for IAM related issues such as key management on non-owned IAM systems, managing non-federated IAM with associated organisations.

This matters to Security Architecture, because these Trust Relations with vendors and agents are the foundation of the organisation’s business.

Despite huge investments cyber security continues to hit the headlines for all the wrong reasons. Each year brings new technologies that will, apparently, save us all. Away from the bright lights you’ll hear it is all about people: you need to increase awareness and adopt the right culture. If that doesn’t work there’s always AI, that’ll save us.

We sit in our ivory towers developing our architectures and programmes, assuming that ours is the one true way. But big data and the scientific method are failing us. Beyond the biases we’ve all heard about our data sets are often collected and applied across widely differing cultures. Those we look towards to steer us through the storm stick to the familiar, fearing or discounting the foreign.

We need to step back from the bird’s-eye view that encompasses so much, but at the cost of local context. What does the worm’s-eye view from the ground show us? Those strange people that don’t align to our expectations, that don’t behave correctly; they’re not irrational or uneducated, they just have different perspectives, different drivers, and maybe goals we’ve overlooked. We know what they’re doing, or not, but do we really understand why? We also need to look critically at ourselves: does our normal and familiar look weird and alien from the outside in?

As global recessions and pandemics hit, business leaders and politicians are looking to anthropologists to help them understand why people are behaving the way they are in the present and prepare for the future. Together we’ll discuss some examples, some parallels, and invite insights into cyber folklore and customs. By understanding behaviours better, we may be better able to influence them.

I had a brilliant 2019 having embarked on a spiritual pilgrimage walking the Camino in Spain and my intellectual pilgrimage to Ireland but like many of us my follow up experience in 2020 was less than ideal and I came out of that year needing to take stock of my general health and wellbeing.

It is a shared observation of my colleagues, that as we approach retirement, we look back at the last years of our careers to realise too late that we have worked harder, worked longer hours, taken less time for ourselves, managed very stressful jobs and feel like we are about to collapse, exhausted, over the finish line at the end of a marathon.

We have, to a certain extent, let ourselves go and we are no longer the fit young 30 somethings we used to be as we enter the next phase of our lives. Not the greatest when we now have the time to engage and enjoy the good things in life.

In this vein, and following 2020, I sort of undertook a personal health and wellbeing journey in 2021 with the aim of being “Retirement Fit”. I took a haphazard approach and by the end of the year I realised three things:

Firstly, this is not a one-year project – it is going to be an ongoing iterative process.

Secondly, a structured approach to this project (health and wellbeing) should deliver better and more consistent results; and

Thirdly, many of my younger colleagues (those thirty and forty somethings) who are falling into the ‘Working Harder, Working Longer, and Not Looking after themselves’ category might be able to benefit from this structured approach.

So, heading into 2022 I have applied SABSA to my health and wellbeing project to see if that will deliver long term sustainable outcomes and

This presentation uses SABSA as framework for health and well-being and presents the fundamentals of SABSA in a non-security and non-IT context.

What is an organization to do? You’re expected to master managing your cybersecurity risks, but the threats are constantly changing, and there are differing ideas of exactly what mastery means and requires. However, mastery isn’t enough. You need to be able to demonstrate your mastery to anyone who needs to know and in a way everyone, including business partners and regulators, can understand and accept. All within budget and available resources. How can you adapt your approach to satisfy all the demands and expectations?

The good news is that there many frameworks and standards to help you master your domain. This is also bad news, because there are many common (or not so common) standards and frameworks that influence how you organize your cybersecurity program. You already may have defined cybersecurity requirements and perhaps an organizing framework that is specific to your industry, required by regulation or aligned to your technical choices. However, all frameworks are not equivalent, nor are they intended to solve identical problems. You may be important gaps to fill in or conflicts to deal with. How do you navigate through this multiverse of choices for the framework that aligns to your cybersecurity requirements?

After establishing a common taxonomy, we will examine and categorize various approaches to cybersecurity frameworks using examples to illustrate the considerations. We will outline some the issues and challenges involved in defining or using cybersecurity frameworks to organize and manage your cybersecurity risk. We will discuss essential principles for establishing an effective framework foundation and outline a risk-based approach for effective management of your cybersecurity risk. We will review and discuss critical success factors for an effective cybersecurity framework. Have you leveraged a framework in your own organization and have some insight to share? Maybe together we can put frameworks to better use.

The COSAC "rump" has for many years been a hugely popular closing session to COSAC. Now, returning to APAC, is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

-Electronic submission: Send email to the rump session chair David Lynas at [email protected]

-Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 1st March.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. Each year we incorporate feedback from past attendees in order to enhance the experience and keep the scenarios interesting and applicable to real life!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Each year winners have proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client in order to deliver architectural guidance that will address their problems. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedInPage congratulating them on their achievement!Other spot prizes may be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design-off workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

In this exclusive COSAC half-day session we will investigate four unique aspects of our workplace and address the considerable challenges of hiring, developing skills, and supporting the well-being of our teams in one the most stressful professions of the digital age:

Recruitment

The journey starts with a novel and unique discussion on who we hire and how we manage from the perspectives of both neuroscience and information security.

Mentoring

Part 2 investigates humanity's attempts at passing on knowledge across generations and the lessons we can learn from them to build a strong mentoring program to develop and inspire new people.

Mental Health

Part 3 discusses the state of mental health in the cyber industry, emphasising the unique stresses faced by cyber security professionals, and outlines how industry can begin to tackle this challenge.

Career Change

We conclude the half-day session by revealing the unique challenges faced by professionals switching into security from other parts of the organisation. Using the true story of a career switch we will reveal the expectations versus the reality of a new team member being placed into the firing line.

This is a novel and unique discussion on who we hire and how we manage from the perspectives of both neuroscience and information security. Debunking prevalent Human Resource and Information Security thought leadership and training materials, this presentation addresses how many are adversely impacting the credibility of their presentations, themselves, and the profession by using a misinterpretation and misunderstanding of how the brain works.

Utilizing the false concept of “left-” and “right-brained thinkers” and other myths about brain differences to explain how we think and decide influences perceptions and detracts from otherwise accurate information and can skew materials to make them entirely incorrect. By establishing a faulty knowledge foundation, this impairs the ability of information security professionals to create appropriate defenses for malicious hacking attempts including hiring and managing diverse teams well-equipped to tackle problems.

The value in this session is providing information from current brain science to use in hiring and managing, including addressing gender bias. This discussion is timely as social engineering, human resource, and behavior experts are spreading misinformation. The approach of this session provides opportunities to challenge and give input while imparting attainable science on the real brain and the importance of diversity.

From the psychological significance of a parent-child relationship to the unravelling of the modern schooling system, in this discussion, we will approach humanity's attempts at passing knowledge on across generations and the lessons we can learn from them and apply in our daily social and professional engagements.

In this series of talks, you will be able to take away Three things.

A strong argument for the importance of mentorship in the building of a relatively new industry.

Building a working knowledge of some of the underlying biological processes that undergird human development

And a clear & PRACTICAL guide on how to begin your career as a mentor in your own domain of knowledge.

“If you are in cybersecurity and are constantly feeling angry, exhausted, bitter and you jump up to the ceiling when your company mobile rings — welcome to the burnout club.”

(CISO Burnout, Medium, 2021)

Recent industry reports state that workplace stress is impacting the mental health of cyber security professionals. In 2020, nine out of ten executives holding either the title of chief information security officer (CISO) or chief security officer (CSO) reported “moderate or tremendous” job-related stress. As a result, the average tenure of a CISO was just 26 months in 2020 due to high stress and burnout, and this is likely to have deteriorated further during the progression of the COVID-19 pandemic. It is further likely that similar trends are occurring not only within CISO groups, but across all role levels within cyber security teams. Consequently, Cybermindz.org was launched as a not-for-profit initiative to support mental health in the cyber sector. Cybermindz’ mission is to deliver peer-informed, effective, accessible relief and resilience building to stressed and embattled cyber teams. We use military grade, evidence-based protocols to counter burnout. Our message is that resourcing prevention is a better strategy from a compassionate, continuity and cost standpoint. In this talk, Andrew Reeves (Psychologist & Cybermindz Director of Organisational and Behavioural Research) discusses the state of mental health in the cyber industry, emphasising the unique stresses faced by cyber security professionals, and outlines how industry can begin to tackle this challenge.

Why would an infrastructure Specialist want to move across to security and put themselves in the firing line of the business?

Join me as I look through the past year as I moved from IT infrastructure and IT Service Management to Information Security. What expectations I had and what was the reality.

I came into a business that had a lot of work, the role was separated from the technical function, and had to ensure the technical teams were deploying and maintaining a secure environment.

Moving into a new specialism is daunting, especially when you change business and industry at the same time. When there is a myriad of issues, where do you start? How do you prioritise the issues, balance self-expectations and feel like a useful member of the team?

I will explore what are common perceptions of security teams from the greater IT team.

Look into the training pressures for a newcomer? How are we supposed to stack up against security professionals that have evolved with the industry? And how do you find new talent and entice quality security professionals to the field?

In your security architecture quest have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions often have an answer that ultimately resolves to the response, “it depends”. This is because most of the time it is true, the answer to your question/problem depends on your situation and what you are trying to achieve. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is often in knowing which part of the methodology to use, and where to start with the situation you are in.

In this session, attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching, and applying the SABSA methodology. Any SABSA Master’s in attendance at COSAC will be welcome and encouraged to participate as they are available.Input from attendees will essentially build the agenda for the conversation and we will attempt to cover as many topics and questions as possible. Of course in the “COSAC way” there will be plenty of group debate and interaction, and no shortage of experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.

Since the idea of a Security Overlay for ArchiMate was first introduced at COSAC 2018, a great deal of progress has been made - principally via the Working Group dedicated to the modelling of SABSA in ArchiMate (MSA). This culminated in a revised White Paper, a schema definition of the Overlay and the introduction of a 2-day training course to the SABSA Institute catalogue.

This proposal for a half-day workshop would be an abridged version of the full course with the following goals:

• - To raise awareness of the SABSA course’s availability, contents and objectives.
• - To show, through a hands-on session, how the Overlay can be used within an EA modelling environment to create the following artefacts, easily and productively:
  • - SABSA Business Attribute traceability;
  • - Compliance with security standards & frameworks;
  • - Threat Models;
  • - Risk Analysis.

• To demonstrate that the use of these models goes well beyond the creation of documentation but an ‘active’ resource capable of being validated and analysed.

The workshop will step through examples that have been derived from anonymised, real-world consulting assignments, selected to highlight the advantages of being able to overlay security concepts onto the context of an EA model (e.g. situational awareness) that are not possible in traditional approaches (spreadsheets and checklists).

The value to the conference, is likely to be two-fold:

• - For practitioners seeking ways of applying SABSA pragmatically and at scale, it provides a quick induction to the course, open-source tool support, supplemented by SABSA Institute resources;
• - For others engaged by the ‘Case Studies’ presentation (separate but independent CfP submission), it provides further detail on the methodology and a pathway to achieving the same in their own organisations;

If delegates would like to actively participate (rather than just observe), they should come prepared with an installation of Archi ( open source ArchiMate modelling tool) and if possible, the jArchi javascript plug-in.

As always, this will be original content, being presented at conference for the first time.

Registration for the SABSA World Forum is separate to COSAC 2023 and can be completed fee of charge at https://www.eventbrite.co.uk/e...