SABSA measures the impact of risk on attribute performance targets within a domain and we use these measures in decision support for our control objectives. This SABSA domain model paints a tropical canvas of business attributes isolated deep in a domain jungle with the where-abouts known only to the domain owner. Forging into this domain we might take care to draw upon multi-tiered attributes to describe how risk is systemically transferred from one attribute to another - but can an attribute directly support another attribute or are we searching for the missing link in this view?

In this presentation I will detail all the missing elements needed to properly excavate a multi-tiered attribute view. I’ll demonstrate how systemic risk is really transferred between elements in a multi-tiered attribute view and how this missing link is actually part of the powerhouse that drives the implementation of SABSA in the real world. Attendees will emerge from this domain jungle with a solid gold view of what the multi-tiered attributes view really represents and how it can be used to delegate risk successfully in your next expedition.

Achieving cyber resilience for our critical systems using traditional, human-intensive methods is becoming more difficult as adversarial tactics, techniques and technologies outpace our current cyber defenses. New and disruptive techniques are needed to not just catch-up to the increased risk of cyber threat vectors, but to surpass the threat to attain cyber resilience.

This presentation provides an introduction of how we can collaboratively develop and acquire Autonomous Intelligent Cyber-defense Agents (AICAs) for next-generation cyber resilience.

This presentation explores and discusses the future of autonomous cyber defense and resilience techniques from the human perspective; as well as how this new paradigm for autonomous intelligent cyber-defense agents may be integrated with our human cyber protection team with transparency and explainability. It introduces the AICA International Working Group’s ongoing efforts to develop a new reference architecture for implementing autonomous intelligent cyber-defense agents and transition the science from concept to reality for battlefield applications.

We will discuss the definition for intelligent cyber-defense agents, and the requirements and challenges associated with this approach, including: Infrastructure, architecture and engineering; Individual and collective decision-making; Stealth and resilience; Societal considerations.

We then examine and discuss modernizing for tomorrow through the application of cyber-defense agents by exploring the need and requirements for human-machine teaming. This portion of the presentation will present novel techniques for aligning human and machine mental models and user interface techniques for gaining transparency and explainability for artificial intelligence (AI) and cognitive solutions.

The space sector is undergoing a new surge in activity as major advances in technologies create opportunities for existing space systems owners (e.g. governments, SATCOM telcos) and new players to design, build, launch and operate new space systems and services. At the same time, there is increased use of and reliance on space services within the general economy.

All space systems and services are complex technology-based platforms that have specific cybersecurity concerns and attributes. This session will discuss these issues around the application of cybersecurity to space systems, current developments in security in the sector and review the applicability of specific SABSA attributes to the security architecture of space systems.

Exercises are useful training, validation and discovery tools for any security program but are also becoming formal business requirements. Many legal and governance frameworks such as CPS234 and the Australian ISM call for regular testing of incident response systems. As a result security leaders find themselves adding exercises to their calendar and wondering how to effectively conduct exercise campaigns while showing positive return on investment.

It’s dangerous to go alone. Fortunately we can turn to the field of serious games for tools and maps to ease the path. We will venture through the key conceptual landmarks, drawing linkages to familiar architectural concepts using a SABSA lens. The journey will build on existing security architecture muscles to support both exercise design and evaluation. This session will guide you to design your campaigns to align with your security priorities. We will explore ways of defining what ‘good’ looks like and translate that into exercise design. You will leave the session with clear signposts for demonstrating the impact and value of your exercise program to your leadership team.

This session will guide you to design your campaigns to align with your security priorities. We will explore ways of defining what ‘good’ looks like and translate that into exercise design. You will leave the session with clear signposts for demonstrating the impact and value of your exercise program to your leadership team.

Despite the investment in cyber security over decades, many security teams are still wedded to qualitative methods. When the business comes asking for our evaluation of something it all comes down to will the answer be high, medium or low this time? We categorise into one of 3, 4 or maybe even 5 ordered categories. Based on these ordinal scales we turn out the same charts to communicate security to the business. We still hear the argument that senior leadership’s brains would explode if we tried to explain it. But they think we’re just fudging it and say, “what do you expect us to do with this?”. They want a number. Numbers can be added, multiplied and averaged. They can be compared to other people’s numbers; they can be plugged into models. This is the 21st century, quantitative methods are what is needed.

So now we get asked for a number? Once delivered that number will be the expert opinion, quoted as gospel and combined with other such numbers in ways we cannot begin to comprehend, and cannot control. It’s true, there are less places to hide: we’re now being asked to be certain of our uncertainties. So, what to do? We do what everyone would do, we pad the numbers and we do it early. When combined the padding grows and the numbers lose even more accuracy. But they also gain the illusion of precision, which merely serves to make them more trustworthy to the masses. Oh, and the numbers are often just as subjective as the qualitative methods that came before.

Do we even consider the risks relating to our risk management frameworks and methods themselves? If we misrepresent risks to the business, it may not be those risks that derail us, but the decisions made based on the bad data. SABSA does not magically resolve this issue: it is commonplace to see single numbers for risk (and its constituent elements), performance targets and risk appetite.

This session will discuss some pitfalls of quantification as well as questions such as:

• - How can we express our uncertainty so that it survives the calculations that will follow?
• - How can we improve our objectivity and deliver numbers that we’re confident are accurate and are sufficiently precise?
• - How do we enable aggregation with numbers we didn’t produce?
• - Do we need expensive specialised tools to get started?

In this session we will discuss the growthofacybersecurity risk management program at a Healthcare organizationduringthe COVID-19 pandemic.In addition tothe pandemic,wewerealso experiencing an unprecedentedincrease in targeted cybersecurityattacks, as well asmaintaining consistent organizational growth.We will discussthe significant executive leadership support that enabled and drove thecybersecurity improvementeffortseven whilethey weredealing with the significant impacts of COVID-19, and setting up the organization as a leader both regionally and nationally. The key topics will include discussion of our efforts aroundthe enterprise cybersecurity risk management programand IT vendor risk managementprogram, as well asthe significant collaborationswith IT and clinical colleagues that have proven to beessentialto our success.We will discusssuccesses, lessons learned, and next stepsas our journey continues.

Despite the ever-increasing investment in cyber security, organisations are still struggling to implement an integrated approach to cyber risk management and reporting. More often than not decision makers rely on poorly structured reports which are skewed towards technical jargon and as such fail to convey an accurate or consistent articulation of the risk exposure.

This presentation will cover the common pitfalls of attempting cyber risk quantification, even in mature end-client environments, in an attempt to frame the problem and identify its main root causes. It will then move to introduce a more architecture-focused approach on how to build an integrated single data model that encapsulates the security fabric and holds everything together as an interdependent network of nodes. The structure of the data model, with its various layers of abstraction, provides a reliable mechanism to utilise actuarial data, mine insights and support effective decision making. Most importantly, it breaks away from the siloed mentality and the disconnected thinking it usually fosters, puts the emphasis on what is materially important and communicates the most essential information for a complete risk profile.

This timely presentation addresses the escalation seen in ransomware (wiperware) tied to the Russian Federation, uniquely framed by an experienced hospital system CISO. Healthcare is currently one of the top three sectors being targeted, and healthcare systems are particularly susceptible because basic security controls are not in place within highly integrated systems with limited funds and manufacturers still sell systems with obsolete operating systems.

Organizations are being advised to spend resources on ransomware tabletop exercises, technology solutions, security awareness training, memberships in organizations, and specific technology controls to protect them from ransomware. Recommendations from the FBI include “be[ing] a cautious and conscientious computer user,” implying that the average user is not being conscientious if they fall victim to ransomware.

The approach of this presentation is to discuss the different strategies that should be used in healthcare while providing patient care and finding innovative treatments and cures, with complex systems that are constantly changing. Participants will have the opportunity to challenge or build on these strategies, which can also be leveraged in other business verticals.

The value in this discussion is that it will leverage SABSA to focus on the business requirements to determine which controls help meet the business objectives.

“They are in front of us, behind us, and we are flanked on both sides. They can’t get away from us now!”

– Lt.Gen. Lewis “Chesty” Puller, USMC

The environment is a mess. The architects are proselytizing. The engineers want you to go away. The project managers are flogging dead horses everywhere while shutting out distractions from you. The auditors are sticking the knife into you. Management is screaming at everyone for updates. The business hates the whole damn lot fo you.

And there you are, right in the centre of the storm, being handed your rifle, pointed at the direction of the enemy and told to start running!

All too often, we are faced with the unenviable circumstance of being dropped into a swirling maelstrom of conflicting goals, priorities, challenges, ideas and personalities, and are expected to start pulling rabbits and unicorns out of the proverbial hat – and all while being watched and ruthlessly judged by your peers, your management and the Board!

If all that sounds like it’s enough to make you curl up into a foetal position wrapped in a Dettol-soaked blanket mumbling random prose in haiku*, then this presentation is for you!

In Deep Behind Enemy Lines with SABSA, 20 years of practical experience is brought to bear to provide you with the joie-de-guerre to face an enormously complex and challenging environment, win allies and set-up yourself up to succeed with SABSA. Before you know it, you will dive headlong where angels fear to tread with a smile on your face, into the fray of a real corporate environment and revel in a resounding victory!

* based on actual events

This session will present a framework integration of SABSA and the ISA/IEC 62443 Standard Series which addresses Cyber Security for Industrial and Automation Control Systems. With the increased public awareness of cyber security incidents affecting Industrial Control Systems (ICS) and the industry drivers to converge Information Technology and Operational Technology, we need a true enterprise security framework that works for both IT and OT. The session will draw upon the presenter’s practical experience as a security architect working in Operational Technology environments. 

This session will educate and inform the audience about the nuance of Operational Technology (OT) cyber security through the application of ISA/IEC 62443. This application will enable critical infrastructure operators to manage their risks and opportunities for cyber physical systems in a truly holistic and whole of enterprise manner. The debate for convergence has passed, now it is about making risk informed integration decisions. 

The session will make it real by using a worked example of the fictitious State Power Corporation Enterprise Security Architecture. The session will also encourage audience participation in working through common assumptions for the state of OT cyber security and challenge the audience to consider the differences of IT and OT.

Does a scale-up software engineering company need a security architect to have a successful security program? Is strong technical leadership and a strongly business aligned security engineering community of practice enough? This session will interrogate the trade-offs and pitfalls of choosing to do away with the security architect role.

At MYOB, we set out to engender strong security practices as opposed to creating a security architecture. Our guiding principle is that the business aligned security team can build the solution with engineering teams in addition to guiding and influencing. We also asked what could be borrowed from architecture frameworks and applied to a digital products organisation. In a world where objectives and key results drive business outcomes can the SABSA attributes model be augmented to deliver the same security outcomes?

Are these concepts sustainable in the long term? How does a security program keep aligned to strategic outcomes with engineers, not architects.

More human interaction now occurs in the digital realm, than the physical realm. The internet is where our kids grow up. Software is running our physical world. Yet we have more vulnerabilities and more exploits than ever.

The cyber-security sector has historically been defined as the “protection of computers and networks”, and yet our roles are fast becoming way more than this...

This presentation covers "Digital Safety" and what that means, not only to us as practitioners, but particularly to the people who want to feel and be safe both online and in the physical world.

I’ll be challenging current thinking in areas such as:

• What happens when exploits to our digital realm impact the physical realm?
• Are we equipped to cope? Are our current “IT risk management and security protocols” sufficient to protect the physical world?
• Should boards be legally liable for physical injury caused by software breaches?
• Who would be willing to guarantee and warranty their systems against breaches?

In short, security weaknesses in our digital realm are already impacting our physical realm. What insights and learnings can we get from trying to build a world of “Physical Safety” into how we provide “Digital Safety".

This session will focus on the challenges of maximising the business value organizations can gain from their Security Architecture function in middle to large sized, compliance driven organizations, like finance and banking for example.

The session will be based on personal experiences in the Telecommunications and Financial industry. It will cover how combining enterprise architecture governance, information management approaches and other architecture models, frameworks and concepts will be essential for gaining value from an organization’s security architecture function.

While SABSA might be a good starting point for aspiring security architects to plan for security changes, it does not go into detail of integrating change and operations to deliver business value. For this it is important to understand business service models, business capability maps, organizational taxonomies and more. Enterprise architecture maturity and governance can have a huge impact on the value security architecture can contribute to a business. The presenter will share his experiences and views on these and other aspects, providing an insight into what factors outside of the Security Architecture function will be equally important when an organization wants to establish a more mature security architecture capability and get value beyond ticking a compliance box.

At the end of this session participants should be able to understand the challenges that need to be addressed when being asked to setup or mature Security Architecture capabilities in an organization. This presentation should assist CISOs, senior executives, and senior security architects in gaining a broader understanding of the interplay between security architecture, enterprise architecture and other business aspects, like corporate culture and organizational structure, when it comes to delivering business value through security architecture.

In the spirit of COSAC, this session will hopefully provoke lots of questions, discussions and sharing of experiences that will assist in building and maturing Security Architecture in organizations that not only want to tick the business compliance box when establishing a security architecture function, but also want to see to see some tangible returns like increased customer trust and business agility for example.

This timely discussion centers on the structural incentives of social media to allow misinformation to circulate on their platforms. Companies such as Facebook (Meta), YouTube and Twitter have long complained there is no way for them to effectively fight bots or misinformation, yet bot activity significantly decreased when Russian accounts were cut off after the invasion of Ukraine. This demonstrates that there are steps these companies can take if given sufficient incentive.

The problem is that the profit incentive of social media companies is diametrically opposed to some of their mission statements. The success of a social media platform is determined by engagement, whether that engagement is positive or negative. Engagement is easier using the tactics of disinformation. Showing people information that they will react to emotionally increases activity and profits for these corporations, regardless of whether the information is true or not.

This session will be unique in its scientific perspective on misinformation geared specifically toward security professionals. Our approach will be to examine the competing incentives of social media companies and discuss how the scales might be tipped in favor of accurate information. The value of our discussion will come from providing ways to leverage positive engagement and other tools to improve the culture of the internet landscape.

Good decisions are at the heart of every successful security architecture. A security architect must constantly make good decisions and sound judgements to protect business assets from harm and keep an enterprise safe. But what if these decisions weren’t always sound? What if these judgements were just plain wrong? The truth is that making good decisions is hard. Decade’s worth of behavioural science research has consistently shown that humans aren’t naturally wired to make good decisions. Our mental makeup is subject to many biases that impair our decision-making. In the context of SABSA security architectures, these biases can adversely influence how security architects make good risk decisions and protect business assets. Poor decision-making in this respect can be costly and jeopardise the overall value proposition of a security architecture. This presentation will focus on some of the more common biases that arise when designing security architectures and what can be done to overcome them.