In this session, we demonstrate how risk floats exactly like bricks don’t.

Sailors will tell you that you want to sail as close to the wind as possible to maximise your speed and this risk concept, while oft miss-used by the non-nautical, is a great analogy for maximising your performance in a risky environment.

The often-tragic events in humanity’s conquest of the great oceans, demonstrates the severity of negative outcomes in sea of ever changing risks.

In this SABSA presentation we take a deep dive into managing risk with SABSA, demonstrating clearly, using maritime success and disasters, how doing business means taking risk.

We ask how much risk is enough and how much risk is too much? We will get our feet wet answering the question - In the deep blue do we always want to operate in the green?

We will plumb the depths of SABSA attribute performance targets and suggest raft of extensions to buoy our ability to manage risk within appetite, helping us sail closer to the wind to rapidly meet our goals.

Attendees will take away new findings regarding SABSA performance targets, for both positive and negative risk and systemic risk interactions, helping them and their organisations plot a course through the uncertain business risk environment.

This session is recommended for anyone interested in measuring risk and would serve as a ship load of ideas for a SABSA Masters’ thesis, telescoping suggested extensions to the framework to provide additional guidance to captains of change.

“Alright, you primitive screwheads, listen up! You see this? This... is my BOOMSTICK!!!” – Ash Williams, Evil Dead 4

Ahhhhhhhhhhhhhhhhhh, Risk: no other topic bears as sweet a perfume, as intoxicating a character, as entrancing an allure...

... Nor, for some reason, as predisposing an invitation to an uninvited critique from those around you (including, I might add, from yours truly).

That we all do this to each other is a good sign that the way we think about Risk is full of complexity, character and a seemingly bottomless well of nuance from which any amount of pithy insight can be drawn.

‘That’s all well and good, but you should model your opportunities.’

‘I can see your inherent risks, but where are your cascading risks?’

‘That’s a discrete risk, what about the aggregate risk?’

‘There’s too much detail here, roll it up.’

‘This is too abstract, break it down.’

‘That’s not a risk.’

Yet amidst the hoity-toity brouhaha of the Risk enthusiast lies the rock-solid, time-worn lesson:

Suck at Risk and you suck at your job.

That’s why, shoppers, you need the RISK BOOMSTICK™! 25 years of not sucking at Risk is distilled down into an eensy weensy power-packed (like me) 1 hour presentation for your enjoyment, pleasure and 100% money-back-guaranteed satisfaction*. Chock-packed full of nuanced techniques, revitalised ideas and all-weather analysis ammo to get you out of any situation, this baby will eat up ANYTHING you feed it and never fail to deliver whatever is on your sights and on le-plait-de-jour!

That’s right. Shop smart! Shop S-MART!

* 100% money-back-guarantee not included

Trust is an integral part of human nature and society. However, ‘Zero Trust’ is a hot topic among security professionals, vendors, regulators, assurers, and business stakeholders. The immediate impression one gains from ‘zero trust’ is ‘no trust’, though the concepts and principles described by zero trust are about the maintenance and provision of continuous trust.

The presentation uses SABSA frameworks and methodologies to argue the case for a holistic ‘Business Trust Model’ that can be architected to assist the business and its stakeholders in making informed decisions on the business trust strategy they could implement. The ‘Business Trust Model’ explores the entities that play a part in providing business trust and their interactions, the definition of business trust as attributes of value to the business, the risks (opportunities and threats) associated with business trust, the use of attributes of business trust to map the capabilities of tool and processes related to business trust and means for justifying the capabilities required, the type of governance and assurance processes that are required for business trust to be immutable, the use and interplay of logical and physical domains in business trust, and the time dependencies related to trust.

Do we truly think like an adversary when we build threat models? Are we constrained by our own box of rational thought and outcomes, unable to understand the “irrational actor’s” motives, tactics or outcomes? Is our “rational” understanding one of the key reasons we often fail to model the next obvious vulnerability in our systems? We will explore the blind side of how we approach threat modeling and discuss methods we could use to uncover and explore the methods of our adversary!

• - What are the reasons we often discount certain threats, methods, and outcomes as unreasonable, unlikely, or even crazy?
• - Are we working with blinders, unable to understand systemic risk around us which may contribute to the motivation and outcome in our threat model?
• - Are our adversaries using AI to undermine our controls?
• - How do we adapt to rapid changes in our understanding due to observed or experienced events?

In this session we will leverage the work from the 2022/2023 working sessions at both COSACs. We then will build on these ideas with our combined experience and discuss what mechanisms and processes exist to help us unfold this difficult topic and see if we can create a method to address these threats.

‘Words mean things’, as Drill Sergeant once enthusiastically bellowed at me after failing to communicate effectively. I came to understand this was because of the lethal consequences of the profession he was training me for.

When undertaking any work as a risk professional, it behooves us to proceed with caution and choose our words wisely. Business Drivers, Attributes and the careful crafting of their definitions for the Enterprise to which they belong are foundational to the ESA toolbox. With our work, we hope to capture complexity within plain language expressions while remaining flexible and removing ambiguity.

This session is for those who feel that creating meaning from words is both a powerful and dangerous undertaking. These brave persons will want to better harness language for their work. It is also for anyone who enjoys a cheeky bit of wordplay.

Attendees will be exposed to principles and tools from game design, systems engineering and linguistics. These concepts will be connected back to Security Attribute writing and demonstrate their utility for ESA. By the end of the session you will be equipped to define Requirements and Attributes with the decisiveness of James Murray heading the Oxford Scriptorium

As Australia continues to adopt renewable energy resources, virtual power plants (VPPs) are becoming an increasingly popular solution for integrating renewable energy sources into the grid. A VPP is a cyber-physical system that coordinates the operation of distributed energy resources (DERs) such as solar panels, wind turbines, and energy storage devices.

While VPPs offer numerous benefits, such as improved grid stability and flexibility, they also introduce new attack surfaces and opportunities for exploitation. This talk will review recent developments in VPP technologies and their security ramifications, and present a consolidated VPP threat model. As a class of emerging technologies where adoption tends to outpace security practice, the practice of threat modeling and security by design is imperative for VPPs.

Architectural characteristics of VPPs can vary significantly depending on the deployment and operating model. However. a number of key features tend to recur and are worth noting from a security perspective:

• - Centralised command and control to enable efficient management and optimisation of energy flows, often hosted in the public cloud
• - Connectivity between the VPP cloud and onsite equipment such as inverters, solar panels, generators, and batteries, via a ruggedised site controller.
• - Real-time energy trading platforms that leverage telemetry from enrolled DER assets and onboard analytics to enable more intelligent energy economies
• - Digital twins and actor-oriented systems which represent real-life devices and enable dynamic, programmatic management of fleets of DER assets

Each of the above components possess specific attack surfaces each of which merit threat modeling in their own right. For example, compromise of developer access for the central VPP management platform, or via compromise of the software supply chain, may allow an adversary to tamper with energy resource operations at scale or further penetrate into environments where DER devices are deployed. Such tampering may be pursued by direct modification of configuration parameters (e.g., setpoints) in devices themselves, or through abuse of rules that govern the VPP's energy management logic. In the onsite context, the inherently distributed nature of DER equipment may permit fairly liberal physical access of adversaries to such devices, and represent an attractive foothold from which to probe the broader VPP architecture for vulnerabilities. The services supply chain for installation and commissioning of DER equipment, in which multiple sets of general contractors, subcontractors, installers, and other third parties may have custody of a VPP-enrolled device throughout its lifecycle, is a common factor in VPP-related deployments which significantly extends the attack surface of the overall VPP.

In order to correct the typical tendency for security to follow in the path of decisions already made, it is emphasised that critical infrastructure owners and operators that seek to benefit from VPP technologies understand their threat model and leverage the threat model to guide better security decisions for such projects. The resulting consolidated VPP threat model (aligned to the MITRE ATT&CK framework) presented in this talk is offered as a template for the community of critical infrastructure asset owners and operators to utilise as they see fit.

It can be difficult to explain SABSA’s value to folk who have not actively become enmeshed in planning for, implementing, or operating information security controls.

I will present a simple (perhaps simplistic?) framework using graphical constructs of Linear Programming (LP) to convey – from a top-down holistic perspective – the value in business terms of adopting the SABSA framework to inform information security architecture development.

By holistic, I mean that not all of SABSA’s value can be easily communicated – even to a technologically erudite audience – using reductionist perspectives, in which the value propositions are explained in terms of itemised lists of specific components and sub-models.

In contrast, from a business and technology senior leadership perspective, key messages are best communicated verbally and visually in a ‘BLUF’ manner: Bottom Line Up Front.

• - What’s in it for those senior business/technology leaders …
• - … Who have the authority to commit resources to address information security concerns?
• - Why should they care?
• - Where and When is it best to advocate for using SABSA?
• - How can graphical LP constructs be used to communicate the answers to the above?

To expand on the graphical LP construct, further details are best presented in subsidiary artefacts which can then be pored over by éminence grise functionaries.

Major incidents can be described as being a form of organised chaos. As the duration of the incident response extends, the risks to your personnel can become extreme. These risks can and do often compromise the efficacy of the Incident responses. Jack has seen people physically collapse or even suffer heart attacks exacerbated by the evil nexus of exhaustion and stress.

For smaller organisations and teams, fatigue management often becomes an afterthought during their first major incident – usually after someone “loses their shit”. By preparing in advance, you can mitigate the adverse effects on your personnel and help to ensure a more rapid and effective response for the harder incidents that run into days weeks and even months.

In this session, Jack will describe the key artifacts required of which your Incident Response Plans, Disaster Response Plans and Business Continuity Plans should all leverage off. These artefacts and the forethought required to create them will maximise the focus your key personnel can bring to bear on the incident at hand and help to ensure your response is not inhibited by mistakes tired people make whilst also helping to minimise the impact on your most important asset – your people.

The session will illustrate how two key attributes can shape the discussion of the Metaverse, what it is in business context, what it means from an end user perspective, the types of metaverses and a sequenced approach in terms of shaping its delivery strategy. This session will show some insights on how to introduce the concept to the organization as a case study, through to creating awareness and balancing compliance and security requirements.

The Markov chain is a well-known mathematical tool for evaluating the probability of a series of interdependent events. Risk-based domains such as reliability and security can make use of this state-based process model to better assess the likelihood of a given fault scenario, but such analyses typically take place in a fashion that is not integrated with the architectural/design model of the system-of-interest. As systems grow in complexity, our ability to fully understand the holistic nature of risks and how to manage them is increasingly challenged by the absence of established methods that can associate risk evaluations with those systems’ authoritative architecture and design models, especially as the pace of engineering development processes quickens.

This topic explores a method for modeling and analyze system security risk using adaptations of the Risk Analysis and Assessment Modeling Language (RAAML). It provides the means to accurately express Markov processes in the same foundational language used for Model-Based Systems Engineering, thereby inherently improving the integration of security analyses and engineering development processes. This enhanced integration of processes can yield results that are both more timely and of better quality, thus increasing our confidence in the engineered system’s security.

The ability of an Enterprise to collect diverse but inter-connected Risk information, integrate it, align it, view it, and consider it holistically, may be the difference between success and failure.

“This capability is what separated the banks that survived the financial crisis from those that failed. The failed companies had relegated risk management to a compliance function.” Harvard Business Review 2012

A complex system such as today’s modern enterprise is composed of many constituent parts which interact, are inter-dependent, with conflicted and systemic relationships. It is an eco-system, changing organically because of the innovations and behaviours of its parts, each of which has its own objectives, success factors, methods, risks and opportunities. The Enterprise and/or its parts also interact with the ever-changing environment in which it exists. A complex Enterprise cannot be defined by reference to its constituent parts alone because no part is completely independent of the behaviour of the other parts.

And yet an Enterprise can spend huge resources and finances on checklist-based, compliance-driven, highly subjective, non-normalised, isolated, siloed risk assessments and treatment plans.

“Insanity is doing the same thing over and over again but expecting different results.” Albert Einstein

The traditional approach to Risk is fundamentally flawed. We know it is broken and not fit-for-purpose in real world complexity, but we continue to blindly do things the way they have always been done simply because they have always been done that way.

When viewing the Enterprise as a complex system, failure to understand the complex nature of risk is itself the greatest risk of all. We cannot predict all failures and cannot model all successes. Pull one end of the spaghetti and all sorts of interesting things start to unravel and fall off the plate. What is good news for one authority may represent horribly bad news for another. But the question is, how do we approach this challenging subject to achieve the systemic understanding that the Harvard Business Review suggests?

Just as a system depends upon subsystems and processes depend upon subprocesses, so each perspective of SABSA (What, Why, How, Who, Where, and When) can be modelled as a layer-independent dependency chain where each dependent element sets the requirements for each dependency, and each dependency meets the needs of each dependent element. At the same time, we can understand the inter-relationships between the perspectives that often present real-world risk tensions or conflicts.

By using this technique, we can more clearly identify complex relationships to articulate clear risk context, empower accurate, meaningful control and enablement decisions strategically, tactically and operationally, and identify true risk owners and decision-making authorities.

In today's landscape of increasingly sophisticated and persistent cyber threats, it is crucial for organisations to leverage Cyber Threat Intelligence (CTI) and effective effectively integrate CTI in to other business units (downstream consumers) such as risk functions, Internal audit, architecture, engineering, sec-ops, security testing, SOC, to enhance the collective decision-making capabilities of the organisation. This presentation emphasizes the importance of leveraging CTI more directly and efficiently in decision making processes with an organization to achieve the desired business outcomes. Attendees will gain valuable insights into the practical steps and best practices required to strengthen their organisation's defenses by integrating CTI within their existing security infrastructure. The following topics will be explored in the presentations.

• - Understand your organization's business and resulting security objectives
• - Understand your downstream organisational consumers and contextualising CTI
• - Define CTI goals and requirements based on security objectives
• - Identify and integrate CTI sources
• - Establish data collection and processing
• - Develop intelligence analysis capabilities
• - Enable threat intelligence sharing and its integration with risk and technology governance
• - Integrate CTI into security operations / incident response
• - Implement CTI led threat hunting capabilities.
• - Foster collaboration and cross-functional engagement
• - Establish feedback loops and continuous improvement
• - Stay updated and adaptive

The ever increasing reliance on technology has drastically shifted how organisations function. The interconnectedness and convergence of the digital solutions, together with the business opportunities they bring, increase the number of critical failure points. The latter explains why regulators, across the globe, have been particularly active in this topic and consequently resilience has become the latest global hot topic in many sectors.

A key premise of building cyber resilience is to develop an in-depth understanding of ‘what is materially important’ for the business. Analysing the important business services into the processes, technology and people defines the quantitative and qualitative characteristics of those assets which need to be preserved even during a successful cyber attack.

This presentation will demonstrate how SABSA methodology can be leveraged to capture the business context and how the business context in turn becomes a strong foundation to build a robust cyber resilience. Instead of addressing the challenge from a theoretical point of view, real-life use-cases will be presented from the financial services and energy sectors. Emphasis will be given on the operationalisation of SABSA methodology to capture the idiosyncrasy of the organisation, demonstrate the relevance of the security services, model the security posture and become the conduit that brings together the risk management framework, threat scenarios, control library and operational controls.

Over the last two years, Axenic has embarked on a journey to modernise aspects of its Governance, Risk and Compliance (GRC) offerings. Almost one million dollars later, coupled with numerous scars, Axenic became the first Archer IRM customer to multi-tenant a single instance of the platform for small and medium customer. This is not the end of the journey, it is the tip of the iceberg.

This session is an automation vs modernisation discussion exploring what to automate (or not to automate), and how to modernise GRC. Axenic will share successes, failures and expensive lessons learnt throughout the process. Whether you represent an organisation that is trying to automate their GRC tasks, and consolidate their governance, risk, assurance and compliance data, or a provider trying to offer modern services, this session should help save you time and money. Even if you are at an advanced stage of your GRC modernisation journey, discussions could enrich your experience, or you may have some lessons to share.

In your security architecture quest have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions often have an answer that ultimately resolves to the response, “it depends”. This is because most of the time it is true, the answer to your question/problem depends on your situation and what you are trying to achieve. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is often in knowing which part of the methodology to use, and where to start with the situation you are in.

In this session attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching, and applying the SABSA methodology. Any SABSA Master’s in attendance at COSAC will be welcome and encouraged to participate as they are available. Input from attendees will essentially build the agenda for the conversation and we will attempt to cover as many topics and questions as possible. Of course in the “COSAC way” there will be plenty of group debate and interaction, and no shortage of experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.

The Victorian Protective Data Security Framework (VPDSF) is a beast. It’s not just a simple moon, it’s a fully operational space station with all the bells and whistles. All Victorian public sector organisations must report to our Information Commissioner, every two years, on its compliance and maturity against the VPDSF.

Across its 12 standards and 95 elements, it really provides a window into an organisation’s internal operating environment and demonstrates clearly how seriously (or otherwise) organisations are taking information security. It’s like a tractor beam, pulling in several disciplines and there’s literally nowhere to hide. As I audit these firms, I walk a fine line between a Darth Vader compliance approach, and a Yoda-like helpfulness in really unpacking how they need to approach the VPDSF, to understand what it could do for them.

This paper will demonstrate how, by taking the VPDSF seriously, organisations can chart a course that protects them from being abandoned on the outer rim of information security governance, and instead could take them to the stratosphere in terms of compliance and maturity.

The COSAC "rump" has for many years been a hugely popular closing session to COSAC. Now, returning to APAC, is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

• - Electronic submission: Send email to the rump session chair David Lynas at [email protected]
• - Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 28th February.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.