For 2022, the COSAC Forum presents a room full of industrial strength, battle-hardened, reality-grounded information security veterans. They’ve seen it all, done it all, fixed it all, coped with it all and didn’t even need to get the t-shirt. Of course, you’re one of them. And like the others, you’re always learning, willing to listen to and learn from others who’ve encountered things you might not have, not too shy about sharing strategies and techniques, and committed to our strange and very necessary profession.

This full-day immersion in the COSAC way features a moderator, an ancient, grizzled if not very knowledgeable security veteran himself, who describes some actual recent events or publication or prediction or analysis of security-related activity, then comes up with a question or two about associated issues. But the real stars of the session are the participants. A described event or publication might engender wildly divergent reactions from attending professionals who experienced a similar event, but had different constraints or objectives or working tools or eventual outcomes. The moderator might prod an attendee for their take, but more likely, he’ll try to avoid getting in the way, thus allowing participants to illuminate topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room. And nobody charges consulting fees.

Join us and help solve the information security problems of the world.

In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are aseasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. Each year we incorporate feedback from past attendees in order to enhance the experience and keep the scenarios interesting and applicable to real life!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in a ways that most effectively meet the client’s needs. Each year winners have proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client in order to deliver architectural guidance that will address their problems. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedInPage congratulating them on their achievement! Other spot prizes maybe awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design-off workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

It has been suggested that we are on the verge of a digital “cold war” but recent events show that such a prospect introduces new characteristics: cyberwar is not limited to the nations in conflict, it involves hacker groups, civilians with personal computing power, corporations in third countries, digital influencers, and a battle of the algorithms to create bias and misinformation.

But what does that mean for us, for corporations, for Information Security leaders? What can we anticipate happening? How should we plan and respond? This COSAC Full-Day MasterClass examines the subject in detail and from multiple perspectives.

A look back and discussion of the most news worth cyber events over the last couple of years and a look forward to what we can anticipate in a digital cold war through the lens of history and the events in Georgia.

Threat modeling and trust relationships are important tools to use with analyzing disinformation.  Trust relationships provide lessons learned that can be applied to other domains, such as military, cyber, information, public health and economic.  Trust solutions are often binary, but in reality trust is often fuzzy, cross-spectrum and can be visualized with a color spectrum.  In this session we explore various aspects of disinformation and current events in considerations of topics, including the Ukraine/Russian conflict and privacy considerations.  The Ukraine conflict offers a unique recent event to have an interactive discussion of disinformation, cyber attacks, information warfare, and the weaponization of fear.

Disinformation stories often have a grain of truth.  Part of the problem with handling disinformation is that even smart people can be fooled and that does not make them less good or credible.  The landscape of disinformation also encompasses group think, biases in algorithms and political bias. propaganda, spies and a lack of journalistic integrity.  Like many challenges with cybersecurity, disinformation is a very serious challenge that is used in nefarious ways by various political actors with various economic and geo political gains.  We will apply threat modeling and trust relationships to this and explore the challenges with disinformation and explore creative approaches to navigate disinformation and future considerations and approaches.   Disinformation is something that has been around for a long time, but made more difficult to detect with technological advancements and requires diligent understanding and analysis by diverse academic backgrounds that are part of the cyber security field of practitioners. 

Title and abstract by Esther Schagen-van Luit

The first real act of cyber war was the DDoS attacks on Estonia in 2007. Over the years we saw more aggressions. Georgia in 2008, Stuxnet in 2009, Saudi Aramco in 2012, Sony in 2014, Ukraine in 2015, NotPetya and Triton in 2017. NotPetya was a novel case as it harmed global organisations as collateral damage. New in this series are the cyber attacks to help Russian physical warfare in Ukraine. This time, involvement is not limited to the conflict countries. International hacker groups such as Anonymous picked a side. Organisations with off-shoring in Ukraine and Russia cut off their networks and people. Civilians from around the globe contributed by volunteering their laptops for DDoS attacks. This is the first time we've come close to a global cyber war. But how to respond?

This session sets out the elements of cyber warfare and uses the Russia-Ukraine conflict as a case study. We take the view of an entity in a third country with operations in both conflict countries. The presenter uses her experience of managing security for an international organization. Next to incident readiness and response, she provided advice on how to engage employees in conflict countries and answer client questions on the situation. She is therefore well-placed to provide an end-2-end security perspective. She will share insights on aspects of incident readiness she had not encountered before and lessons learned on IR preparation for similar future cases. Then the floor is open for the audience to share how their organizations responded to the Russia-Ukraine conflict and how they view the future of cyber warfare.

"The strong do what they can and the weak suffer what they must" -Thucydides, History of the Peloponnesian War,(431 BC),Chapter XVII

Beginning in March 2022 the world saw a broad array of Russian warfare techniques. Ukraine has been Russia's testbed for cyber, but unlike the 2008 invasion of Georgia, cyber attacks did not effectively accompany the initial militaryactivity. Why? And how doescyber align with Russia's strategy for escalation management, or intra-war deterrence, across the spectrum of conflict? What lessons have we learned about the conduct of cyberwar, and what are the implications for future conflicts whether or not they rise to the level of kinetic?What are the appropriate responses to avoid mutualdigital annihilation?What other nation states should we add to this discussionto better prepare for the future.

Pre-pandemic, the common model of work was primarily the on-site working model, where the remote working model was less common. During the pandemic however many organisations pivoted to embrace the remote working model in response to strict lockdown and mandated office closures. As we emerge from the pandemic, organisations are now operating variations of work models, ranging from fully onsite to fully remote. However many organizations now offer a combination of the two, where employees can work part of the time remote/part of the time on site, or where some employees can work onsite full-time while others work remotely full-time. This new model is referred to as the Hybrid Workplace Model (HWM). Instead of structuring work around desks in a physical office space, the HWM introduces a set of privacy challenges associated with data protection, consumer protection, child protection, employee health and safety, and many other pieces of legislation.

This session will share 10 key privacy challenges that this post-pandemic HWM introduces - such as the challenges associated with employee surveillance, health and safety, awareness training, auditing remote workspaces and auditing remote privacy practices.

Key Learning Outcomes:

• - An understanding of the key privacy challenges associated with the HWM
• - An overview of the possible ways to address those challenges
• - An understanding of how to build privacy into the culture of the hybrid workforce

The prominent security breach headlines recently - from SolarWinds to Log4j - have certainly brought a more intense awareness of 3rd Party Risk Management (TPRM) to just about everybody. However, despite a whole lot more attention, eyeballs and even money thrown at rapidly rolling out vendor solutions, it hasn’t really done much to find practical answers to the problem. In fact, according to a recent survey Ponemon of 600 IT professionals:

• Over 60% of them say the processes they use for conducting 3rd-party risk assessments aren’t effective;
• Over 50% of them say the assessments don’t really reflect their actual security posture; and
• Less than 8% of the assessments performed – with an average cost of $1.9 million per year – result in any kind of remedial action being taken.

Not only do these statistics paint a pretty bleak picture of the current “state of the art”, many of the vendor solutions supposedly addressing this problem are simply reducing the time and effort to perform the assessments. In fact, they're basically automating the same, traditional, ineffective approach.

In practice, the true state of TPRM in most organizations is a mess. And it’s a mess not because of the 3rd-parties themselves. It’s a mess because many organizations don’t treat TPRM as an integrated part of their overall cybersecurity program. Unfortunately, a lot of these issues aren’t really apparent until the organization is knee-deep in some kind of security problem-solving exercise, proving once again that security was involved far too late in the process.

In this session, I’m going to use the case study of a fairly common security problem to back into the limitations of the standard approach to TPRM used by many organizations. I’m then going to show how you can get out in front of the problem once and for all if you have the grit and determination required to fight a few organizational political battles and make sure that security is considered from an enterprise perspective for every business project.

Once we’ve exposed the common issues preventing effective integration of TPRM into security, and we’ve identified an architectural approach that can solve the problem, I’m then going to dive deeper into how supplier and 3rd-party risk management really works. Once there, you’ll discover why the way we often try to solve the problem will never really get the results our organizations need. When the full scope of the problem has been unearthed, I’ll present a better, architecture-driven approach to identify and manage your organization’s 3rd-party and supplier risk exposure.

Once we’ve exposed the common issues preventing effective integration of TPRM into security, and we’ve identified an architectural approach that can solve the problem, I’m then going to dive deeper into how supplier and 3rd-party risk management really works. Once there, you’ll discover why the way we often try to solve the problem will never really get the results our organizations need. When the full scope of the problem has been unearthed, I’ll present a better, architecture-driven approach to identify and manage your organization’s 3rd-party and supplier risk exposure.

Concepts such as digital twins and cyber—physical infrastructure (CPI) are receiving increasing attention, with promotional coverage in technology focussed media, accompanied by consultations and investment by governments. There is significant hype around these concepts with little discussion of what they represent in terms of functionality and any associated security risks. For example, the proposed interaction between physical entities and their digital twins presents significant security and safety challenges, with potential conflicts between the measures typically deployed by safety and security professionals.

This session will explore the functional components and conceptual architecture typically required to create a realistic digital representation of a physical entity. It will highlight how differing security and assurance practices may affect the integration of a physical entity with its digital twin, and their subsequent operation. Then, building on the functional and conceptual models, it will explore how SABSA may be used to engineer a safe and secure approach to the digitalisation of the physical world. This session may cause you to think differently about security risks associated with cyber-physical systems. It will provide a better understanding of the potential for unforeseen outcomes arising from adoption and integration of sometimes-immature digital technologies in our physical world.

Despite huge investments cyber security continues to hit the headlines for all the wrong reasons. Report after report claims that human fallibility contributes to most security incidents. Vendors tell you that your people are the weakest link, and then try to sell you some technology to fix the problem. Technology will not save you. People are not the weakest link; they’re involved in just about every link somehow.

“Ok,” you say, “we get it. We’ve got a mature security awareness programme, we’ve abandoned dull CBT, our training is engaging and gamified.” But you’ve reached a plateau with progress slowing to a crawl or stopping entirely. Whatever you do to increase knowledge and understanding, behaviour change stubbornly fails to materialise. Those strange people that don’t align to our expectations, that don’t behave correctly; they’re not irrational or uneducated, they just have different perspectives, and we’re working against them not with them.

In this session we’ll discuss security culture: what it is, how to find the one you already have, how to approach measuring it, the wider culture factors that influence it, and explore the gap between knowledge and behavioural norms.

This two-part presentation explores some unexpected impacts from the Russia / Ukraine conflict on global operations where vendors are moving to protect their assets first more quickly and the importance of including third-party risk management in organizational security architecture.

• When your vendor makes decisions that impact you and informs you later.
• The importance of actrively managing your third parties
• Why real backup plans matter – you can’t rely on “IT will fix it”
• How to build a third-party management program that actually manages your third-party risk

Highlights will include a global manufacturing company with office in Russia, Ukraine, and eastern Europe, a small manufacturer that is dependent on Russian suppliers, a biotech company with a heavy Russian developer population, and other real world examples.

Companies often ask us to improve their cyber security. Even more frequently, many of the organizations cannot answer the question of where they stand with their security today. Many of the organizations have grown in the past without architectural support and have not yet established an enterprise architect or security architects. Quite often, cyber is organized somewhere in the IT department and the various security domains with their experts and their respective tooling needs are very often located in distinct silos.

In this session I will report on how to introduce an enterprise security architecture (ESA) capability without all the relevant prerequisites, such as an architect position, already being in place in the company.

Our framework of cyber capabilities, which comprises domains, subdomains, and their capabilities, serves as the foundation. It encompasses domains such as Incident Recognition and Response and Security Orchestration, as well as the ESA domain. This framework is used to construct specific scenario reports swiftly and efficiently. These reports feature traditional maturity level representations, which help the organization to make well-informed decisions on the appropriate and further development of their ESA capabilities.

For the situational pictures, we methodically use classic architecture visualization patterns. Here I demonstrate what value classical EA tools add to the development of the ESA capability.

The session is interactive, and all the participants are invited to share their experiences concerning this topic.

This unique discussion will address the structural limits of artificial intelligence such as machine learning in comparison to human intelligence. We will also consider the dangers posed by overestimating these systems and the responsibilities of professionals and organizations to manage expectations for their performance and monitor their function.

This session is timely because of the accelerating use of AI systems to determine everything from who to employ to how to treat diseases. While these systems’ decisions have increasingly impactful consequences, scrutiny of their structure and inputs has lagged behind. AI processes are unintelligible to the average IT practitioner or citizen, so it is increasingly important that those with the background and experience to understand its hazards prevent misconceptions, correct misinformation, and ensure responsible use.

The approach will be to outline the current state and direction of artificial intelligence systems in comparison to their fleshy counterparts, suggest actions that individuals and groups can take to mitigate the risks that their operation and perceptions of their operation can pose, and open the floor for discussion of these topics.

The value of this session is in presenting a scientific comparison of the differences between artificial and human intelligence and using that comparison to determine risk and suggest next steps.

The past 2 years have seen several high-profile examples of where information technology products we have purchased have exposed our systems to bad actors. How do we get ahead of this? Is this even possible? We may hire SABSA Architects within our organizations, only to discover that the smaller (and larger!) companies have not exercised the same level of due diligence. This session consists of positing some ideas for getting ahead of these supply chain issues and discussing where they may be useful and their flaws in actual practice. Our environments are no longer inside our walls, or our systems in the cloud, but rather need to include those systems and processes we generally have regarded as external in the past.

The session will be interactive, visual, and use audio/video, props and interactive discussion to discuss an issue that is top of mind for many in 2022. This is a complex issue that will leverage the experienced minds of COSAC.

In the COSAC world, we talk a lot about the SABSA framework and how useful and flexible it is. While that is true, there’s an entire set of other concepts, structures, and practices that are required to build a functioning Enterprise Security Architecture practice.

In early 2021, Richard Morgan had the opportunity (and funding) to build, from the proverbial ground floor, an ESA practice for a Fortune 20 company.

This session will cover the conceptual basis and metamodels that underlie the practice and the practical aspects of operationalizing the capabilities, functions, and principles to create something new and innovative. The work included lots of training, many, many presentations, and the inevitable challenges and lessons learned in showing the value of security architecture work. And for the COSAC audience, we offer credit and thanks for the concepts and experience gleaned from the community since 2018.

As cyber security professionals, we see lots of issues all the time, but we have only limited time and resources to address them. By reporting we get exposure to executive leadership and therefore an opportunity to ask for resources, support, and prioritization. However, reporting is often limited to just a few slides a month. Futher more we can’t over ask, we can’t cry wolve to often and we can’t bring them problems management cannot solve.

Then what can we ask? How can we getexecutive leadership to support our plans, while all we have is 5 minutes and a few slides in the lime lite each quarter?

Those slides can be much more than just a table with the colours red, amber, and green. If you know your audience, you can make the presentation work for you. This to ensure your messages is delivered loud and clear.

In this talk, I dissect several strategies I use to push my agenda for support and buy in towards senior leadership. I’ll share what works for me and what doesn’t. I encourage participation of the attendees, to share their experiences, successes and failures, this in order to expand our collective knowledge.

Do we truly think like an adversary when we build threat models? Are we constrained by our own box of rational thought and outcomes, unable to understand the “irrational actor’s” motives, tactics or outcomes? Is our “rational” understanding one of the key reasons we often fail to model the next obvious vulnerability our systems? We will explore the blind side of how we approach threat modeling and discuss methods we could use to uncover and explore the method of the Chaos Monkey.

• What are the reasons we often discount certain threats, methods, and outcomes as unreasonable, unlikely, or even crazy?
• Are we working with blinders, unable to understand systemic risk around us which may contribute to the motivation and outcome in our threat model?
• Do our countermeasures create opportunities?
• Can we truly understand how the adversaries’ objectives may be different from our perspective?
• How do we adapt to rapid changes in our understanding due to observed or experienced events?

The session will start by exploring what we know and what processes exist to help us unfold this difficult topic. We will then move into a group discussion where we will explore how we can leverage each other’s perspectives and ideas.

SABSA measures the impact of risk on attribute performance targets within a domain and we use these measures in decision support for our control objectives. This SABSA domain model paints a tropical canvas of business attributes isolated deep in a domain jungle with the where-abouts known only to the domain owner. Forging into this domain we might take care to draw upon multi-tiered attributes to describe how risk is systemically transferred from one attribute to another - but can an attribute directly support another attribute or are we searching for the missing link in this view?

In this presentation I will detail all the missing elements needed to properly excavate a multi-tiered attribute view. I’ll demonstrate how systemic risk is really transferred between elements in a multi-tiered attribute view and how this missing link is actually part of the powerhouse that drives the implementation of SABSA in the real world. Attendees will emerge from this domain jungle with a solid gold view of what the multi-tiered attributes view really represents and how it can be used to delegate risk successfully in your next expedition.

The stories we tell about Cyber security often fail to land with the wider community. It is difficult to share stories that allow the cyber risk and security advise to be shared with appropriate nuance and senstitivity. Too often we end up with “scare stories” and “disaster movie tropes and plotlines” that spread “Fear, Uncertainty and Doubt”. This makes it harder to share insights that resonate and have impact on customers. What can we learn from other story telling and narratology techniques to allow us to build communications that resonate more formally. This probably means shifting from some of the disaster and militaristic terminology to others that relate to public health and the way in which people work. This session will explore some of these issues and propose ways in which we could communicate using traditional story telling methods to get business leaders to understand the nuanced aspects of cyber risk and resilience.

This session introduces NIST’s (National Institute of Standards and Technology) newly released standard called Open Security Control Assessment Language or OSCAL.In this session we will survey the three layers and nine models that make the OSCAL standard.  This session will present and discuss examples of how OSCAL helps with defining security control catalogs, management of security profiles (or baselines), and definition of security plans.We will also examine how OSCAL can help to specify security assessment plans, capture assessment results, and help produce Plan of Actions & Milestones (POA&M) reports.

This session will provide hands-on insight into how OSCAL is used and helps to integrate standards and provide opportunities for security control management automation. This session wraps-up with Q&A and a thought-provoking discussion about this new standard and the opportunities it presents.

Agile methodology is driving how businesses innovate, develop products and services, and take them to market. Hyper-personalization is the key ingredient in this recipe that is called success. Security is having a hard time, playing a perpetual game of catch-up and perceived as the blocker for doing business by increasing costs and overcomplicating almost everything it touches. It is essential that security, trust and transparency are adopted as CORE business values at the very top of the organization and is deeply embedded into the DNA of the business through an uncompromising cultural shift that will allow all employees throughout the business to make wise decisions about security.

In this talk we will look at the importance of effecting large-scale cultural change to allow our beneficiaries to use the architectural artefacts that we create for them for the benefit of the business and how SABSA can help us achieve this monumental task.

Ransomware attacks, outages, general failure of your products – how much thought is going into your communications to your customers? Is it fully vetted by your legal counsel – and you aren’t making statements that are untrue or incomplete? How critical is timing? This session addresses the need for establishing a communication protocol in advance and walks through some of the good, the bad and ugly from past incidents. Takeaways will be ideas on what to include, what to avoid, how quickly to communicate and making crisis communication a critical part of your incident response.

“Perfect is the enemy of the good” is usually interpreted in the workplace to mean “better done than perfect”.  But what is good enough in cybersecurity?  Considering the NCSC’s recent blog post on Not perfect, but better, we will explore the arguments and counterarguments for better security.

This new and timely presentation focuses on the gap in guidance for new CISO’s. Current information focuses on the first 90 or 100 days in large organizations where the CISO role is well established or where the CISO is coming in after a breach or other serious cyber security incident.

This is focused on those small and medium sized organizations that do not have the budgets and controls in place that are assumed by the vendors and consultants creating these guides.

This presentation focuses on using an approach using SABSA and layering in controls based on business needs, then gradually growing information security focusing on leveraging SABSA for new projects and the highest risk areas within Information Security itself. This allows the CISO to address the most egregious risks while establishing or reestablishing a security program where information security has been a checkbox driven by vendor promises or compliance requirements.

IT and Information security have in many ways failed everyday users as well as smaller and medium size businesses creating tools that are complex and expensive. This session’s value is in providing guidance that helps new CISO’s, and any small or medium sized business that hires them, to succeed.

On 24 February 2020 Terence Michael Whall was found guilty by a unanimous verdict of the murder of 74-year-old pensioner Gerald Corrigan, who was shot outside his rural home in Anglesey on Good Friday 2019.

Whall thought he had committed the perfect murder, there was no forensic evidence, no direct eye witness to the shooting and no one saw him travelling to and from the murder scene.

During the trial the jury heard evidence of telematics data provided by Jaguar Land Rover showing the location of a suspect vehicle the day before when Whall was reconnoitring the scene of the crime, the boot being opened at 23:11:04 and closed 39 seconds later when he removed the murder weapon.

Evidence provided by Sky proved that Mr Corrigan’s satellite TV system was present at 00:08 at his home on the night he was murdered, at 00:28 he stopped a pre-recorded programme and the satellite signal was no longer present. When he went outside to investigate the problem, he was shot dead.

Again, telematics provided valuable evidence of vehicle movement, the opening and closing of the boot following the murder and Whall making his escape from the scene.

It is a credit to the hard work of those prosecuting this case that they were able to retrieve a body of critical evidence and present it clearly to the jury during the five-week trial.

To many people it was a revelation that such levels of technical data were transmitted to third party companies routinely and without their understanding of the full scale of the activity.

In this talk we will focus on how this example is only one of many instances of such data transfers. In new work we will detail how malicious actors might take advantage of an emerging standardised environment for vehicle to vehicle and vehicle to infrastructure communications to undermine efforts to monitor their activities.

End of 2019 I decided to change my career from the world of mainly digital products in a worldwide financial company to a world of fast moving consumer goods, BEER. Over the past 2 years I have seen some interesting parallels and differences between these two worlds.

The session will explain how a beer company is changing from an offline traditional brewery to a modern connected brewery. We will focus on two aspect (and then mainly on the security aspects) of this transition. We will expand on the IT in the physical world, the so called Operational Technology (OT) or Process Control Domain (PCD). The breweries and warehouses are built to last for a long time and the IT components are never designed with security in mind. This leads to some interesting challenges in both threats to these OT components but also to threats to the physical world that is controlled with these OT components.

The other aspect of the transition to the connected brewer is the fast amounts of data that is collected for analytics in order to improve all parts of the “from barley to bar” processes. This includes the collection of weather data at the farmers to predict raw material quality to the collection of temperature and pressure data in customer installations to control the quality of the beer for the consumers.

The session will conclude with some personal reflections on the security and control aspects of both worlds and where it will become clear that both worlds can learn from each other.

At RSA in 2022, key privacy leaders from Apple, Google, and LinkedIn concurred that privacy and security are set to join environmental, social, and governance (ESG) as important criteria that consumers use to determine if an organizations values align with their own, and investors use to determine the financial health and sustainability of the organization. However what does privacy as an ESG look like and how can we address it as privacy leaders? The speaker has investigated this rather nascent phenomenon for a number of years, and in this discussion presents an insight into the potential influence that privacy as an ESG may have on both consumer and organizational outcomes and discusses a brief outline of the different types of privacy activities associated with ESG.

This paper is about the journey, along a long and winding road, of the evolution of an organization. This organization has security as one of the main business drivers, which has enabled it to be the birthplace of SABSA, but also allowed a very large number of security controls and policies to be put in place such that over the years no one remembered exactly what purpose they actually served. Over the last decade, several steps have been taken to rationalize this situation, the most recent of which again focused on a control framework aligned with ISO 27002, linked to security risks on the classical CIA triad. The question of “Well, how will we report to our executives on how this effort brings value to the organization?” was the catalyst to ensure this control rationalization would be business driven after all, supporting an enterprise risk and opportunity strategy – and sneaking in SABSA concepts without formally calling it entreprise security architecture.

Managing security is human activity impacted by various conflicting interests. These interests can be well justified from the point of view of the person representing them, and often the decision maker does not have a well defined formula to resolve the equation. But security practitioners are obliged to take a position and make decisions –often based on incomplete information and under pressure from different interested parties.

There are various situations in which this difficulty of decision-making manifests itself and the different points of view must be considered: security vs. privacy, trust vs. assurance, threat prevention vs. detection and correction of consequences, carrot vs. stick as motivator, detailed rules vs. principles and problem solving methods ...

The above mentioned situations have something in common –decision must be made between alternatives which both may be justified and the solution cannot be found in the black andwhite scaleor in a detailed rule book. What is the guide in this kind of decision making challenge?

The answer is in the values –personal or organizational. In this session we will study the topic of value-based decision making applied to security management problems. The session participants are challenged by presenting some problems loaded with conflicting interests and by asking them to participate in resolving them.

This timely discussion centers on the structural incentives of social media to allow misinformation to circulate on their platforms. Companies such as Facebook (Meta), YouTube and Twitter have long complained there is no way for them to effectively fight bots or misinformation, yet bot activity significantly decreased when Russian accounts were cut off after the invasion of Ukraine. This demonstrates that there are steps these companies can take if given sufficient incentive.

The problem is that the profit incentive of social media companies is diametrically opposed to some of their mission statements.The success of a social media platform is determined by engagement, whether that engagement is positive or negative. Engagement is easier using the tactics of disinformation. Showing people information that they will react to emotionally increases activity and profits for these corporations, regardless of whether the information is true or not.

This session will be unique in its scientific perspective on misinformation geared specifically toward security professionals. Our approach will be to examine the competing incentives of social media companies and discuss how the scales might be tipped in favor of accurate information. The value of our discussion will come from providing ways to leverage positive engagement and other tools to improve the culture of the internet landscape.

Within most modern organisations data and underpinning services are at the heart of business operations. Increasing attacks on systems to obtain data force business leaders to choose how best to protect these assets. What drives these choices? Do leaders understand security risk relative to other business risks?

At the Office for National Statistics we collect process huge amounts of data – commercial, personal, business, intellectual. Our point in collecting this data is to give it to people to look at, link, match and analyse – it’s what we do as a business. Our security measures are based on the value of the data and the relative risk of access and processing. Can these decisions really reflect risk appetite – the choices that the business have made about the assets it values and how it wants to protect these assets?

This session is a debate about risk appetite using the ONS approach that has emerged. It strongly links what the business care about to the security measures actually implemented, directed by what appetite we’ve all signed up to.

It features a lot of challenges, tests where risk ownership really sits in an organisation but shows positive possibilities from trying to making risk appetite work in a complex environment as a meaningful driver for security. Ultimately it presents a series of hard-won lessons from ONS that bring security and business more closely together, highlights some hard discussions, necessary business trade offs and what risk acceptance means in practice for security measures and mitigations.

This timely presentation addresses the escalation seen in ransomware (wiperware) tied to the Russian Federation, uniquely framed by an experienced hospital system CISO. Healthcare is currently one of the top three sectors being targeted, and healthcare systems are particularly susceptible because basic security controls are not in place within highly integrated systems with limited funds and manufacturers still sell systems with obsolete operating systems.

Organizations are being advised to spend resources on ransomware tabletop exercises, technology solutions, security awareness training, memberships in organizations, and specific technology controls to protect them from ransomware. Recommendations from the FBI include “be[ing] a cautious and conscientious computer user,” implying that the average user is not being conscientious if they fall victim to ransomware.

The approach of this presentation is to discuss the different strategies that should be used in healthcare while providing patient care and finding innovative treatments and cures, with complex systems that are constantly changing. Participants will have the opportunity to challenge or build on these strategies, which can also be leveraged in other business verticals.

The value in this discussion is that it will leverage SABSA to focus on the business requirements to determine which controls help meet the business objectives.

For hundreds of years in times of unrest the people would use demonstrations, angry mobs, flyers, petitions and sometimes revolutions or civil wars as instruments to try and influence current affairs. In the 21st century these are still viable options, however most of these now have digital equivalents and our interconnected lives actually create a lot of new ones as well. We see, social media campaigns, doxing, hacktivism, misinformation, dog whistles and foreign involvement in active elections amongst others.

Some of these are easily spotted, while others are more covert. During this session we will review the current techniques, trends, and impacts. With op to date knowledge, we can educate ourselves, our colleagues, and our families to try and minimize any negative impact to our personal lives, businesses, and society.

Therefore, during this talk we will dive into the most used and most successful digital activism techniques, and we will explore:

• How do they work, how are they used and by whom?
• How successful are they?
• What’s the impact on this on society? Is it ethical?
• Are we aware of the impact this digital activism has on us personally?
• Can you prepare to prevent or counter these actions?
• If you use these actions yourself, what would be the risk associated?

Despite the ever-increasing investment in cyber security, organisations are still struggling to architect an effective, integrated approach to cyber risk management and reporting. More often than not decision makers have to rely on poorly structured reports which are skewed towards technical jargon and as such fail to convey an accurate or consistent articulation of the risk exposure.

This presentation will cover the common pitfalls of attempting cyber risk quantification, even in mature end-client environments, in an attempt to frame the problem and identify its main root causes. It will then move to introduce a more architecture-focused approach on how to build an integrated single data model that encapsulates the security fabric and holds everything together as an interdependent network of nodes. The structure of the data model with its various layers of abstraction, provides a reliable fact base to support effective decision making. Most importantly, it breaks away from the siloed mentality and the disconnected thinking it usually fosters, puts the emphasis on what is materially important and communicates the most essential information for a complete risk profile.

This is a novel and unique discussion on who we hire and how we manage from the perspectives of both neuroscience and information security. Debunking prevalent Human Resource and Information Security thought leadership and training materials, this presentation addresses how many are adversely impacting the credibility of their presentations, themselves, and the profession by using a misinterpretation and misunderstanding of how the brain works.

Utilizing the false concept of “left-” and “right-brained thinkers” and other myths about brain differences to explain how we think and decide influences perceptions and detracts from otherwise accurate information and can skew materials to make them entirely incorrect. By establishing a faulty knowledge foundation, this impairs the ability of information security professionals to create appropriate defenses for malicious hacking attempts including hiring and managing diverse teams well-equipped to tackle problems.

The value in this session is providing information from current brain science to use in hiring and managing, including addressing gender bias. This discussion is timely as social engineering, human resource, and behavior experts are spreading misinformation. The approach of this session provides opportunities to challenge and give input while imparting attainable science on the real brain and the importance of diversity.

Since October of last year (2021) when Facebook changed the name of the parent company to Meta, we have heard the word Meta and Metavers a lot. For the first time, this talk wants to review all the vulnerabilities that threaten users and infrastructure owners at different layers.

In general, Metavers is a full-scale digital life experience. This talk will cover all possible attack vectors that threaten Metaverse infrastructure as well as users. I will starting with vulnerabilities in common layers like specific flaws in libraries, basic classes and so on. Then I’ll go one step forward to component layer which I think is very interesting; because we will deep dive into P2P network, database, transaction verification module. “Model Layer” will be the next stop in the session to demonstrate potential vulnerabilities on Ledger and Account which are two main modules in this layer. In addition in “Service Layer” , HTTP/query/subscription services will be under attack which is the most part of Metaverse architecture as they are connecting blockchain core node servers to human-machine interface using APIs, Json RPC and WebSocket. The final section will be dedicated to endpoint clients like browser based attacks and sophisticated attacks on mobile clients. In this talk I will emphasis on both security risks and technical flaws in Metavers from zero to hero. All adversary scenarios will be based on MITRE ATT&CK and vulnerabilities complies both OWASP (Top10, ASVS, MASVS) and NIST standards.

The NIST Cybersecurity Framework (CSF) continues to be one of the de-facto global framework for representing the collection of information security policies, processes and controls for an organization to reduce and manage the risk of cybersecurity threats. Although the NIST CSF is widely adopted, it still lacks some of the elements deemed essential for a comprehensive program to effectively manage all of the business risk facing the organization. That is why many industry, regulatory and other organizations have addressed several shortcomings of the NIST CSF to augment the framework with additional components to fill in the missing pieces. In this session we will review the current state of NIST CSF development, how it has been adapted to a variety of requirements and is positioned to be continually leveraged for expanding adoption.

During COSAC 26, a session was presented to introduce the SABSA Enhanced NIST CSF (SENC) project to apply the SABSA method and thinking to provide a business risk driven foundation to augment the framework of processes, practices and controls defined by the framework for the benefit of the SABSA community. One of the elements to enhance the framework is to apply business attribute profiling to ensure the business risks are well considered and used to manage the risk, and the overall effectiveness of the security program. Too often, the application of the NIST CSF gets a bit lost in the processes, technologies and controls while losing sight of the business value and risks involved.

We will outline some of the interesting issues and challenges in applying SABSA to a framework and the winding path for progress. The session will provide some insight into the problems that the NIST CSF is solving and the benefit that SABSA brings to solve a larger problem. We will conclude with example content from the deliverables of the SENC project and what will be available to the SABSA community.

Your hard work is paying off. You have a successful career and are progressing in the field of cybersecurity or privacy (or both). But there is something standing between you and the next level of achievement. According to Marshall Goldsmith, author of the renowned book ‘What Got You Here Wont Get You There’, that something may just be one of your own annoying habits. Perhaps one small flaw - a behaviour you barely even recognise - is the only thing that's keeping you from where you want to be. It may be that the very characteristic that got you where you are - like the drive to win at all costs - is what's holding you back. Goldsmith explains how you can reach your full potential by eliminating 21 harmful work behaviors. He argues that while engaging in these behaviors may not have stopped you from getting “here”—to your current level of success—they won’t get you “there”—to the heights of success that you ultimately aspire to. For each behaviour – Marshall suggests a healthier choice that may more positively influence ‘getting there’.

In this talk, I present those 21 harmful work behaviours that may negatively influence ‘getting there’ (many of these behaviours actually positively influence ‘getting here’) and discuss Marshall’s recommended healthier choices.

In 2021, Gucci sold a digital version of its Dionysus handbag on the Roblox gaming platform for $4,115, more than the price tag of the physical bag. K-POP supergroup BTS broke the record for the largest paid virtual concert with numbers peaking at 756,000 viewers, which pales in comparison to a Travis Scott virtual concert, held in partnership with Fortnite, that had 12.3 million unique attendees.

In this talk we will be exploring what this means for architecting tomorrow’s continuum securely and how we can start preparing ourselves now for what is to come in the world of virtual and augmented reality. We will discuss the security impacts of full stack programmability, the use of cyber ranges and digital twins in attack simulation and recovery, and of course the importance of how, now more than ever, security needs to be seen as a property of everything else.

Since a means of expressing the security concepts in standard Enterprise Architecture modelling notation was first proposed at COSAC 2018, a great deal of progress has been made: a Working Group has developed, enriched and extended the original White Paper with the collective wisdom and experience of SABSA practitioners, the Security Overlay has been defined as a schema and the approach has been made accessible through webinars, presentations and this year, as a SABSA Training course with basic tool support.

While COSAC 2018-21 has traced the emergence of security modelling as an technique, its early-stage technical readiness meant that conference sessions were limited to discussion of concepts, ideas, possibilities and envisioned benefits based on small scale, proof of concept ‘laboratory models’.

For the first time, we expect to be able to present feedback from the application of this technique at scale in real-world case studies with an honest appraisal of where modelling delivered technical & business benefit, scenarios that were challenging or thought-provoking and where the technique might be headed in light of this experience.

At the time of CfP, the contracts for this work are just being signed with projects set for completion in the summer – so fresh content to be unveiled for the first time at COSAC. In addition to presenting the projects from the security architect’s perspective, we hope to be joined via video-link by a client representative who can present, and answer questions, from the customer viewpoint.

The value to the conference will not only be an awareness of an emerging technology but to stimulate a better understanding of what is increasingly possible, based on what is already being achieved.

The title of Security Architect is used often in many different ways. As a result, people's interpretation of the role varies, leading to many different issues across the industry and within organisations.

You just need to look at job descriptions on any job board to realise that no two definitions are the same.

"So what?" you say, what does it matter?

Well, let’s start with education and recruitment. How does one become an architect if the industry doesn't know what an architect is? And how does an architecture hiring manager know that they are hiring the right people?

More significantly, it can lead to architecture being misunderstood, undervalued or completely ignored. When architects can't clearly describe who we are and what we do, then how will business leaders understand the purpose and value of security architecture in their organisations? As a result, architects are often expected to perform roles that don't actually add value to the architecture. And in turn, the architecture fails to meet business expectations and becomes undervalued and under-invested, sometimes leading to the collapse of the architecture function.

Within this session, we will break down common architecture definitions and misconceptions, explore the constraints this problem presents, and explore how we, as architects, can start fixing the problem. The journey will begin in our own organisations, but we need to explore how to address the issue across industry and education. Ultimately, the aim is to be better at explaining what we do and why it matters to the business.

This session will take a look at the threat quantum computing poses to encryption algorithms. Based on the concepts of Shor’s algorithm, quantum computers should be able to rapidly compromise current encryption algorithmic solutions putting massive quantities of data at risk of breach. However, the threat itself is pretty well defined, though rarely explained. For example, the threat posed by Shor’s algorithm is contained to asymmetric algorithms and does not extend to symmetric algorithms. This is still a major threat however, it demonstrates the need to take an open and honest look at what quantum computing can do in the near term rather than fear the unknown unknowns of quantum technologies.

This presentation will look at strategies for employing both pre- and post-quantum algorithms to address encryption across a notional enterprise. It will discuss the current state of quantum-resistant algorithms, examine how emerging processes and technologies in quantum random number generation, key management, and deployment can and should be addressed by organizations over the next 5-7 years.

I had a brilliant 2019 having embarked on a spiritual pilgrimage walking the Camino in Spain and my intellectual pilgrimage to Ireland but like many of us my follow up experience in 2020 was less than ideal and I came out of that year needing to take stock of my general health and wellbeing.

It is a shared observation of my colleagues, that as we approach retirement, we look back at the last years of our careers to realise too late that we have worked harder, worked longer hours, taken less time for ourselves, managed very stressful jobs and feel like we are about to collapse, exhausted, over the finish line at the end of a marathon.

We have, to a certain extent, let ourselves go and we are no longer the fit young 30 somethings we used to be as we enter the next phase of our lives. Not the greatest when we now have the time to engage and enjoy the good things in life.

In this vein, and following 2020, I sort of undertook a personal health and wellbeing journey in 2021 with the aim of being "retirement fit". I took a haphazard approach and by the end of the year I realised three things:

Firstly, this is not a one-year project – it is going to be an ongoing iterative process.

Secondly, a structured approach to this project (health and wellbeing) should deliver better and more consistent results; and

Thirdly, many of my younger colleagues (those thirty and forty somethings) who are falling into the ‘Working Harder, Working Longer, and Not Looking after themselves’ category might be able to benefit from this structured approach.

So, heading into 2022 I have applied SABSA to my health and wellbeing project to see if that will deliver long term sustainable outcomes.

This presentation uses SABSA as framework for health and well-being and presents the fundamentals of SABSA in a non-security and non-IT context.

The COSAC “rump” has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives.

Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

• Electronic submission: Send email to the rump session chair David Lynas at [email protected]

• Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday

5th October.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

This interactive session puts participants in the middle of the legal dilemmas and uncertainties of cyberwar and the application of International Humanitarian Law (IHL) or the Law of Armed Conflict.A very basic primer on IHL based on the International Committee of the Red Cross fundamentals will be presented in the first half the class.

During the second half of the session hypothetical and/or historical vignettes of cyberspace operations will be presented. This may include denial of service attacks on the power grid and health resources as well as phishing and intelligence operations aimed at commercial entities. Other targets and techniques may be used as well.

Charges in the form of potential IHL violations will be developed based on the scenario. Participants will be selected to portray prosecution, defense and a jury. Each side will be allowed to present a 5 minute opening and closing argument. Once these are completed, the jury will render a verdict.

An open Forum will be held to discuss the trial(s) and identify key issues.

They’ve had enough. They just get used to one environment and some SOB changes it. And we security geeks want to add change to the change. No wonder they growl at us. Complex, ever-evolving work environments turn communities of competent, veteran users into fumbling rookies who make new-guy mistakes, some of which impact security. Organizational restructuring is almost a constant. People still resist change, make mistakes, painstakingly follow bad security practices and get socially engineered. And bad guys find creative ways to defeat our newest, most sophisticated security measures.

We’ll give guidance for coping with human foibles, complexity and change in securing our vital assets.

Part 1 – Securing the semi-predictable humans – Phishing, really automated social engineering, has been an element in almost every Ransomware event and a multitude of other egregious breaches. We’ll examine why social engineering works so well on our employees, on all humans, for that matter. We’ll give suggestions for shoring up this most vital link in our security chain.

Part 2 – Securing the ever-changing organization – Change agents that can seriously affect security are gaining traction everywhere. Massive organizations are making their own rules and privacy decisions, at least until governments levy gargantuan fines. Mergers, acquisitions, divestitures, downsizing in many forms, even internal reorganizations can bring danger. We’ll identify areas of security focus and give recommendations for minimizing security incidents and effects in the midst of the upheaval.

In your security architecture quest have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions often have an answer that ultimately resolves to the response, “it depends”. This is because most of the time it is true, the answer to your question/problem depends on your situation and what you are trying to achieve. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is often in knowing which part of the methodology to use, and where to start with the situation you are in.

In this session attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching, and applying the SABSA methodology. Any SABSA Masters in attendance at COSAC will be welcome and encouraged to participate as they are available. Input from attendees will essentially build the agenda for the conversation and we will attempt to cover as many topics and questions as possible. Of course in the “COSAC way” there will be plenty of group debate and interaction, and no shortage of experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.

At COSAC 2022 we will organise the SABSA World Forum meeting. We hope you will attend while you are there at COSAC.

During the Forum session, we would like to hear your opinion about what the future may hold for SABSA, what can be done, what should be done, for the members, for the Institute, and for SABSA as the framework, and methodology.

If you have any suggestions or ideas to put on the agenda, let us know beforehand.

The SABSA World Forum meeting will be held at COSAC on Thursday October 6 from 1.30pm to 3.30pm.

Looking forward to seeing you there.