Information Safety

Improving technology through lessons from safety.

Secure360 2025

· @jabenninghoff

Secure360 2025 was last week, and I have to say that it was the best one I’ve attended in years!

I got something from each of the sessions I attended. The highlights for me included:

  • A pre-conference session, Encrypted Chaos, a realistic breach simulation where participants took on unfamiliar roles (Legal, HR, Communications, etc.) that showed how organizations (not the security team) need to make decisions and take action during a (cybersecurity) crisis.
  • Jay Jacob’s presentation on Five years of EPSS, the Exploit Prediction Scoring System, and lessons Jay learned from studying vulnerabilities and exploitation data.
  • Not one but two presentations by the FBI, one on the takedown of the Genesis marketplace, and the other a career retrospective from Special Agent Liz Lehrkamp, who worked in cyber crimes (among other assignments) and was an early advocate for community partnership with law enforcement.
  • Two regional representatives from my new favorite government agency, CISA, the Cybersecurity and Infrastructure Security Agency shared the numerous free (taxpayer-funded) resources that CISA has available.

The last session of the conference (for me) was my talk, Getting started with risk quantification using quantrr. We had over 50 attendees, which isn’t bad considering the subject and the time slot. I demoed the latest version of quantrr, which was first presented at SIRAcon 2024. I had great engagement, and the session ran the full hour, most of which was an interactive review of the sample report. A few people expressed their interest in trying out the tool, which has inspired me to work on adding code to support comparison of baseline risk against one or more treatments, which is needed to calculate return on investment. Look for a new release soon!

Slides

My slides with notes, including references, are here. Links to all my work are available at https://jbenninghoff.com.

Session Description

Cyber Risk Quantification (CRQ) is a proven method for helping organizations make better decisions about security investments by summarizing expert knowledge, but getting started can be difficult. Commercial tools are expensive, and free tools have usage restrictions and can be difficult to use. quantrr, a free and open source tool, was created to help people with limited time and no budget get started with CRQ. This talk shows how to forecast risk using expert estimates and Monte Carlo simulation through an interactive demonstration in quantrr using a realistic example scenario, the 30 year old Widget Management System. It covers getting better estimates from experts, modeling loss frequency and magnitude from public breach data, and the critical question to uncover new risks. We close with practical advice from early successes and misses quantifying risk.

Participants are welcome to download and install quantrr and follow along with the session! Instructions can be found at: https://jabenninghoff.github.io/quantrr/.