SIRAcon 2026
@jabenninghoff
SIRAcon 2026 wrapped up 2 weeks ago, and as always, it was worth the trip! This year included a bonus - the conference started the day after Patriots' Day, which gave me the opportunity to fly out a day early and watch the Boston Marathon, which was great fun and quite the event!
The talks were all recorded, and available for attendees on cvent for a few weeks, and in the SIRA Members Area after that.
Highlights
The talks this year that stood out to me included:
- Tony Martin-Vegue’s keynote, which (finally) named two different types of risk I’ve been thinking about for some time: Aleatory uncertainty (randomness) and Epistemic uncertainty (lack of knowledge). This distinction helps understand how we can gain leverage over each type: statistics and math for aleatory uncertainty, and research and evidence for epistemic uncertainty.
- Stephen Shaffer previewed the Exploit Vector Incident Loss (EVIL) Model, which is used to inform vulnerability investment decisions (do I patch a higher EPSS CVE on 50 servers, update signatures across 24,500 workstations, or patch a low EPSS CVE across those 24,500 workstations?)
- Josh Marker gave a fun talk on dimensional analysis - something I haven’t done since high school, yet he convinced me it’s still useful!
- Jim Lipkis spoke about measuring the risk of rare events using the Cost of Capital - I found this quite interesting, and am planning to revisit my own analysis on the value of cybersecurity risk reduction using Jim's approach.
- Finally, one of the students, Chelsea Conard, presented her work on the Cyber Incident Severity Score (CISS), designed to help governments prioritize critical infrastructure security incidents, which takes into account not just financial impact but also individual and operational impact. It’s good to see other researchers looking into the larger social impact of cyber incidents!
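To make the aleatory/epistemic split from the keynote concrete, here is an added example (my own illustration, not from the keynote or the SIRA materials) that assumes a Gamma-Poisson model of annual incident counts: the Poisson variance at the estimated rate is the aleatory part, and the extra variance from not knowing the rate is the epistemic part, which shrinks as more years of evidence are gathered while the aleatory part does not.

```python
"""Aleatory vs. epistemic uncertainty in annual incident counts.

Assumed model (an illustration, not the keynote's method):
  incidents per year ~ Poisson(lam), lam unknown with a Gamma(a, b) prior.
  After `years` observed years with `total` incidents the posterior is
  Gamma(a + total, b + years).  Next year's predictive variance splits into
    aleatory  = lam_hat                (randomness at the estimated rate)
    epistemic = lam_hat / (b + years)  (not knowing the rate itself)
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class UncertaintySplit:
    lam_hat: float        # posterior mean of the annual incident rate
    aleatory_var: float   # variance you cannot remove with more data
    epistemic_var: float  # variance you can remove with more evidence

    @property
    def total_var(self) -> float:
        return self.aleatory_var + self.epistemic_var

    @property
    def epistemic_share(self) -> float:
        return self.epistemic_var / self.total_var


def split_uncertainty(total_incidents: int, years: int,
                      prior_shape: float = 1.0, prior_rate: float = 1.0) -> UncertaintySplit:
    """Posterior mean of the rate and the aleatory/epistemic variance split."""
    shape = prior_shape + total_incidents
    rate = prior_rate + years
    lam_hat = shape / rate
    return UncertaintySplit(lam_hat, lam_hat, lam_hat / rate)


def split_from_history(yearly_counts: list[int], **prior) -> UncertaintySplit:
    """Same split, computed from a list of per-year incident counts."""
    return split_uncertainty(sum(yearly_counts), len(yearly_counts), **prior)


def years_needed(target_share: float, prior_rate: float = 1.0) -> int:
    """Years of evidence needed to push the epistemic share below target_share.

    epistemic_share = 1 / (prior_rate + years + 1), independent of the counts,
    so only more years of observation (evidence) can shrink it.
    """
    return max(0, ceil(1.0 / target_share - 1.0 - prior_rate))


if __name__ == "__main__":
    history = [1, 3, 2, 2, 4, 1, 3, 2]  # constructed sample: 8 years of counts
    r = split_from_history(history)
    print(f"rate~{r.lam_hat:.2f}  aleatory={r.aleatory_var:.2f}  "
          f"epistemic={r.epistemic_var:.2f}  share={r.epistemic_share:.0%}")
```

Doubling the history leaves the aleatory variance at roughly the same level but halves the epistemic share, which is the leverage the keynote attributes to research and evidence.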
My own talk, What can we learn from cybersecurity warnings?, was well received. I had fun presenting both safety and cybersecurity warnings, and was happy to get some additional examples from other attendees that I used when I presented at Minnebar 20!
Slides
You can download handouts from my talk with full speaker’s notes and references, and links to all of my work can be found at https://jbenninghoff.com.
Abstract
Security warnings are a risk communication intended to help users make better decisions and improve security performance. This talk covers examples of good and bad warnings, the factors that lead to better outcomes, and how those lessons can be used in a broader risk practice.