Michael Brown

Risk: It’s not just a game from Parker Brothers

As IT Security professionals we know very well the threats and vulnerabilities that affect our clients. But we seldom present this to executives in a form that they understand: RISK. Risk is something that businesses do understand, and it is how we should be communicating issues to them, yet many IT Security professionals don’t understand the concepts of IT risk.

In this session, we will go over a couple of basic frameworks for risk management (ISO 27005/31010 and NIST 800-30R1). We will review the ideas of identifying risk, conducting a risk assessment, and determining the responses to risk. Many of the concepts of risk (appetite, tolerance, register, transfer, avoid, mitigate, accept) will be explained. We will also do a high-level overview of the major risk management frameworks: OCTAVE, FAIR, NIST 800-37. A review of further resources (books, training, etc.) will be provided.

At the end of this session, attendees will come away with a better understanding of the basics of risk, and be on their way to articulating it to their employers or clients.


Michael Brown has been involved with IT for over 20 years, more than half of that in information security. Moving from security admin to global security architect, he has been working for the last few years as an IT security consultant, working with clients to implement information security management systems as well as performing security risk assessments, gap analyses, and developing policies and procedures.