Chcon2025

Mastering Risk Assessment: From Guesswork to Data-Driven Security Decisions
2025-10-29, Jade Software Corporation

In security, poor risk assessment leads to wasted resources or catastrophic breaches. Traditional frameworks like NIST RMF and FAIR help—but often fail to address human biases, vague "High/Medium/Low" ratings, and misaligned priorities. This 3.5-hour workshop equips security specialists with calibrated estimation techniques to quantify risks more accurately. Through hands-on exercises, case studies, and probabilistic thinking, you’ll learn to move beyond guesswork, communicate risks effectively, and make data-driven security decisions. Leave with practical tools to answer critical questions: How likely is this threat? What’s the real impact? Where should we invest first?

Key Takeaways:
✔️ Fix overconfidence and cognitive biases in risk assessment
✔️ Apply calibration methods for sharper estimates
✔️ Justify security decisions with clearer, evidence-based reasoning


  1. Introduction
    - Why risk assessment is the backbone of security strategy
    - Common pitfalls: Overconfidence, vague estimates, and misaligned priorities
    - The cost of poor risk estimation: Wasted resources vs. catastrophic breaches

  2. The State of Risk Assessment
    - Overview of existing approaches (ISO 27005, NIST RMF, FAIR, OCTAVE)
    - Key challenges:
        - Qualitative vs. quantitative—when each fails
        - "High/Medium/Low" risks—why they’re often meaningless
        - Cognitive biases in risk estimation (anchoring, over-optimism, groupthink)

  3. A Better Way: Calibrated Risk Estimation
    - Introducing probabilistic thinking in security
    - The concept of calibration: Why some people are better estimators
    - Hands-on calibration exercises:
        - Estimating likelihoods of security events (breaches, insider threats)
        - Learning to express uncertainty with confidence intervals

  4. Applying Calibration to Real Security Decisions
    - Case studies:
        - Prioritizing patches vs. investing in detection
        - Evaluating ROI on security controls
    - Group exercise: Assessing a fictional company’s risks with calibrated estimates

  5. Making Better Security Decisions
    - How to communicate risks effectively to stakeholders
    - Moving from "gut feeling" to evidence-based decisions
    - Tools & techniques to improve risk assessment over time

  6. Q&A + Wrap-Up
    - Key takeaways
    - Further learning resources
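The calibration exercises in section 3 score an estimator's 90% confidence intervals and probability forecasts against outcomes that later became known. The script below is an added illustration of that scoring and is not material from the workshop or its presenter; every question, interval, forecast and "true" value in it is constructed for the example, and the two-standard-deviation threshold used to label an estimator as overconfident is an assumption chosen here, not a rule from the page.

```python
# Calibration scoring for security risk estimates.
# Added example, not from the workshop: scores an estimator's 90% intervals and
# probability forecasts against known outcomes, as a calibration quiz does.
# All questions, intervals, forecasts and "true" values are constructed.
from __future__ import annotations
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class IntervalEstimate:
    """A 90% interval the estimator gave, plus the value that turned out true."""
    question: str
    low: float
    high: float
    truth: float

    def hit(self) -> bool:
        return self.low <= self.truth <= self.high


@dataclass(frozen=True)
class ProbabilityEstimate:
    """A probability the estimator assigned to an event, plus whether it happened."""
    event: str
    forecast: float  # 0.0 .. 1.0
    occurred: bool


def interval_hit_rate(estimates: list[IntervalEstimate]) -> float:
    """Fraction of intervals that contained the true value. A calibrated 90%
    estimator lands near 0.9; a rate well below that signals overconfidence."""
    return sum(e.hit() for e in estimates) / len(estimates)


def interval_verdict(estimates: list[IntervalEstimate], confidence: float = 0.9) -> str:
    """Compare the hit count with the binomial(n, confidence) expectation via a
    normal approximation. The +/-2 standard deviation cut-off is an assumption
    for this example; it is crude for small n but fine for a quiz-sized set."""
    n = len(estimates)
    hits = sum(e.hit() for e in estimates)
    expected = confidence * n
    sd = sqrt(n * confidence * (1 - confidence))
    z = (hits - expected) / sd
    if z < -2:
        return "overconfident"
    if z > 2:
        return "underconfident"
    return "calibrated"


def brier_score(estimates: list[ProbabilityEstimate]) -> float:
    """Mean squared error between forecast probability and the 0/1 outcome.
    0 is perfect; always answering 50% scores exactly 0.25."""
    return sum((e.forecast - float(e.occurred)) ** 2 for e in estimates) / len(estimates)


def reliability_table(estimates: list[ProbabilityEstimate],
                      bins=(0.0, 0.25, 0.5, 0.75, 1.0)) -> list[tuple]:
    """Bucket forecasts and compare the mean forecast with the observed frequency
    in each bucket: (lo, hi, count, mean_forecast, observed_frequency)."""
    rows = []
    for lo, hi in zip(bins, bins[1:]):
        in_bin = [e for e in estimates
                  if lo <= e.forecast < hi or (hi == 1.0 and e.forecast == 1.0)]
        if in_bin:
            mean_fc = sum(e.forecast for e in in_bin) / len(in_bin)
            freq = sum(e.occurred for e in in_bin) / len(in_bin)
            rows.append((lo, hi, len(in_bin), round(mean_fc, 3), round(freq, 3)))
    return rows


# Constructed quiz answers from one hypothetical estimator (6 of 10 hits).
INTERVALS = [
    IntervalEstimate("Phishing simulation click rate, last quarter (%)", 3, 8, 11),
    IntervalEstimate("Critical-severity CVEs published last year", 3000, 6000, 4200),
    IntervalEstimate("Median days to patch a critical finding", 10, 30, 21),
    IntervalEstimate("Endpoints with EDR installed (%)", 90, 99, 84),
    IntervalEstimate("Failed VPN logins per day (thousands)", 1, 5, 2),
    IntervalEstimate("Third-party vendors with production access", 5, 15, 32),
    IntervalEstimate("Hours of outage in the last DNS incident", 1, 4, 2.5),
    IntervalEstimate("Staff with overdue security training (%)", 5, 20, 12),
    IntervalEstimate("Dormant admin accounts found in last audit", 0, 5, 14),
    IntervalEstimate("Mean time to detect in last tabletop (hours)", 4, 24, 6),
]

# Constructed one-year forecasts and what actually happened.
FORECASTS = [
    ProbabilityEstimate("Ransomware incident at a peer organisation", 0.9, True),
    ProbabilityEstimate("Critical RCE in our main web framework", 0.8, True),
    ProbabilityEstimate("Insider data exfiltration detected", 0.7, False),
    ProbabilityEstimate("Cloud misconfiguration found by external scanner", 0.6, True),
    ProbabilityEstimate("Successful MFA bypass", 0.3, False),
    ProbabilityEstimate("Lost unencrypted laptop", 0.2, True),
    ProbabilityEstimate("DDoS exceeding mitigation capacity", 0.1, False),
    ProbabilityEstimate("Vendor breach affecting our data", 0.5, False),
]


if __name__ == "__main__":
    print(f"90% interval hit rate: {interval_hit_rate(INTERVALS):.2f} -> {interval_verdict(INTERVALS)}")
    print(f"Brier score: {brier_score(FORECASTS):.4f} (0.25 = always saying 50%)")
    for lo, hi, n, fc, freq in reliability_table(FORECASTS):
        print(f"  forecasts in [{lo:.2f}, {hi:.2f}): n={n} mean={fc} observed={freq}")
```

Run over the constructed answers, the estimator's 90% intervals contain the truth only 60% of the time, which the verdict flags as overconfident; the same person's probability forecasts score a Brier value a little better than coin-flipping, and the reliability table shows where they are miscalibrated (events they rated around 60% happened about a third of the time). Tracking these numbers over repeated exercises is what lets a team see whether its estimates are improving.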

Workshop Takeaways:
✅ Better Estimation Skills – Avoid common biases and quantify risks more accurately.
✅ Data-Driven Decisions – Justify security investments with clearer reasoning.
✅ Stronger Communication – Explain risks in a way executives and teams understand.

Why Attend?
Most risk frameworks fall short because they don’t address human judgment errors. This workshop gives you practical tools to assess risks more objectively and make smarter security choices.

Anna Lezhikova is a cyber security consultant based in Wellington, New Zealand. She combines her experience in sociology, business management, communications, and IT to help companies to run and grow their business securely in the digital age. Armed with a Master's degree in Sociology, an MBA, and a Diploma in Machine Learning and Artificial Intelligence, Anna's expertise is fortified by practical know-how as a full-stack and DevSecOps engineer. This unique blend equips her with the capability to see problems from different perspectives and come up with holistic solutions.