CanSecWest 2024
Presentations
From March 20 to 22
Applying Physical Discipline to Cybersecurity Challenges
Cybersecurity has failed to learn from the physical world. More and more attacks have real-world consequences, including shutting down pipelines and casinos. This talk explains how Failure Mode and Effects Analysis (FMEA), a disciplined method for designing reliable and robust systems and processes, can be applied to cybersecurity. FMEA complements and goes beyond threat modeling and attack graphs by incorporating the probability of detection into the risk equation.
As professionals, we were taught to calculate risk as probability times impact. While this was a good start, we now have expensive detection systems that need to be included in the risk equation. Luckily, FMEA already includes detection, so we can leverage something that has been around since WWII.
Both attackers and defenders will benefit from analyzing the probability that an attack is detected.