Eva Kuiper, Enterprise Security Services, GRC Consultant, Hewlett Packard Enterprise

A risk assessment should not just end with a known risk state; it should be seen as an opportunity to provide input to business cost decisions. This presentation will show how applying a quantitative risk assessment methodology such as Open FAIR can provide business knowledge that can be used to prioritize security spending. We will review the Open FAIR taxonomy and standard from The Open Group and provide some examples of using Open FAIR to explore control remediation options that improve control effectiveness, while providing the rationale needed for cost justification.