Since I first posted about my EnergySec class a year ago, it’s evolved quite a bit.  In that time the agenda and topics have evolved as well, so I thought I’d share the present content structure here.  Interested in coming? We only have one more this year, but more are coming next year and Im happy to do custom work in your town!  Check out the current outline here:

FRAMING THE SCOPE AND DISCIPLINE OF CYBERSECURITY:

Theory, Application, and Frameworks

 Problem Space Definition

  • Cybersecurity Scope & Ecosystem
    • What is “Cyber”?
    • Broad Stroke Scoping of Cybersecurity
      • Risks-To vs. Risks-From
      • Technology vs. Humans
      • Risk Response vs. Quality Management
      • Tactics vs. Strategy
      • Protection vs. Enablement
      • Default Handling vs. Error Handling
      • Doing It Once vs. Doing It Consistently
      • Predictable vs. Emergent State
      • Defending vs. Improving
      • Compliance vs. Efficacy
      • Fact vs. Perception
      • Virtual vs. Physical Space
    • A Parasitic Model of Cybersecurity
      • Value Competition
      • Shared Infrastructure
    • Adversaries
      • Shared Attributes
      • Complex Goals
      • Adversary Classification
      • Attack Mechanics and Architecture
      • “Exploitation Opportunities” & Kill Chains
  • State of the World
    • The Bear Has Eaten Us All
    • Demonstrative Real Life Scenarios
    • Bottom Line and Regaining Control
  • A Problem Space Framework
    • The Forest
    • Thesis
    • History
    • Role of InfoSec
    • Problem Spaces
      • Global
      • Body Politic
      • Business
      • Organizational
      • Individual
      • Nature of Risk

Skills Development 

  • Effective Structured Communication
    • Purpose of Frameworks
    • What is Communication?
    • Perspectives
    • Contexts
    • Lenses
    • Inverse Perspectives
    • Using Intersectionality
    • A House Analogy
    • Conceptual Communication Tools (Summary)
  • Intentional Framework Design
    • What are “Frameworks”?
    • Structure vs. Content
    • Structural Framework Design Principles
      • Labels
      • Relationships (Ontologies)
      • Transformations
      • Modularization & Abstraction
      • Lensing
      • Life-cycles
  • Modeling Exposure
    • How is Exposure Generated?
    • New Concept: “Vulnerability Introduction Point Decisions” (VIP’s)
    • Modeling Vulnerability Introduction Point Decision Trees
    • Comprehensive Model of How Organizations can Introduce Vulnerability
    • Threat Modeling Using VIP’s
    • Technical Threat Modeling Translated to Full System Threat Modeling
  • Increasing Decision Making Capacity
    • REAL Defense in Depth
    • Creating a Defense in Depth Kill Zone
    • The Problem with Likelihood: Supply Chains
    • Kill Zone Management Concepts
      • Success Criteria help define
      • Metrics which apply
      • Levers to create
      • Control Specifications that use
      • Convergence of
      • Parenthetical levels of security to manage the
      • Dissonance of human systems 

Solution Approaches

  • A Framework for Organizing Solutions
    • Environment
    • “How Exposure is Created” & “How Exposure is Exploited”
    • Exposure Management Goals
    • “Exposure Management Approaches” & “Exploitation Handling Approaches”
    • “Exposure Mgt Efficacy Testing” & “Exploitation Mgt Efficacy Testing”
  • Integrating Existing Frameworks
    • Background Definitions
      • Risk Management
      • Capabilities
    • Existing Framework Information
      • NIST CSF
      • ES-C2M2
      • NERC CIP

Workshops

  • Framework Structure Design
  • Framework Use for Control Specification
  • Pivoting between Risk and Compliance with an ICE