
2019-038-Deveeshree_Nayak-risk_analysis, and OWASP WIA

From BrakeSec Education Podcast



Length:
77 minutes
Released:
Oct 30, 2019
Format:
Podcast episode

Description

OWASP WIA - https://www.youtube.com/watch?v=umnt0qbOPsE
https://www.owasp.org/index.php/Women_In_AppSec
OWASP Women in AppSec Twitter: 2013_Nayak (reach and ask to be added)
https://www.tagnw.org/events/

Risk in Infosec

Risk - a situation which involves extreme danger and extensive amount of unrecovered loss
  What about risks that are positive in nature? PMP calls them 'opportunities'

Risk Analysis - systemic examination of the components and characteristics of risk

Analysis Steps -
  Understanding and Assessment
    Understand there is a risk
    What if a company does not have security standards?
  Identification
    Identify and categorize risk -
      Informational risk
      Network risk
      Hardware risk
      Software risk
      Environment risk?
      https://en.wikipedia.org/wiki/Routine_activity_theory
    Scope of risk analysis?
    Threat modeling to find risks?
      https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling
    SWOT (strength/weakness/opportunities/threats) analysis will discover risks?
    Risk analysis methodologies?
      https://www.project-risk-manager.com/blog/qualitative-risk-techniques/
      https://securityscorecard.com/blog/it-security-risk-assessment-methodology
      https://en.wikipedia.org/wiki/Probabilistic_risk_assessment
      https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration
  Estimation
    Chance that risk will occur (once a decade, once a week)
    Design controls to remediate
  Implementation
    Risk assessment is a combined approach
    Combined approach for a risk analysis
      You mentioned a lot of people, what's the scope?
      How do you do the risk assessment? Framework?
  Evaluation
    Evaluation approach
      Like an agile approach
    Provides an informed conclusion
    Report must be clear (no jargon)
  Decision Making

Examples to Reduce Risk
  Training and education
    what kind of testing? Annual Security training?
  Publishing policies
  Agreement with organization
    BAA with 3rd parties
  Timely testing -

Titles in the series (100)

A podcast all about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.