Threat matrices are essential to providing an accurate assessment of organizational risk. They serve as a vehicle for creating and analyzing the attack scenarios that an organization is most likely to face. They also provide defenders with a “heat map” to inform and guide remediation efforts when resources are limited. Despite these numerous benefits, threat matrices are often criticized for inaccuracies and for a lack of meaningfulness in the data they present. The inaccuracies typically stem from a lack of standardized key metrics; as a result, the risk ratings for the attack scenarios within the matrix appear to be the product of seemingly random quantifiers. In this presentation, we will cover overt and covert methods for assessing risk and a new, free, and open-source application, Enter The Matrix (ETM), for creating, analyzing, and rating attacker scenarios.