Information Security And Risk Management: Program Structure And Value Add
Agenda

This discussion will follow this agenda:
- What is risk analysis and what is it supposed to do?
- What does it tell you and what does it not tell you?
- Why are there so many seemingly different "frameworks"?
- Is one better than another?
- Implementation of risk management as a "cultural" aspect in the organization

Areas Covered
- The Essence of Risk Analysis and Risk Management
  - Examples of Risk Management Frameworks
    - NIST RMF
    - FAIR
    - ISACA IT Risk
  - Similarities and Differences
  - How to evaluate, how to choose
  - Program Development: Evolution, not Revolution
  - Remediation Strategy: making informed mitigation choices
- The Risk Analysis Process and its greater business value

Who Should Attend
CISOs, CPOs, legal counsel, IT management, operations officers, compliance officers, privacy officers, and security officers.

Why Should You Attend
What factors should be considered? How do you choose the appropriate framework when the available ones vary widely from very qualitative to highly quantitative? What really is the difference between these two types? Is there really a difference between them, and why does it matter? How do I explain the methodology, calculations, and results to a non-cybersecurity audience? These and other commonly asked questions will be addressed during this seminar.

Topic Background
The idea of basing cybersecurity program actions on an analysis of the various risks faced by an organization has been around for decades. Over time it has evolved and matured in its structure and approach. Analytical methods have emerged to define and structure the elements and interactions that are germane. Two basic questions remain: how to choose which method suits a given context, and how to overcome the natural resistance to accepting results from a process that is often criticized for its perceived uncertainty when used to drive cybersecurity mitigation strategy.