Carl S. Young
Managing Director and Chief Security Officer
Stroz Friedberg, LLC, New York, NY USA

Carl S. Young, Managing Director and Chief Security Officer at Stroz Friedberg, is a noted security risk consultant and leader in applying science and analytic methods to security risk management.  Prior to joining Stroz Friedberg, Mr. Young was a Vice President at Goldman Sachs in New York and London for ten years where he served as the global head of physical security technology.  Prior to his career at Goldman Sachs, Mr. Young was a Senior Executive and Supervisory Special Agent at the Federal Bureau of Investigation for fifteen years.  He was responsible for developing and deploying sophisticated technologies and managing sensitive national security programs.  Mr. Young also served as a consultant to the JASON Defense Advisory Group where he developed technical security solutions for a variety of government sponsors.  Mr. Young currently instructs on security technology and risk management as an adjunct professor in the Department of Protection Management at the John Jay College of Criminal Justice (CUNY) in New York.  He has published numerous papers in scientific journals on a variety of security-related topics, and is the author of the well-known text, Metrics and Methods for Security Risk Management (Syngress 2010).  Mr. Young holds undergraduate and graduate degrees in mathematics and physics from the Massachusetts Institute of Technology (MIT).

Mr. Young will discuss “Measuring Security Risk (or How I Learned to Love Fear and Uncertainty).”

Security is an inherently defensive discipline that is driven by the existence of threats.  The lack of a statistically significant number of security incidents can complicate accurate measurements of risk. Security professionals have an ongoing need to measure the risk associated with threats, yet basic risk measurement techniques have historically been elusive.  The problem is compounded by confusion over the basic definitions of threat and risk as well as a limited awareness of relevant statistical and scientific principles.  This talk focuses on clarifying the key features of threats and security risk as well as the role of science in facilitating security risk measurements.  For example, certain threats are physical in nature and therefore lend themselves to models that obey physical laws and therefore affect vulnerability.  Moreover, statistical distributions are applicable to randomly occurring incidents and can be used to predict likelihood, but with an inherent level of uncertainty.  Surprisingly, these distributions have also been used to characterize the vulnerability component of risk.  In addition, email traffic over networks has been modeled statistically, which can yield insights into the risk of virus propagation.  The talk is geared toward non-technical types, and security examples from the “real world” are used to illustrate significant points.