KARMA is a system for rating a system's ability to avoid negative outcomes by scoring a limited number of key attributes. The system is based on subject-matter expert (SME) knowledge of the particular system being rated, and its goal is to find the attributes that most predict negative outcomes in the real world. Analogs already exist in industries like:
In these fields it's possible to learn a relatively small number of things about a system, person, or situation and then make informed decisions about how likely that system is to have an undesirable outcome, e.g., premature death, an insurance payout, or a loan default.
The goal of the KARMA system is to do the same for information security as it pertains to other types of systems. These include security program components such as vulnerability management, insider threat, etc., as well as system components such as applications, operating systems, etc. This talk will give an overview of how KARMA can be used in an environment to provide a more accurate view of real-world risk, i.e., knowing your actual attacker-based risk instead of your compliance with arbitrary standards.