You are previewing Measuring and Managing Information Risk.
O'Reilly logo
Measuring and Managing Information Risk

Book Description

Using the factor analysis of information risk (FAIR) methodology developed over ten years and adopted by corporations worldwide, Measuring and Managing Information Risk provides a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity. Intended for organizations that need to either build a risk management program from the ground up or strengthen an existing one, this book provides a unique and fresh perspective on how to do a basic quantitative risk analysis. Covering such key areas as risk theory, risk calculation, scenario modeling, and communicating risk within the organization, Measuring and Managing Information Risk helps managers make better business decisions by understanding their organizational risk.



  • Uses factor analysis of information risk (FAIR) as a methodology for measuring and managing risk in any organization.
  • Carefully balances theory with practical applicability and relevant stories of successful implementation.
  • Includes examples from a wide variety of businesses and situations presented in an accessible writing style.

Table of Contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Acknowledgments by Jack Jones
  6. About the Authors
  7. Preface by Jack Jones
  8. Preface by Jack Freund
  9. Chapter 1. Introduction
    1. How much risk?
    2. The bald tire
    3. Assumptions
    4. Terminology
    5. The bald tire metaphor
    6. Risk analysis vs risk assessment
    7. Evaluating risk analysis methods
    8. Risk analysis limitations
    9. Warning—learning how to think about risk just may change your professional life
    10. Using this book
  10. Chapter 2. Basic Risk Concepts
    1. Possibility versus probability
    2. Prediction
    3. Subjectivity versus objectivity
    4. Precision versus accuracy
  11. Chapter 3. The FAIR Risk Ontology
    1. Decomposing risk
    2. Loss event frequency
    3. Threat event frequency
    4. Contact frequency
    5. Probability of action
    6. Vulnerability
    7. Threat capability
    8. Difficulty
    9. Loss magnitude
    10. Primary loss magnitude
    11. Secondary risk
    12. Secondary loss event frequency
    13. Secondary loss magnitude
    14. Ontological flexibility
  12. Chapter 4. FAIR Terminology
    1. Risk terminology
    2. Threat
    3. Threat community
    4. Threat profiling
    5. Vulnerability event
    6. Primary and secondary stakeholders
    7. Loss flow
    8. Forms of loss
  13. Chapter 5. Measurement
    1. Measurement as reduction in uncertainty
    2. Measurement as expressions of uncertainty
    3. But we don’t have enough data…and neither does anyone else
    4. Calibration
    5. Equivalent bet test
  14. Chapter 6. Analysis Process
    1. The tools necessary to apply the FAIR risk model
    2. How to apply the FAIR risk model
    3. Process flow
    4. Scenario building
    5. The analysis scope
    6. Expert estimation and PERT
    7. Monte Carlo engine
    8. Levels of abstraction
  15. Chapter 7. Interpreting Results
    1. What do these numbers mean? (How to interpret FAIR results)
    2. Understanding the results table
    3. Vulnerability
    4. Percentiles
    5. Understanding the histogram
    6. Understanding the scatter plot
    7. Qualitative scales
    8. Heatmaps
    9. Splitting heatmaps
    10. Splitting by organization
    11. Splitting by loss type
    12. Special risk conditions
    13. Unstable conditions
    14. Fragile conditions
    15. Troubleshooting results
  16. Chapter 8. Risk Analysis Examples
    1. Overview
    2. Inappropriate access privileges
    3. Privileged insider/snooping/confidentiality
    4. Privileged insider/malicious/confidentiality
    5. Cyber criminal/malicious/confidentiality
    6. Unencrypted internal network traffic
    7. Privileged insider/confidentiality
    8. Nonprivileged insider/malicious
    9. Cyber criminal/malicious
    10. Website denial of service
    11. Analysis
    12. Basic attacker/availability
  17. Chapter 9. Thinking about Risk Scenarios Using FAIR
    1. The boyfriend
    2. Security vulnerabilities
    3. Web application risk
    4. Contractors
    5. Production data in test environments
    6. Password security
    7. Basic Risk Analysis
    8. Project prioritization
    9. Smart compliance
    10. Going into business
    11. Chapter summary
  18. Chapter 10. Common Mistakes
    1. Mistake categories
    2. Checking results
    3. Scoping
    4. Data
    5. Variable confusion
    6. Mistaking TEF for LEF
    7. Mistaking response loss for productivity loss
    8. Confusing secondary loss with primary loss
    9. Confusing reputation damage with Competitive Advantage loss
    10. Vulnerability analysis
  19. Chapter 11. Controls
    1. Overview
    2. High-level control categories
    3. Asset-level controls
    4. Variance controls
    5. Decision-making controls
    6. Control wrap up
  20. Chapter 12. Risk Management
    1. Common questions
    2. What we mean by “risk management”
    3. Decisions, decisions
    4. Solution selection
    5. A systems view of risk management
  21. Chapter 13. Information Security Metrics
    1. Current state of affairs
    2. Metric value proposition
    3. Beginning with the end in mind
    4. Missed opportunities
  22. Chapter 14. Implementing Risk Management
    1. Overview
    2. A FAIR-based risk management maturity model
    3. Governance, risks, and compliance
    4. Risk frameworks
    5. Root cause analysis
    6. Third-party risk
    7. Ethics
    8. In closing
  23. Index