book

Measuring and Managing Information Risk

by Jack Freund, Jack Jones

August 2014

Intermediate to advanced

408 pages

14h 1m

English

Butterworth-Heinemann

Read now

Unlock full access

Cover image
Title page
Table of Contents
Copyright
Acknowledgments by Jack Jones
About the Authors
Preface by Jack Jones
Preface by Jack Freund
Chapter 1. Introduction
How much risk?The bald tireAssumptionsTerminologyThe bald tire metaphorRisk analysis vs risk assessmentEvaluating risk analysis methodsRisk analysis limitationsWarning—learning how to think about risk just may change your professional lifeUsing this book
Chapter 2. Basic Risk Concepts
Possibility versus probabilityPredictionSubjectivity versus objectivityPrecision versus accuracy

Chapter 3. The FAIR Risk Ontology
Decomposing riskLoss event frequencyThreat event frequencyContact frequencyProbability of actionVulnerabilityThreat capabilityDifficultyLoss magnitudePrimary loss magnitudeSecondary riskSecondary loss event frequencySecondary loss magnitudeOntological flexibility
Chapter 4. FAIR Terminology
Risk terminologyThreatThreat communityThreat profilingVulnerability eventPrimary and secondary stakeholdersLoss flowForms of loss
Chapter 5. Measurement
Measurement as reduction in uncertaintyMeasurement as expressions of uncertaintyBut we don’t have enough data…and neither does anyone elseCalibrationEquivalent bet test
Chapter 6. Analysis Process
The tools necessary to apply the FAIR risk modelHow to apply the FAIR risk modelProcess flowScenario buildingThe analysis scopeExpert estimation and PERTMonte Carlo engineLevels of abstraction
Chapter 7. Interpreting Results
What do these numbers mean? (How to interpret FAIR results)Understanding the results tableVulnerabilityPercentilesUnderstanding the histogramUnderstanding the scatter plotQualitative scalesHeatmapsSplitting heatmapsSplitting by organizationSplitting by loss typeSpecial risk conditionsUnstable conditionsFragile conditionsTroubleshooting results
Chapter 8. Risk Analysis Examples
OverviewInappropriate access privilegesPrivileged insider/snooping/confidentialityPrivileged insider/malicious/confidentialityCyber criminal/malicious/confidentialityUnencrypted internal network trafficPrivileged insider/confidentialityNonprivileged insider/maliciousCyber criminal/maliciousWebsite denial of serviceAnalysisBasic attacker/availability
Chapter 9. Thinking about Risk Scenarios Using FAIR
The boyfriendSecurity vulnerabilitiesWeb application riskContractorsProduction data in test environmentsPassword securityBasic Risk AnalysisProject prioritizationSmart complianceGoing into businessChapter summary
Chapter 10. Common Mistakes
Mistake categoriesChecking resultsScopingDataVariable confusionMistaking TEF for LEFMistaking response loss for productivity lossConfusing secondary loss with primary lossConfusing reputation damage with Competitive Advantage lossVulnerability analysis
Chapter 11. Controls
OverviewHigh-level control categoriesAsset-level controlsVariance controlsDecision-making controlsControl wrap up
Chapter 12. Risk Management
Common questionsWhat we mean by “risk management”Decisions, decisionsSolution selectionA systems view of risk management
Chapter 13. Information Security Metrics
Current state of affairsMetric value propositionBeginning with the end in mindMissed opportunities
Chapter 14. Implementing Risk Management
OverviewA FAIR-based risk management maturity modelGovernance, risks, and complianceRisk frameworksRoot cause analysisThird-party riskEthicsIn closing
Index

Overview

Using the factor analysis of information risk (FAIR) methodology developed over ten years and adopted by corporations worldwide, Measuring and Managing Information Risk provides a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity. Intended for organizations that need to either build a risk management program from the ground up or strengthen an existing one, this book provides a unique and fresh perspective on how to do a basic quantitative risk analysis. Covering such key areas as risk theory, risk calculation, scenario modeling, and communicating risk within the organization, Measuring and Managing Information Risk helps managers make better business decisions by understanding their organizational risk.

Uses factor analysis of information risk (FAIR) as a methodology for measuring and managing risk in any organization.
Carefully balances theory with practical applicability and relevant stories of successful implementation.
Includes examples from a wide variety of businesses and situations presented in an accessible writing style.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

The Failure of Risk Management, 2nd Edition

Publisher Resources

ISBN: 9780124202313

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills