Security Risk Management

Security Risk Management, 1st Edition

Building an Information Security Risk Management Program from the Ground Up

Security Risk Management, 1st Edition,Evan Wheeler,ISBN9781597496155






235 X 191

The definitive guide for building or running an information security risk management program.

Print Book + eBook

USD 59.94
USD 99.90

Buy both together and save 40%

Print Book


In Stock

Estimated Delivery Time
USD 49.95

eBook Overview

VST (VitalSource Bookshelf) format

PDF format

USD 49.95
Add to Cart

Key Features

  • Named a 2011 Best Governance and ISMS Book by InfoSec Reviews
  • Includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment
  • Explores each phase of the risk management lifecycle, focusing on policies and assessment processes that should be used to properly assess and mitigate risk
  • Presents a roadmap for designing and implementing a security risk management program


The goal of Security Risk Management is to teach you practical techniques that will be used on a daily basis, while also explaining the fundamentals so you understand the rationale behind these practices. Security professionals often fall into the trap of telling the business that they need to fix something, but they can’t explain why. This book will help you to break free from the so-called "best practices" argument by articulating risk exposures in business terms. You will learn techniques for how to perform risk assessments for new IT projects, how to efficiently manage daily risk activities, and how to qualify the current risk level for presentation to executive level management. While other books focus entirely on risk analysis methods, this is the first comprehensive guide for managing security risks.


CISOs, Security Managers, IT Managers, Security Consultants, IT Auditors, Security Analysts, and Students in Information Security/Assurance college programs

Evan Wheeler

Evan Wheeler currently is a Director of Information Security for Omgeo (A DTCC | Thomson Reuters Company), an instructor at both Clark and Northeastern Universities, and the author of the Information Security Risk Management course for the SANS Institute. Previously he spent six years as a Security Consultant for the U.S. Department of Defense.

Affiliations and Expertise

currently is a Director of Information Security for Omgeo (A DTCC | Thomson Reuters Company), an instructor at both Clark and Northeastern Universities, and the author of the Information Security Risk Management course for the SANS Institute. Previously he spent six years as a Security Consultant for the U.S. Department of Defense.

Security Risk Management, 1st Edition

Part I - Introduction to Risk Management
Chapter 1. The Security Evolution
How We Got Here
A Risk Focused Future
Information Security Fundamentals
The Death of Information Security

Chapter 2. Risky Business
Applying Risk Management to Information Security
Business Driven Security Program
Security as an Investment
Qualitative vs. Quantitative

Chapter 3. The Risk Management Lifecycle
Stages of the Risk Management Lifecycle
Business Impact Assessment
A Vulnerability Assessment Is Not A Risk Assessment
Making Risk Decisions
Mitigation Planning & Long-term Strategy
Process Ownership

Part II - Risk Assessment and Analysis Techniques

Chapter 4. Risk Profiling
How Risk Sensitivity is Measured
Asking the Right Questions
Assessing Risk Appetite

Chapter 5. Formulating a Risk
Breaking Down a Risk
Who or What is the Threat?

Chapter 6. Risk Exposure Factors
Qualitative Risk Measures

Chapter 7. Security Controls & Services
Fundamental Security Services
Recommended Controls

Chapter 8. Risk Evaluation & Mitigation Strategies
Risk Evaluation
Risk Mitigation Planning
Policy Exceptions and Risk Acceptance

Chapter 9. Reports & Consulting
Risk Management Artifacts
A Consultant’s Perspective
Writing Audit Responses

Chapter 10. Risk Assessment Techniques
Operational Assessments
Project-based Assessments
Third-Party Assessments

Part III - Building and Running a Risk Management Program

Chapter 11. Threat & Vulnerability Management
Building Blocks
Threat Identification
An Efficient Workflow
The FAIR Approach

Chapter 12. Security Risk Reviews
Assessing the State of Compliance
Implementing a Process
Process Optimization: A Review of Key Points
The NIST Approach

Chapter 13. A Blueprint for Security
Risk in the Development Lifecycle
Security Architecture
Patterns & Baselines
Architectural Risk Analysis

Chapter 14. Building a Program from Scratch
Designing a Risk Program
Prerequisites for a Risk Management Program
Risk at the Enterprise Level
Linking the Program Components
Program Roadmap

Appendix A. Security Risk Profile
Appendix B. Risk Models and Scales
Appendix C - Architectural Risk Analysis Reference Tables


















Quotes and reviews

"Evan Wheeler has developed a much needed new approach to the field of security risk management. Readers familiar with this field of study will find that it does what he says he wants it to do: shake the old risk paradigms out of their roots and plant something fresh and useful today."--Dennis Treece, Colonel, US Army (Retired)/Chief Security Officer, Massachusetts Port Authority-Boston

"Wheeler’s book is predominantly a practitioner’s guide to security risk management but can also be used as a teaching text to help engineers, students of security, information assurance, or information systems more broadly. The key message that Wheeler is emphasizing is that risk is at the core of security, and at the heart of every business. Despite that the book lacks key referencing from academic literature, it can still be used as the basis for setting a large-scale team assignment on devising a risk management program from the ground up for a real organisation. Security professionals in banks will particularly find the book relevant."--Computers and Security

"This book is packed with practical?tips and the information contained throughout provides a good overview of the subject matter. The author explains the fundamentals of risk identification, assessment and management, exploring the differences between a vulnerability assessment and a risk assessment, and also providing rationales behind each of the subjects covered. This is not a technical book and the author generally avoids detailed technical analysis; rather it is an aide-memoir for Security Risk Management. …his book is recommended, in particular, for those beginning a career in Risk Management. It also provides a useful reference for current risk professionals who perhaps could benefit from a book that helps refine and further improve their current skillset."--Best Governance and ISMS Books in InfoSecReviews Book Awards

"Evan Wheeler’s book, Security Risk Management, provides security and business continuity practitioners with the ability to thoroughly plan and build a solid security risk management program. The buzz words that are used throughout the corporate risk management industry today are often misused or overused. Wheeler breaks down such terms, translating them for the reader and articulating how they apply to a security risk management program. He believes risk managers should consider banning the term "best practices" from their vocabulary; he doesn’t think one size fits all when creating a security risk management program… Building an information security risk management program from the ground up is a monumental task that requires various business units to react and adopt change to move a business forward. This book provides valuable information for security, IT, and business continuity professionals on creating such a program."--Security Management

Free Shipping
Shop with Confidence

Free Shipping around the world
▪ Broad range of products
▪ 30 days return policy

Contact Us