Save up to 30% on Elsevier print and eBooks with free shipping. No promo code needed.
Save up to 30% on print and eBooks.
Measuring and Managing Information Risk
A FAIR Approach
1st Edition - August 22, 2014
Authors: Jack Freund, Jack Jones
Language: English
Paperback ISBN:9780124202313
9 7 8 - 0 - 1 2 - 4 2 0 2 3 1 - 3
eBook ISBN:9780127999326
9 7 8 - 0 - 1 2 - 7 9 9 9 3 2 - 6
Using the factor analysis of information risk (FAIR) methodology developed over ten years and adopted by corporations worldwide, Measuring and Managing Information Risk provides…Read more
Purchase options
LIMITED OFFER
Save 50% on book bundles
Immediately download your ebook while waiting for your print delivery. No promo code is needed.
Using the factor analysis of information risk (FAIR) methodology developed over ten years and adopted by corporations worldwide, Measuring and Managing Information Risk provides a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity.
Intended for organizations that need to either build a risk management program from the ground up or strengthen an existing one, this book provides a unique and fresh perspective on how to do a basic quantitative risk analysis. Covering such key areas as risk theory, risk calculation, scenario modeling, and communicating risk within the organization, Measuring and Managing Information Risk helps managers make better business decisions by understanding their organizational risk.
Uses factor analysis of information risk (FAIR) as a methodology for measuring and managing risk in any organization.
Carefully balances theory with practical applicability and relevant stories of successful implementation.
Includes examples from a wide variety of businesses and situations presented in an accessible writing style.
Security and risk executives, directors, managers, and analysts; IT risk managers; information security professionals; students of OpenGroup’s FAIR Certified Risk Analyst Certification Exam; graduate business or IT students taking courses in risk management and IT security.
Acknowledgments by Jack Jones
About the Authors
Preface by Jack Jones
Preface by Jack Freund
Chapter 1. Introduction
How much risk?
The bald tire
Assumptions
Terminology
The bald tire metaphor
Risk analysis vs risk assessment
Evaluating risk analysis methods
Risk analysis limitations
Warning—learning how to think about risk just may change your professional life
Using this book
Chapter 2. Basic Risk Concepts
Possibility versus probability
Prediction
Subjectivity versus objectivity
Precision versus accuracy
Chapter 3. The FAIR Risk Ontology
Decomposing risk
Loss event frequency
Threat event frequency
Contact frequency
Probability of action
Vulnerability
Threat capability
Difficulty
Loss magnitude
Primary loss magnitude
Secondary risk
Secondary loss event frequency
Secondary loss magnitude
Ontological flexibility
Chapter 4. FAIR Terminology
Risk terminology
Threat
Threat community
Threat profiling
Vulnerability event
Primary and secondary stakeholders
Loss flow
Forms of loss
Chapter 5. Measurement
Measurement as reduction in uncertainty
Measurement as expressions of uncertainty
But we don’t have enough data…and neither does anyone else
Calibration
Equivalent bet test
Chapter 6. Analysis Process
The tools necessary to apply the FAIR risk model
How to apply the FAIR risk model
Process flow
Scenario building
The analysis scope
Expert estimation and PERT
Monte Carlo engine
Levels of abstraction
Chapter 7. Interpreting Results
What do these numbers mean? (How to interpret FAIR results)
Understanding the results table
Vulnerability
Percentiles
Understanding the histogram
Understanding the scatter plot
Qualitative scales
Heatmaps
Splitting heatmaps
Splitting by organization
Splitting by loss type
Special risk conditions
Unstable conditions
Fragile conditions
Troubleshooting results
Chapter 8. Risk Analysis Examples
Overview
Inappropriate access privileges
Privileged insider/snooping/confidentiality
Privileged insider/malicious/confidentiality
Cyber criminal/malicious/confidentiality
Unencrypted internal network traffic
Privileged insider/confidentiality
Nonprivileged insider/malicious
Cyber criminal/malicious
Website denial of service
Analysis
Basic attacker/availability
Chapter 9. Thinking about Risk Scenarios Using FAIR
The boyfriend
Security vulnerabilities
Web application risk
Contractors
Production data in test environments
Password security
Basic Risk Analysis
Project prioritization
Smart compliance
Going into business
Chapter summary
Chapter 10. Common Mistakes
Mistake categories
Checking results
Scoping
Data
Variable confusion
Mistaking TEF for LEF
Mistaking response loss for productivity loss
Confusing secondary loss with primary loss
Confusing reputation damage with Competitive Advantage loss
Vulnerability analysis
Chapter 11. Controls
Overview
High-level control categories
Asset-level controls
Variance controls
Decision-making controls
Control wrap up
Chapter 12. Risk Management
Common questions
What we mean by “risk management”
Decisions, decisions
Solution selection
A systems view of risk management
Chapter 13. Information Security Metrics
Current state of affairs
Metric value proposition
Beginning with the end in mind
Missed opportunities
Chapter 14. Implementing Risk Management
Overview
A FAIR-based risk management maturity model
Governance, risks, and compliance
Risk frameworks
Root cause analysis
Third-party risk
Ethics
In closing
Index
No. of pages: 408
Language: English
Edition: 1
Published: August 22, 2014
Imprint: Butterworth-Heinemann
Paperback ISBN: 9780124202313
eBook ISBN: 9780127999326
JF
Jack Freund
Dr. Jack Freund is a leading voice in cyber risk measurement and management. As VP, Head of Cyber Risk Methodology for BitSight, Jack has overall responsibility for the systemic development and application of frameworks, algorithms, and quantitative and qualitative methods to measure cyber risk. Previously, Jack was Director of Risk Science at quantitative risk management startup RiskLens and Director of Cyber Risk for TIAA. Jack holds a Ph.D. in Information Systems from Nova Southeastern University, a Masters in Telecommunication and Project Management, and a BS in CIS. Jack has been named a Senior Member of the IEEE and ACM, a Fellow of the IAPP and FAIR Institute, and a Distinguished Fellow of the ISSA. He is the 2020 recipient of the (ISC)2 Global Achievement Award, 2018 recipient of ISACA’s John W. Lainhart IV Common Body of Knowledge Award, and the FAIR Institute’s 2018 FAIR Champion Award.
Affiliations and expertise
VP, Head of Cyber Risk Methodology for BitSight, US.
JJ
Jack Jones
Jack Jones has worked in information security for over 35 years, serving as a CISO with three different companies, including a Fortune 100 company. His work was recognized in 2006 with the ISSA Excellence in the Field of Security Practices award, and in 2012 he received the CSO Compass award. As an Adjunct Professor at Carnegie Mellon University, he teaches in the CRO and CISO executive programs. Jones also created the Factor Analysis of Information Risk (FAIR) model, as well as the FAIR Controls Analytics Model (FAIR-CAM), since adopted as international standards. Jones is the Chief Risk Scientist at RiskLens and Chairman of the FAIR Institute, an award-winning global non-profit organization.
Affiliations and expertise
Co-founder and president of CXOWARE, Inc. , US.
Read Measuring and Managing Information Risk on ScienceDirect