Measuring and Managing Information Risk: A FAIR Approach

Using the factor analysis of information risk (FAIR) methodology developed over ten years and adopted by corporations worldwide, Measuring and Managing Information Risk provides a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity. Intended for organizations that need to either build a risk management program from the ground up or strengthen an existing one, this book provides a unique and fresh perspective on how to do a basic quantitative risk analysis. Covering such key areas as risk theory, risk calculation, scenario modeling, and communicating risk within the organization, Measuring and Managing Information Risk helps managers make better business decisions by understanding their organizational risk.

Uses factor analysis of information risk (FAIR) as a methodology for measuring and managing risk in any organization. Carefully balances theory with practical applicability and relevant stories of successful implementation. Includes examples from a wide variety of businesses and situations presented in an accessible writing style.

393 pages, Kindle Edition

First published January 1, 2014

About the author

Jack Freund

3 books, 1 follower

Ratings & Reviews

Community Reviews

5 stars: 59 (53%)
4 stars: 31 (28%)
3 stars: 14 (12%)
2 stars: 5 (4%)
1 star: 1 (<1%)
Displaying 1 - 8 of 8 reviews
David Steyer
89 reviews, 1 follower
August 23, 2019
Initially I was skeptical about this book. I wanted to know more about FAIR after taking a SANS course hosted by David Musselwhite. David was an outstanding instructor in conveying the importance of FAIR. So in preparation for the OpenFAIR Certification exam, I wanted to know more and reinforce what I learned.

The book starts out by teaching you the basics of FAIR. So this was a rehash for me from the course. Chapter 8 goes into some good scenarios and examples. But after Chapter 8 this is where the book starts to shine.

Page 215 is an excellent discussion on inherent risk and how it does not exist. Going to a scenario with no controls is not reasonable. Rather, you should evaluate your inherent risk based on your environment and the controls in place.

Page 227 has a good discussion on compliance risk and the effort / cost to be compliant. The authors argue it's impossible. As you enter more and more jurisdictions with sometimes competing laws and regulations, you need to realize that the cost of 100% compliance is cost prohibitive and instead you should start managing your compliance risk, which you should have been doing anyway.

Chapter 11 looks at controls in depth and includes several mind maps detailing thought processes and dependencies between controls. The chapter ends with one of the most important and looked over items in corporate America today, accountability. Accountability should include signing on the dotted line, that yes, I am accountable for this risk.

Chapter 13 looks at metrics and discusses what works, what does not, and how to do it in your environment. There is no magic bullet, especially with development of KRIs and KPIs. However, your metrics need to be giving you a feedback loop so you know what's working and what is not.

Finally Chapter 14 looks at a FAIR Risk Management maturity model.

All in all I was very happy with what I will call the FAIR+ and highly recommend this book to any information security CISO, risk manager, or anyone with an interest in the topic.
Lars-Helge Netland
62 reviews, 1 follower
February 24, 2018
A very good book with great insights into where the information risk management community needs to evolve. Information security professionals will likely have boardroom attention for the next couple of years, and we need to make the most out of this opportunity. Applying the concepts and advice from this book will put you in a great position with C-level executives.
Paul Hypki
35 reviews, 3 followers
April 12, 2019
Excellent book on how to create qualitative risk analysis instead of just red, yellow, green. Definitely business oriented - not a book to take on vacation.
111 reviews
October 31, 2020
Excellent book on quantitative infosec risk management, FAIR method. Brilliantly written making this topic entertaining!
Andre
408 reviews, 14 followers
May 10, 2015
It is not often that I read a book that expands my mind as much as this. Being 42 and having been around the block a few times, it takes quite a bit to make me take notice. This is one of those books.

If you are involved in the management side of information security, cyber security, risk management, etc. you MUST read this book.

If you are involved in info/cyber security, but more as a practitioner in the trenches doing pentest, forensics, incident response, you might be able to skip this book, but I would still say that you should read it.

This book will expand your mind and make you think about information security in a new light. It will show you how to move away from the implicit risk management of just following a control framework and towards an explicit risk management approach where your decisions are meaningful, measurable and defensible.

Jack & Jack (the authors) where have you been all my career? I hope they publish some of the other things they mention in this book.
Jacquie
317 reviews, 1 follower
September 29, 2019
Factor Analysis of Information Risk is a very different approach to look at Information Risk as it doesn't look first at the control - but first looks at the assets to protect. The theories make total sense as I've read them and can't imagine why more companies aren't using this method.

I found the examples, charts, diagrams and detailed lists very helpful. There is so much I want to share with our IT group.

Now I will be looking for training to get a better grasp of the process to be able to speak to the process clearly and completely from our company's perspective.

Rick Howard
Author, 3 books, 44 followers
June 3, 2016
This is the book that all cybersecurity professionals should read. Our profession is categorically bad at assessing risk. Jack and Jack describe the model, FAIR, that will make your life easier. This is the future. It is so important that the book was inducted into the Cybersecurity Canon in April 2016.
80 reviews, 1 follower
June 12, 2021
After reading this, I am almost convinced that risk management doesn't yield much value vs the amount of time/effort it needs.