Measuring and Managing Information Risk: A FAIR Approach Paperback – 22 August 2014
There is a newer edition of this item ($117.38), which has not yet been released.
- ISBN-10: 0124202314
- ISBN-13: 978-0124202313
- Edition: 1st
- Publisher: Butterworth-Heinemann
- Publication date: 22 August 2014
- Language: English
- Dimensions: 19.05 x 2.36 x 23.5 cm
- Print length: 410 pages
Product description
Review
"...informative and insightful―and surprisingly engaging. Using examples, anecdotes, and metaphors, the writers keep this educational work from becoming difficult... Professionals new to thorough information risk analysis or using more simplified approaches will find this book extremely useful." --Security Management
Review
A comprehensive resource that provides a much-needed, flexible methodology for measuring and managing information risk.
About the Author
Jack Jones has worked in information security for over 35 years, serving as a CISO with three different companies, including a Fortune 100 company. His work was recognized in 2006 with the ISSA Excellence in the Field of Security Practices award, and in 2012 he received the CSO Compass award. As an Adjunct Professor at Carnegie Mellon University, he teaches in the CRO and CISO executive programs. Jones also created the Factor Analysis of Information Risk (FAIR) model, as well as the FAIR Controls Analytics Model (FAIR-CAM), since adopted as international standards. Jones is the Chief Risk Scientist at RiskLens and Chairman of the FAIR Institute, an award-winning global non-profit organization.
Product details
- Publisher : Butterworth-Heinemann; 1st edition (22 August 2014)
- Language : English
- Paperback : 410 pages
- ISBN-10 : 0124202314
- ISBN-13 : 978-0124202313
- Dimensions : 19.05 x 2.36 x 23.5 cm
- Best Sellers Rank: 144,098 in Books
  - 140 in Business Information Management
  - 545 in Computer Security & Encryption (Books)
  - 2,374 in Industries
About the authors
Jack has worked in technology for thirty years, and information security and risk management for twenty-four years. He has over nine years of experience as a CISO with three different companies, including five years at Nationwide Insurance. His work there was recognized in 2006 when he received the ISSA Excellence in the Field of Security Practices award at that year’s RSA conference. In 2007, he was selected as a finalist for the Information Security Executive of the Year, Central United States, and in 2012 was honored with the CSO Compass award for leadership in risk management. He is also the creator of the Factor Analysis of Information Risk (FAIR) framework.
Currently, Jack is President and co-founder of CXOWARE, Inc., which provides risk management and risk analytics software based on FAIR. He currently holds the CRISC, CISM, CISA, and CISSP certifications and is on the ISACA CRISC Committee and the ISC2 Ethics Committee.
Dr. Jack Freund is an expert in IT risk management specializing in analyzing and communicating complex IT risk scenarios in plain language to business executives. He currently leads a team of risk analysts at TIAA-CREF. Jack has over 16 years in IT and technology working for organizations such as Nationwide Insurance, CVS/Caremark, Lucent Technologies, Sony Ericsson, AEP, Wendy’s International, and The State of Ohio. He holds a BS in CIS, a Master’s in Telecom and Project Management, a PhD in Information Systems, and the CISSP, CISA, CISM, CRISC, CIPP, and PMP certifications. Jack is a Visiting Professor at DeVry University and a Senior Member of the ISSA, IEEE, and ACM. Jack chairs a CRISC subcommittee for ISACA and is a member of the Open Group’s risk analyst certification committee.
Jack’s writings have appeared in the ISSA Journal, Bell Labs Technical Journal, Columbus CEO Magazine, and he currently writes a risk column for @ISACA. Jack is also authoring a book entitled Measuring and Managing Information Risk: A FAIR Approach under contract with Elsevier. You can follow all Jack’s work and writings at riskdr.com.
Customer reviews
Top reviews from other countries
1. Ok, it is a good point that it is not a book supposed to teach Monte-Carlo simulations. I get this part. There are good study materials that do the job. But, and this is the big but, there is no explanation or any kind of useful information on how the variables interact from a mathematical viewpoint. Knowing this would allow you to program it yourself, for example with Python or R. Of course, understanding the math behind Monte-Carlo simulations and how they work, it is possible to come up with a solution (your solution). But that is my point: you must come up with the (your) solution; it is not shown or described in the book. Therefore you cannot be sure whether your “solution” on how you have interpreted the FAIR model is somewhat right or not.
2. The book is just to “hook” you up. In order to go further you need the FAIR training. Many information bits are missing in the book, preventing you from actually using it. I know that because of my “aha” moments during “a product” presentation by a certain company offering their FAIR “Tool”. During the presentation, certain aspects of how to use FAIR became clearer.
Reading the book is not helpful to actually use FAIR in a useful manner. In order to do that (well guess what, yes that’s right!) you need the offered training, provided (guess again) by the same company, that is behind FAIR (yes a company, check out who is behind the training and FAIR, too!).
The book is therefore only partially useful, more to hook you up, even if you do understand Monte-Carlo simulations, so do not expect too much from the book.
Consider how radical it is to promise a truly quantitative approach to cyber risk management in a world dominated by numerous qualitative “frameworks,” red-yellow-green heat maps, thousand-item one-size-fits-all questionnaires, subjective and qualitative scales of likelihood and impact, and fake math like “red times green equals yellow”. And then consider how transformational it is to deliver on the promise.
Other reviewers have nicely discussed the book’s coverage of the FAIR taxonomy. Suffice it to say that MMIR is your best friend in understanding the Open Group FAIR standards. Freund and Jones bring a potentially dry subject alive with many “Talking About Risk” sidebars that tell of their experience with FAIR methods in practice. These war stories make the content accessible and relevant. I especially appreciate the authors’ informal style that is conversational without being verbose and humorous without being patronizing or cute. What the war stories leave out chapter 8 fills in with numerous example analyses. A worked example is better than a thousand war stories.
If giving a thorough rationale for and introduction to FAIR were all that MMIR did, it would be worth its weight in gold. But wait! There’s more!
It’s the “managing” part, chapters 11-14, that constitutes another breakthrough beyond FAIR. There Freund and Jones begin laying out (one senses it is a work in progress) a risk management ontology, built on the FAIR risk measurement ontology. In rethinking the classification of controls in the context of threat event frequency, vulnerability, and loss mitigation, they provide ways to assess and – yikes! – quantify the potential value of control improvements, in isolation or in combination. This gives the CISO the beginning of a way to manage the control environment, not just the threats.
But controls not consistently adhered to are both false comfort and all too common. Therefore F&J suggest that variance in the application of controls is perhaps the single most important set of infosec management metrics. As the old saw goes, if you cannot measure it you cannot manage it, and if you do not know how well your controls are operating on a continuing basis, then what confidence can you have in the millions of dollars invested in technology and staff?
Which brings us to metrics. It is perhaps not surprising that a methodology based on quantitative analysis lends itself to meaningful metrics. F&J offer many concrete suggestions far superior to the grab-bag of metrics found in vendor dashboards (measure what’s cheap and looks cool) and other books. These are real metrics that the CISO can use to … manage risk.
And managing risk is really why we do all this stuff. Making good decisions on both operational and strategic levels requires good data derived from reliable instruments and methods. It is in managing risk that MMIR is truly seminal and profound.
If they do another edition Freund and Jones should consider adding a subtitle, “The CISO’s Bible,” because CISOs will find themselves coming back to it time and again. Or maybe that is the next book.
The principle is good - leading people through the things they should consider when evaluating risk, but after that it turns to a very prescriptive method that does not allow for non-financial risks, or mitigations, etc.