Slashdot Mirror


Book Review: Measuring and Managing Information Risk: a FAIR Approach

benrothke writes: It's hard to go a day without some sort of data about information security and risk. Research from firms like Gartner is accepted without question, even though they can get their results from untrusted and unvetted sources. The current panic around Ebola shows how people are ill-informed about risk. While stressing over Ebola, the media is oblivious to true public health threats like obesity, heart disease, drunk driving, diabetes, and the like. When it comes to information security, it's not much better. With myriad statistics, surveys, data breach reports, and global analyses of the costs of data breaches, there is an overabundance of data and an underabundance of meaningful data. In Measuring and Managing Information Risk: A FAIR Approach, authors Jack Freund and Jack Jones have written a magnificent book that will change the way (for the better) you think about and deal with IT risk. Keep reading for the rest of Ben's review.

Measuring and Managing Information Risk: A FAIR Approach
    Author: Jack Freund and Jack Jones
    Pages: 408
    Publisher: Butterworth-Heinemann
    Rating: 10/10
    Reviewer: Ben Rothke
    ISBN: 978-0124202313
    Summary: Superb overview of the powerful FAIR risk management methodology

The book details the Factor Analysis of Information Risk (FAIR) methodology, a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity. An Open Group standard, FAIR is both a methodology and a highly effective quantitative analysis tool.

The power of FAIR is immense: it enables the risk practitioner to make well-informed decisions based on meaningful measurements. While that seems obvious, in practice it is a challenging endeavor.

FAIR is invaluable in that it helps the risk professional understand the language that the corporate board and senior executives speak. Understanding that and communicating in their language can make it much easier for information security to be perceived as a valued asset, as opposed to using Chicken Little statistics.

FAIR takes the risk professional out of the realm of dealing with risk via checklists, which only produce meaningless measurements, and into the world of quantitative, defensible results.

For those looking for a tool to create pretty executive summary charts with lots of colors, FAIR will sorely disappoint. For those looking for a method to understand how to calculate qualitative risk to support a formal enterprise risk management program, there is no better guide than this book.

The book is an incredibly good reference that will force you to look again at how you view risk management. Jones writes in the preface that the book is not about checklists and formulas, but about critical thinking. The authors note that information security and operational risk have operated for far too long as an art, with not enough science. This is the gap that FAIR attempts to fill.

The authors write that the quality of risk decision making boils down to the quality of the information decision makers are operating from, and to the decision makers themselves. The book does a remarkable job of showing how a person can become a much better decision maker.

A subtle but important point the book makes early on is that many risk professionals confuse risk possibilities with risk probabilities. The FAIR method forces you to focus on probabilities and not to obsess over Ebola-like possibilities. Such a quantitative analysis approach is what makes FAIR so beneficial.

The book spends a few chapters going through the FAIR risk ontology and terminology. Inconsistent and poorly defined terminology is one of the most significant challenges the information security and operational risk profession faces. Having a consistent set of logical terms and definitions that make up the FAIR framework significantly improves the quality of risk communication within an organization.

The value of having a consistent set of logical terms and definitions is significant. For example, the book notes that many people use the term "threat". In the context of risk analysis, it might not be a real threat if there is no resulting loss. In that case, it would be considered a vulnerability event.

The challenge of FAIR is acclimating to its dialect. But once that is done, it becomes an extremely powerful methodology for risk communication and management. And therein lies its power. Setting up a common framework for risk management becomes an invaluable tool for presenting risk ideas. In addition, it makes the findings much more objective and defensible.

In chapter 5, the authors address the biggest objections to quantitative risk management: that risk can't be measured or is simply unknowable. They agree that risk can't be measured at the micro level, but it can be measured effectively enough to reduce management's uncertainty about risk. They also importantly note that risk is a forward-looking statement about what may or may not come to pass in the future. With that, perfect accuracy is impossible, but effective quantitative risk management is very possible.

The power of FAIR is that it helps add clarity to ambiguous risk situations by giving you the tools to add data points to a situation that is purported to be unknowable.
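As an added illustration of the range-based, probability-focused estimation the review describes (this is example code written for this page, not code from the book or from the authors' software): each factor is entered as a calibrated minimum / most likely / maximum range and a Monte Carlo run turns those ranges into an annual loss distribution, so a dreaded-but-rare scenario can be compared with a mundane-but-frequent one on the same scale. The two scenarios and every number in them are constructed, and the loss event frequency × loss magnitude decomposition and triangular sampling follow the general Open FAIR approach rather than anything specific to this book.

```python
"""Monte Carlo estimate of annual loss exposure, FAIR style (constructed example).

FAIR expresses risk as loss event frequency (LEF, events per year) combined
with loss magnitude (LM, loss per event). Each factor is a calibrated range
(minimum, most likely, maximum) rather than a single point value.
"""
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Estimate:
    """A calibrated range, sampled from a triangular distribution."""
    low: float
    mode: float
    high: float

    def __post_init__(self) -> None:
        if not self.low <= self.mode <= self.high:
            raise ValueError("estimate must satisfy low <= mode <= high")

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes its arguments as (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)

    @property
    def mean(self) -> float:
        # Mean of a triangular distribution
        return (self.low + self.mode + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Estimate  # loss events per year
    lm: Estimate   # loss per event, in currency units


def simulate_annual_loss(scenario: Scenario, trials: int = 20000, seed: int = 1) -> List[float]:
    """Draw LEF and LM independently per trial; annual loss is LEF * LM (simplified)."""
    rng = random.Random(seed)
    return sorted(scenario.lef.sample(rng) * scenario.lm.sample(rng) for _ in range(trials))


def percentile(sorted_values: List[float], p: float) -> float:
    """Nearest-rank percentile of an ascending list, p in [0, 1]."""
    index = min(len(sorted_values) - 1, int(p * len(sorted_values)))
    return sorted_values[index]


def summarize(scenario: Scenario, trials: int = 20000, seed: int = 1) -> Dict[str, float]:
    """Percentiles plus simulated and analytic means of annual loss."""
    losses = simulate_annual_loss(scenario, trials, seed)
    return {
        "p10": percentile(losses, 0.10),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "mean": sum(losses) / len(losses),
        # Independent factors, so E[LEF * LM] = E[LEF] * E[LM]; used as a sanity check.
        "analytic_mean": scenario.lef.mean * scenario.lm.mean,
    }


# Constructed scenarios: a mundane, frequent loss and a dreaded, rare one.
FREQUENT = Scenario(
    name="phished credentials lead to a mailbox compromise",
    lef=Estimate(0.1, 0.5, 2.0),
    lm=Estimate(20_000, 80_000, 500_000),
)
DREADED = Scenario(
    name="data center destroyed by a natural disaster",
    lef=Estimate(0.001, 0.005, 0.02),
    lm=Estimate(1_000_000, 5_000_000, 20_000_000),
)


if __name__ == "__main__":
    for scenario in (FREQUENT, DREADED):
        s = summarize(scenario)
        print(f"{scenario.name}: p10={s['p10']:,.0f} p50={s['p50']:,.0f} "
              f"p90={s['p90']:,.0f} mean={s['mean']:,.0f}")
```

The p10/p50/p90 spread is the point: it states how uncertain the estimate is instead of pretending to a single exact number.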

Chapter 8 is an extremely enlightening chapter in that it provides 11 risk analysis examples. The examples do a great job of reinforcing the key FAIR concepts and methods.

In chapter 10, the authors write that the hardest part of learning FAIR is having to overcome bad habits. For most people, FAIR represents a recalibration of your mental model about what risk is and how it works. The chapter deals with common mistakes and stumbling blocks when performing a FAIR analysis. The 5 high-level categories of mistakes the chapter notes are: checking results, scoping, data, variable confusion and vulnerability analysis.

FAIR is a powerful methodology that can revolutionize risk management. The challenge is that it takes a village to make such a change. Management may be reluctant to invest in what is perceived as yet another risk management framework.

But once you start using the language of FAIR and validate your findings, astute management will likely catch on. Over time, FAIR can indeed be a risk management game changer.

The book is flawless in its execution and description of the subject. The only critique is that the authors should have been a bit more transparent in the text when mentioning the FAIR software (especially in chapter 8), in that it is their firm that makes the software.

For those willing to put in the time to understand FAIR, this book will make their jobs much easier. It will help them earn the trust of senior management, and make them much better risk management professionals in the process.

Reviewed by Ben Rothke.

You can purchase Measuring and Managing Information Risk: A FAIR Approach from amazon.com.

46 comments

  1. ISBN by cwt137 · · Score: 1

    The ISBN is wrong. It is 978-0124202313

    1. Re:ISBN by Anonymous Coward · · Score: 0

      full info:

      Product Details

              Paperback: 408 pages
              Publisher: Butterworth-Heinemann; 1 edition (August 22, 2014)
              Language: English
              ISBN-10: 0124202314
              ISBN-13: 978-0124202313

    2. Re:ISBN by benrothke · · Score: 1

      Thanks. Will see if the editor can make the change.

  2. Risk assessment by i+kan+reed · · Score: 1

    To me risk assessment, even though I know it's important, will always be something MBAs force on developers because they are jealous of people who might actually have fun doing their job.

    1. Re:Risk assessment by bluefoxlucid · · Score: 1

      My experience is business-type people see risk assessment as one of those duh things that doesn't need all this overhead. They then ask for inane, stupid shit, and parrot whatever they heard this week. Middle managers then just go by feel--what gives them the willies is unacceptable, and what they're comfortable about seems acceptable.

      This is a sick and dysfunctional atmosphere; as an engineer, I find it appalling that you would build anything--software, business processes, machines--without a strong risk management plan.

      If you're installing a TV transmitter, you have a device at 2000 feet that, if broken open and unshielded, produces enough energy to melt people's faces off at ground level 500 meters away from the tower base. This means all installation considerations must involve reflection on how the integrity of the transmitter is protected or put at-risk, and anything which threatens its integrity requires further examination.

If you're installing computer server software, you open yourself up for any number of cyber security risks, and may open yourself up to legal risks. Before building a cluster on a public Web server that uses VMware fencing and thus logs into vSphere on a server farm that also holds HIPAA or SOX regulated data: if you go ahead and do that, knowing that a compromise of the server and a new VMware vulnerability could allow access to or destruction of these legally-protected data, you *personally* could go to prison.

New business processes run the risk of incurring legal liabilities, process slow-downs, costs, or even injury. Business processes include things like operation of a sheet metal producer (how often is it inspected? This temporarily pauses production, and is costly; but going out of tolerance could result in non-uniform sheets or injury to workers), the stocking of shelves (giant double-door refrigerators on the top shelf in a customer aisle?), and so on. Bed, Bath, and Beyond institutes a business process for using a ladder on store shelves, such that another floor employee must check the other side of the shelf; occasionally, the employee operating the ladder will bump the shelf and cause an item to fall, which can and has resulted in injury (and death!).

      Risk Management is a trivial topic. Kepner-Tregoe Potential Problem/Opportunity Analysis is nothing more than Operational Risk Management in a long-winded manner (what could happen? What is the probability? What is the severity? What should we do about it?). Project Management involves Project Risk Management, which starts with identifying risks (what could go wrong? What could happen that we could take advantage of?), then performing qualitative risk analysis (which of these does our experience tell us is most likely and most important?), then performing quantitative risk analysis on those most important things (how likely, what impact?), and then planning what actions to take. Many business studies follow a similar risk analysis methodology.

      None of these things is particularly complex; the complex methodologies are long-winded, redundant expansions of simple, well-established methods. These are things which should be done.

    2. Re:Risk assessment by Anonymous Coward · · Score: 0

Gotta be careful when you do risk assessment for security. It's essential to keep your list of acceptable risks really, really secret.

      If I'm an attacker and know you have accepted risk X, which means you aren't going to spend to defend against attack X because it's "too hard" or "too exotic" or whatever, guess where I put my effort? Solving X. Your list of acceptable risks is my research agenda.

      I wonder how the FAIR software addresses this problem. It's like the old story of crypto keys being more valuable to an attacker than the contents of a single message. Get a message, I learn one thing. Get a key, I learn many things.

    3. Re:Risk assessment by Anonymous Coward · · Score: 0

      If you're installing a TV transmitter, you have a device at 2000 feet that, if broken open and unshielded, produces enough energy to melt people's faces off at ground level 500 meters away from the tower base. This means all installation considerations must involve reflection on how the integrity of the transmitter is protected or put at-risk, and anything which threatens its integrity requires further examination.

Yeah, I would like to see how you could accidentally break a TV transmitter, and heavily focus it so as to be harmful at 2000 ft. Dipole transmitters don't just beam energy like a laser beam. Even if you had a ~1 m vertical focus on a 5000 kW ERP transmitter, and it somehow fell loose to point at the ground, the already contrived situation would produce less than 100 W per square meter, something like being a foot away from an incandescent bulb. This is out of regulation, but not melting a person's face. You would need it to magically turn into a 35+ dB antenna to just compete with the energy flux of sunlight.

For complaining about people shooting from the gut and going off of feelings of what is scary, you're sure setting an example of what not to do.

    4. Re:Risk assessment by flargleblarg · · Score: 1

      If you're installing a TV transmitter, you have a device at 2000 feet that, if broken open and unshielded, produces enough energy to melt people's faces off at ground level 500 meters away from the tower base.

      I call bullshit.

    5. Re:Risk assessment by bluefoxlucid · · Score: 1

      These transmitters are 500,000 watts. I did the math once and figured the transmitter 3 miles from my house would expose people to 2000W of microwave radiation on the ground for several blocks. This would ignite trees and houses, and melt people.

      Helicopters aren't legally allowed near the tower.

    6. Re:Risk assessment by Anonymous Coward · · Score: 0

      These transmitters are 500,000 watts.

Learn what ERP is, as no TV station uses anywhere near an actual 500 kW for a 500 kW ERP station. A crappy antenna means they would be using at most about 100 kW. But let's assume it is 500 kW, and go with the original 2000 ft instead of the three miles you say now. If you wanted to get 2000 W, you would need a collection area of nearly 20000 m^2, or about the area of three football fields. If you wanted to concentrate that into a square meter, something closer to the size of a person, you would need a 40+ dB antenna, which is nothing like the dipole antennas used by a TV station. Even then, as another post was pointing out, you're dealing with a power only twice that of sunlight. Change the 2000 ft to 3 miles, and you are even more disjoint from the reality of such a setup.

  3. Media Coverage of Risk by TomRC · · Score: 4, Insightful

    "The current panic around Ebola shows how people are ill-informed about risk. While stressing over Ebola, the media is oblivious to true public health threats like obesity, heart disease, drunk driving, diabetes, and the like."

    Nonsense.

    The media are focusing on Ebola because it is a relatively *unknown* risk for most, which makes it novel, which makes it news. They have extensively covered all of the other risks, and the public are generally well informed of the risks - or as informed as they are individually capable of being informed without one-on-one tutoring or coaching.

    1. Re:Media Coverage of Risk by operagost · · Score: 1

This was a pointlessly provocative opening line for a review. We can't treat known threats like heart disease as if they are a daily emergency. FWIW, search Google News for "heart disease" and you get 129,000 results -- which is much better than "oblivious".

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.

    2. Re:Media Coverage of Risk by Anonymous Coward · · Score: 0

      Also, media != the people. Media coverage doesn't only depend on what people want to read about, and it's not a good measure for what people are most worried about. If everybody was really freaking out about Ebola there would have been a significant effort to fight it in Africa.

    3. Re:Media Coverage of Risk by Anonymous Coward · · Score: 0

      I disagree a lot on this.
      I just want to say: everybody panic!
      We need to panic more about ebola.
      everybody panic!
      More!
      everybody panic!
      More.
      everybody panic!

    4. Re:Media Coverage of Risk by Anonymous Coward · · Score: 0

      You know what they say when you use a pointlessly provocative opening line..

    5. Re:Media Coverage of Risk by Jane+Q.+Public · · Score: 1

      Nonsense.

      I agree with OP's sentiment, but the examples given are not good examples. People actually know the risks of mundane things like obesity and heart disease, because they're around us every day. It is unusual things about which people are terrible at assessing risk.

      For example: people in the U.S. and Europe have allowed the government to terrify them about terrorists (sort-of-pun intended), when in fact their risk of death from a fall in the bathtub is many times greater. They have allowed government and media to terrify them about climate change when years of recent scientific evidence suggest it is probably not a danger at all, but at least mostly a political agenda.

      As others have mentioned, these things are "unknown" to them, so they suck up any media hysteria that is thrown their way, rather than attempting to rationally assess the risks based on solid statistics and other information. But sometimes the problem is that they just don't have proper information with which to work.

      Another example: many people have tended to believe overstated, propaganda claims about gun violence in the United States, when according to the actual statistics, if you aren't a gang member or drug dealer, guns present little if any more danger to you in the U.S. than in any other major Western country.

      I could go on and on. But the point is: when people don't know how to assess a risk, or don't actually have good information on which to make an assessment, they tend to believe whatever they are told about it. Heart disease and diabetes are simply not in this category: people do know the risks, but often choose to ignore them. That is a different thing altogether.

    6. Re:Media Coverage of Risk by Anonymous Coward · · Score: 0

      It is unusual things about which people are terrible at assessing risk.

      People are horrible at estimating the risk of very usual things too, including heart disease, for a long list of reasons. Some of it is denial, failing to see how bad it is for someone they care about (or themselves). Some of it is inability to see the impact of it, because they attribute additional things to people they know that were impacted, e.g. "he was kind of old" or "he was rather unhealthy because of X" when not realizing that the person wasn't that old or that X wasn't a big factor. It isn't about being common or uncommon, but an issue with having little immediate feedback (even then people screw up risk assessment on things like games and gambling too).

Try asking some people what they think their chances of getting heart disease or diabetes is. Also ask about what risks they perceive for other people they know. There will be plenty that way underestimate it, and way overestimate it in other cases (e.g. think one family member is at a high risk, when really several are, or that family member is not much above average). Try asking about cancer and sources of cancer, which is also a rather common cause of death, but befuddles people. I've watched numerous people struggle to deal with a loved one's death to cancer by trying to insist they could pinpoint the exact cause of cancer, and insisting that everyone who's lost someone to cancer could do the same.

    7. Re:Media Coverage of Risk by benrothke · · Score: 1

      Bruce Schneier has a good essay on this topic - Virginia Tech Lesson: Rare Risks Breed Irrational Responses - https://www.schneier.com/essay...

      He sums it up with novelty + dread = overreaction.

Ebola fits that. From a public health perspective for the US, Ebola is for the most part a non-issue.

    8. Re:Media Coverage of Risk by benrothke · · Score: 1

      I guess a better term would have been ‘uninterested’.

      The fact that a few people have died to Ebola makes it a novelty.

      The fact that 10,000+ people have been killed annually in DUI related offences has jaded the media.

  4. What happened to that guy that used to always post by Anonymous Coward · · Score: 0

    book reviews here? What was his name? Dent?

  5. WHO - 1.5 million died from heart disease in 2012 by Killer+Instinct · · Score: 1

    WHO estimates 20k will be infected with ebola and around 2/3 may die due to it. Yet it is all over the news. Meanwhile WHO states 1.5 million died from heart disease in 2012.
    Makes you wonder who is trying to cover up what these days.

    And where is the MH370 plane?

    KI

    --
    #include bier;

  6. Re:WHO - 1.5 million died from heart disease in 20 by Killer+Instinct · · Score: 1

    *7.4 million died of heart disease in 2012

    --
    #include bier;

  7. Re:WHO - 1.5 million died from heart disease in 20 by i+kan+reed · · Score: 1

    Yeah, but heart disease kills you slowly and totally expectedly.

People aren't going to panic over legitimate pragmatic threats to their health they can (but won't) do something about.

  8. WHO - 1.5 million died from heart disease in 2012 by Anonymous Coward · · Score: 0

Yeah well Heart Disease may kill more but it's only because people eat so much damn food.

Hey joe wanna come to my house for the Super Bowl, we'll have 14 layer bean dip. We'll eat ourselves to death
    Nahh I'm going to Ed's house, he is bleeding from his eyes because his team didn't make it to the big game, also he has ebola.

  9. Re:WHO - 1.5 million died from heart disease in 20 by Killer+Instinct · · Score: 1

Ebola is transmitted when you touch an infected person who is dying or died from it or get their bodily fluid in you. We know this now. What is so unexpected about that? Even the people living in the affected areas are changing their behavior. 6k people a year die from texting while driving... It's the media driving the Ebola hysteria. Enough already.

    --
    #include bier;

  10. It's because Republicans hate us. by Anonymous Coward · · Score: 0, Offtopic

    That is why their media is spreading these lies. They claim thousands have Ebola here when it has been proven that only a single person has it. The others were exposed as lies by McCain. He is a horrible person. He lies lies lies lies. That is what his kind does. They lie and kill children. That is why they reduced EBT so children will starve. The media is not covering this because they own every single paper in this shithole. Our country is dead. It died and now it is taking us down with it.

    1. Re:It's because Republicans hate us. by Anonymous Coward · · Score: 0

Finally a rationalist amongst us.

    2. Re:It's because Republicans hate us. by Killer+Instinct · · Score: 1

I took this as hilarious. If I had mod points and you weren't AC I'd mod you funny. Good stuff there. Thank you for the smile today :)

      --
      #include bier;

  11. Re:WHO - 1.5 million died from heart disease in 20 by Spy+Handler · · Score: 1

    heart disease isn't contagious. Also if you take care of yourself (or if you're young) heart disease has little to no risk for you. Also heart disease doesn't make you bleed out from every orifice in your body. Also heart disease doesn't trash every organ in your body, just the heart. Need I go on?

  12. Re:WHO - 1.5 million died from heart disease in 20 by Killer+Instinct · · Score: 1

Er, ya, misread your post. I think we are on the same page... carry on

    --
    #include bier;

  13. What is FAIR? by phantomfive · · Score: 1

    I read the review, and appreciate it, but I'm still not entirely sure what FAIR is. It's a RISK management and communication technique, but I was hoping for a little more than that.....

    --
    "First they came for the slanderers and i said nothing."

    1. Re:What is FAIR? by benrothke · · Score: 1

      Sorry.... this web site provides a good overview: http://www.cxoware.com/what-is...

  14. Re:What happened to that guy that used to always po by phantomfive · · Score: 1

    Anyone can post book reviews. Read the book, write the review, it's great.

    --
    "First they came for the slanderers and i said nothing."

  15. I think this is a contradiction by phantomfive · · Score: 3, Funny

    I think these two statements are a contradiction:

    FAIR is invaluable in that it helps the risk professional understand the language that the corporate board and senior executives speak....For those that are looking for a tool to create pretty executive summary charts with lots of colors, FAIR will sorely disappoint them.

    --
    "First they came for the slanderers and i said nothing."

  16. Re: President Obola isnt done trying to be a maois by Anonymous Coward · · Score: 0

    >> President Obola isnt done trying to be a maoist dictator,

Actually a Marxist dictator, but u r right on the other points.

  17. Re:What happened to that guy that used to always po by Anonymous Coward · · Score: 0

    Not really true. I once posted a 10 word book review for Slashdot and it was rejected. I don't have a lot to say.

    Do you know Chris Roberts? He is the worst reviewer on Amazon, ranked 25,000,00.

    He is at http://www.amazon.com/gp/cdp/member-reviews/AH62BQTCMR3BR/ref=cm_pdp_rev_all?ie=UTF8&sort_by=MostRecentReview

    i would like to see his reviews here.

  18. News = News, who knews by Tablizer · · Score: 1

    Great point. Heart disease, diabetes, etc. are not "news". New risks are news by definition, and that's why they are covered in "the news".

    If you want to read about diabetes, read "the olds" (AKA archives), not "the news". Thus, in the ebola case, "the news" are mostly doing their jobs. If you don't want to see "the news", but "the olds" instead, then don't fricken read/watch the news.

    Maybe The Olds need catchier theme songs or voicings to make them more appealing. "Important things you already know about, but for...got [dramatic pause]. We'll help you remember this very important old information. The Olds![TM] Get it now, or, die of the known! The choice is yours and yours alone! [cue intense music]"

  19. Re:HRC is our only hope by Anonymous Coward · · Score: 0

    HRC = Her Royal ???

  20. Strawman by SAN1701 · · Score: 1

    "While stressing over Ebola, the media is oblivious to true public health threats like obesity, heart disease, drunk driving, diabetes, and the like."

No, it's not. Actually, no matter how much the media repeat warnings about these issues, PEOPLE (a part of them) are oblivious to these public health issues. I dare you to watch CNN or read MSN, HuffPo or any news aggregator for a day without something being said about at least one of these issues, mostly (in the US) obesity. We even had a mayor of NYC that went into a series of highly controversial steps to prevent obesity (limiting the size of sodas, really? Couch potatoes would buy 2 of them). It's just that some people don't pay attention because they don't want to change their lifestyle.

Ebola is something "new", so it gets more flash from news outlets since people will cringe for, well, news. It's the way people work, unfortunately. In a BTVS season, the much bigger issues above would be the Big Bad. Ebola is just the monster of the week. Granted, it gets full attention now, but once the current crisis is gone, I doubt you'll hear about it until another outbreak.

  21. The solution doesn't address the problem by yorgo · · Score: 1

    "Research from firms like Gartner are accepted without question; even though they can get their results from untrusted and unvetted sources."
    "With myriad statistics, surveys, data breach reports, and global analyses of the costs of data breaches, there is an overabundance of data, and an under abundance of meaningful data."
    Unchecked sources. Abundance of meaningless data. These are problems.

    "The authors note that information security and operational risk has operated for far too long as an art, with not enough science. This is the gap that FAIR attempts to fill."
    Yet, the book doesn’t seem to address those problems.

  22. Re:What happened to that guy that used to always po by Anonymous Coward · · Score: 0

    Waddy Wachtel was the dude.

  23. Risk is not an unpleasant event by Anonymous Coward · · Score: 0

    But rather, a measure of its likelihood expressed with level of uncertainty. Other authors who have written about this subject urge us to be pedantic, while happily admitting that it is easier to say, "I am exposed to fraud risk", than "I am exposed to the risk of loss from fraud events". (http://www.soa.org/files/research/projects/research-new-approach.pdf)

    It seems Freund and Jones get this right, yes. Good review.

  24. It's Clinton by Anonymous Coward · · Score: 0

    Stop being an ass and pretending you don't know who she is. I know your kind hates women and wants to kill us, but pretending you don't know who the most powerful woman in the history of our country is, is just a lie. I KNOW YOU HATE US AND WANT US DEAD, BUT STOP BEING AN ASSHOLE. WE KNOW YOU DAMN WELL KNOW WHO BILL CLINTON IS. Why lie? Why does your kind constantly lie? Fuck you and your violence.