Book Review: Measuring and Managing Information Risk: a FAIR Approach 46
benrothke writes It's hard to go a day without some sort of data about information security and risk. Research from firms like Gartner are accepted without question; even though they can get their results from untrusted and unvetted sources. The current panic around Ebola shows how people are ill-informed about risk. While stressing over Ebola, the media is oblivious to true public health threats like obesity, heart disease, drunk driving, diabetes, and the like. When it comes to information security, it's not that much better. With myriad statistics, surveys, data breach reports, and global analyses of the costs of data breaches, there is an overabundance of data, and an under abundance of meaningful data. In Measuring and Managing Information Risk: A FAIR Approach, authors Jack Freund and Jack Jones have written a magnificent book that will change the way (for the better) you think about and deal with IT risk. Keep reading for the rest of Ben's review.
The book details the factor analysis of information risk (FAIR) methodology, which is a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity. An Open Group standard, FAIR is a methodology and a highly effective quantitative analysis tool. | Measuring and Managing Information Risk: A FAIR Approach | |
| author | Jack Freund and Jack Jones |
| pages | 408 |
| publisher | Butterworth-Heinemann |
| rating | 10/10 |
| reviewer | Ben Rothke |
| ISBN | 978-0124202313 |
| summary | Superb overview to the powerful FAIR risk management methodology |
The power of FAIR is immense: it enables the risk practitioner to make well-informed decisions based on meaningful measurements. While that seems obvious, in practicality, it is a challenging endeavor.
FAIR is invaluable in that it helps the risk professional understand the language that the corporate board and senior executives speak. Understanding that and communicating in their language can make it much easier for information security to be perceived as a valued asset, as opposed to using Chicken Little statistics.
FAIR takes the risk professional out of the realm of the dealing with risk via the checklist; which only serves to produce meaningless measurements, into the world of quantitative, defendable results.
For those that are looking for a tool to create pretty executive summary charts with lots of colors, FAIR will sorely disappoint them. For those that are looking for a method to understand how to calculate qualitative risk to support a formal enterprise risk management program, they won't find a better guide than this book.
The book is an incredibly good reference that will force you to look again at how you view risk management. Jones writes in the preface that the book is not about checklists and formulas, but about critical thinking. The authors note that information security and operational risk has operated for far too long as an art, with not enough science. This is the gap that FAIR attempts to fill.
The authors write that risk decision making quality boils down to the quality of information decision makers are operating from, and the decision makers themselves. The book does a remarkable job of showing how a person can become a much better decision maker.
A subtle but important point the book makes early on is that many risk professionals confuse risk possibilities with risk probabilities. The FAIR method forces you to focus on probabilities and not to obsess with Ebola like possibilities. Such a quantitative analysis approach is what makes FAIR so beneficial.
The book spends a few chapters on going through FAIR risk ontology and terminology. Inconsistent and poorly defined terminology is one of the most significant challenges the information security and operational risk profession faces. Having a consistent set of logical terms and definitions that make up the FAIR framework significantly improves the quality of risk relations communications within an organization.
The value of having a consistent set of logical terms and definitions is significant. For example, the book notes that many people use the term threat. In the context of risk analysis, it might not be a real threat if there is no resulting loss. In that case, it would be considered a vulnerability event.
The challenge of FAIR is acclimating to its dialect. But once done, it creates an extremely powerful methodology for risk communication and management. And therein lays its power. Setting up a common framework for risk management becomes and invaluable tool to present risk ideas. In addition, it makes the findings much more objective and defendable.
In chapter 5, the authors address the biggest objections to quantitative risk management that it can't be measured or is simply unknowable. They agree that risk can't be measured at the micro level, but it can be effectively measured to the degree to reduce management's uncertainly about risk. They also importantly note that risk is a forward-looking statement about what may or come to pass in the future. With that, perfect accuracy is impossible; but effective quantitative risk management is very possible.
The power of FAIR is that is helps add clarity to ambiguous risk situations by giving you the tools to add data points to a situation that is purported to be unknowable.
Chapter 8 is an extremely enlightening chapter in that it provides 11 risk analysis examples. The examples do a great job of reinforcing the key FAIR concepts and methods.
In chapter 10, the authors write that the hardest part of learning FAIR is having to overcome bad habits. For most people, FAIR represents a recalibration of your mental model about what risk is and how it works. The chapter deals with common mistakes and stumbling blocks when performing a FAIR analysis. The 5 high-level categories of mistakes the chapter notes are: checking results, scoping, data, variable confusion and vulnerability analysis.
FAIR is a powerful methodology that can revolutionize risk management. The challenge is that it takes a village to make such a change. Management may be reticent to invest in what is perceived as yet another risk management framework.
But once you start using the language of FAIR and validate your findings, astute management will likely catch on. Over time, FAIR can indeed be a risk management game changer.
The book is flawless in its execution and description of the subject. The only critique is that in that the author's should have been a bit more transparent in the text when (especially in chapter 8) mentioning the FAIR software, in that it is their firm that makes the software.
For those that are willing to put in the time to understanding FAIR, this book it will make their jobs much easier. It will help them earn the trust of senior management, and make them much better risk management professionals in the process.
Reviewed by Ben Rothke.
You can purchase Measuring and Managing Information Risk: A FAIR Approach from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. If you'd like to see what books we have available from our review library please let us know
ISBN (Score:1)
Re: (Score:2)
Thanks. Will see if the editor can make the change.
Risk assessment (Score:2)
To me risk assessment, even though I know it's important, will always be something MBAs force on developers because they are jealous of people who might actually have fun doing their job.
Re: (Score:2)
My experience is business-type people see risk assessment as one of those duh things that doesn't need all this overhead. They then ask for inane, stupid shit, and parrot whatever they heard this week. Middle managers then just go by feel--what gives them the willies is unacceptable, and what they're comfortable about seems acceptable.
This is a sick and dysfunctional atmosphere; as an engineer, I find it appalling that you would build anything--software, business processes, machines--without a strong ri
Re: (Score:2)
If you're installing a TV transmitter, you have a device at 2000 feet that, if broken open and unshielded, produces enough energy to melt people's faces off at ground level 500 meters away from the tower base.
I call bullshit.
Re: (Score:2)
These transmitters are 500,000 watts. I did the math once and figured the transmitter 3 miles from my house would expose people to 2000W of microwave radiation on the ground for several blocks. This would ignite trees and houses, and melt people.
Helicopters aren't legally allowed near the tower.
Media Coverage of Risk (Score:5, Insightful)
"The current panic around Ebola shows how people are ill-informed about risk. While stressing over Ebola, the media is oblivious to true public health threats like obesity, heart disease, drunk driving, diabetes, and the like."
Nonsense.
The media are focusing on Ebola because it is a relatively *unknown* risk for most, which makes it novel, which makes it news. They have extensively covered all of the other risks, and the public are generally well informed of the risks - or as informed as they are individually capable of being informed without one-on-one tutoring or coaching.
Re: (Score:1)
Re: (Score:2)
I guess a better term would have been ‘uninterested’.
The fact that a few people have died to Ebola makes it a novelty.
The fact that 10,000+ people have been killed annually in DUI related offences has jaded the media.
News = News, who knews (Score:1)
Great point. Heart disease, diabetes, etc. are not "news". New risks are news by definition, and that's why they are covered in "the news".
If you want to read about diabetes, read "the olds" (AKA archives), not "the news". Thus, in the ebola case, "the news" are mostly doing their jobs. If you don't want to see "the news", but "the olds" instead, then don't fricken read/watch the news.
Maybe The Olds need catchier theme songs or voicings to make them more appealing. "Important things you already know about,
Re: (Score:2)
Nonsense.
I agree with OP's sentiment, but the examples given are not good examples. People actually know the risks of mundane things like obesity and heart disease, because they're around us every day. It is unusual things about which people are terrible at assessing risk.
For example: people in the U.S. and Europe have allowed the government to terrify them about terrorists (sort-of-pun intended), when in fact their risk of death from a fall in the bathtub is many times greater. They have allowed government and m
Re: (Score:2)
Bruce Schneier has a good essay on this topic - Virginia Tech Lesson: Rare Risks Breed Irrational Responses - https://www.schneier.com/essay... [schneier.com]
He sums it up with novelty + dread = overreaction.
Ebola fits that. From a public heath perspective for the US, Ebola is for the most part a non-issue.
Re: (Score:2)
WHO - 1.5 million died from heart disease in 2012 (Score:2)
makes you wonder who is trying to cover up what these days
And where is the MH370 plane?
KI
Re: (Score:2)
Re: (Score:2)
Yeah, but heart disease kills you slowly and totally expectedly.
People aren't going to panic over legitimate pragmatic threats to their health they can(but won't) do something about.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
heart disease isn't contagious. Also if you take care of yourself (or if you're young) heart disease has little to no risk for you. Also heart disease doesn't make you bleed out from every orifice in your body. Also heart disease doesn't trash every organ in your body, just the heart. Need I go on?
Re: (Score:2)
What is FAIR? (Score:2)
Re: (Score:2)
Sorry.... this web site provides a good overview: http://www.cxoware.com/what-is... [cxoware.com]
I think this is a contradiction (Score:4, Funny)
FAIR is invaluable in that it helps the risk professional understand the language that the corporate board and senior executives speak....For those that are looking for a tool to create pretty executive summary charts with lots of colors, FAIR will sorely disappoint them.
Strawman (Score:2)
No, it's not. Actually, no matter how much the media repeat warnings about these issues, PEOPLE (a part of them) is oblivious to these public health issues. I dare you to watch CNN or read MSN, HuffPo or any news aggregator a day without something being said about at least one of these issues, mostly (in US) obesity. We even had a mayor on NYC that went int
The solution doesn't address the problem (Score:1)
"Research from firms like Gartner are accepted without question; even though they can get their results from untrusted and unvetted sources."
"With myriad statistics, surveys, data breach reports, and global analyses of the costs of data breaches, there is an overabundance of data, and an under abundance of meaningful data."
Unchecked sources. Abundance of meaningless data. These are problems.
"The authors note that information security and operational risk has operated for far too long as an art, with not e