Measuring and Managing Information Risk: A FAIR Approach Paperback – 22 Aug. 2014

Great way to break down InfoSec Risks into tangible impacts and provide credible articulations of risk. A much needed move away from pure prescriptive best practice controls (implicit risk management) to focused controls to assets that matter most. (Explicit risk management).

If you are looking for a new way of efficiently articulating risk to your senior execs, I would highly recommend adding this to your reading list.

OK so I haven’t finished this book yet but am a good half way through. I can’t say so far that I have learnt a single way to change my approach, but I have picked up a number of good tips and different ways of thinking about risk. Perhaps that is the foundation I need though to change my approach? Or perhaps my current approach is satisfactory? Either way, I’ll take a view when I have finished it.One thing I will say though about this book that I find annoying is the overuse of a small handful of words. Ontology for example is one, but there are a few others. It’s like the author had a quota to reach using each of these words so many times. Ontology is even used twice in the same short sentence in what I have read so far. It has reached the stage where it has become annoying and distracting as I sit here thinking surely a different word (obviously with the same meaning) could’ve been used in many places, and then find my mind drifting and realising I didn’t take in what I just read. The author is obviously smart so has no need in my opinion of using fancy words in such frequency when an everyday commonly spoken word will suffice.I’ll try to update this review once I have finished the entire book, and providing I have not gone mad playing spot the ontology.

Excellent, should be compulsory reading for all those charlatans claiming to do risk management. ;-)

The Factor analysis is of great value. However the LEAP from factor Min, Most Likely, Max to the output of Monte Carlo needs alot more Explanation. Simply stating a figure "looks about right" does not really help understanding as the figures from the App do not make sense in any literal/vertical way, requiring an understanding of formula and maths used in the App.The content explain the factors for each sample scenario very well. Shame the APP / Magic derails confidence IMO.I would stick to the Most Likely values and the let the client move the range to suit there internal needs.The content will be very useful as a checklist when establishing Factors for likleihood and impact for scenarios