Monday 22 September 2014

Book Review: Measuring and Managing Information Risk

I first came across Factor Analysis of Information Risk (FAIR) in around 2007 when I was looking into various risk analysis methods, but I couldn't find much about it beyond a white paper and a high-level Cisco presentation.

Then in 2010, my MSc thesis investigated how to quantify information security investment decisions, and this led me closer and closer towards FAIR and the approaches it uses, such as quantified estimates, calibration of subject matter experts and Monte Carlo simulation.

At the time I had a great chat with Jack Jones (one of the authors of this book and original creator of FAIR) and even attended the FAIR Basic Analyst training course delivered by CXOWARE.

However, most people aren't this lucky, and while FAIR has been adopted by The Open Group and even has a certification in place with the OpenFAIR program, there hasn't been great self-study material for the exam. So when I heard this book was going to be published, I was really excited.

The book starts off by first explaining what FAIR is, walks through the FAIR model and explains each variable within the model. The authors highlight some of the changes to the model since the original white paper on FAIR and cover why the changes have taken place.

It then moves on to provide a number of different worked scenarios using the FAIR approach, covering discussions on assets, threat communities, threat profiles, scenario building and the actual analysis. This is the first time I've seen someone other than myself really walk through some FAIR analysis examples, and these are great to see if you've never touched FAIR before.

The book then shifts tack a little and looks at how controls are viewed from the authors' perspective, covering asset-level controls, variance controls and decision-making controls. The sections on variance and decision controls will definitely require a second read before I fully get to grips with the nuances of what the authors were highlighting. However, these chapters bring a depth of discussion on controls that I've never seen elsewhere, and something that I think would feed very well into ISACA or other similar groups with a strong control focus.

The book then goes on to cover risk management briefly, and then moves to risk metrics, using the Goal, Question, Metric approach. What I particularly liked about the metrics section is that the authors didn't simply list a long set of metrics, but approached it more like a worked example of how to define them. First they look at the goals of risk management, then break these down into sub-goals in order to find the questions that match those sub-goals, and finally identify the metrics you may wish to gather. This chapter also introduces probably the best description I've seen of the difference between risk appetite and risk tolerance: risk appetite is compared to the speed limit on a motorway, and risk tolerance to the variance around that limit that the police would accept.

What's fantastic is that throughout the book there's a real sense of practical, real-world application of this risk analysis approach. There are practical examples of analysis scenarios and even an entire chapter outlining where you can go wrong. This is something I've often seen lacking in other books on information or IT risk analysis, which are often full of theoretical approaches but lack any relevant examples and definitely don't outline where you'll have problems. This gives the book a practical credibility that I believe will find favour with info sec professionals who would normally shy away from risk management books.

I would say that the book definitely assumes some prior knowledge of approaches such as Monte Carlo simulation and why you might use it, but if you haven't come across these before, then I'd highly recommend The Failure of Risk Management by Doug Hubbard to get you up to speed.
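For readers who haven't met the combination of calibrated range estimates and Monte Carlo simulation that the review mentions, here is a small added example of the idea (my own illustration, not code from the book or from any FAIR tooling). It uses only FAIR's top-level decomposition of risk into loss event frequency and loss magnitude: each is given as a calibrated (minimum, most likely, maximum) estimate, sampled from a PERT-style beta distribution, and the annual loss is built up by drawing a number of loss events from a Poisson process and summing a magnitude for each. The estimate values and the tolerance threshold are constructed for the example and carry no real-world meaning; the `exceedance_probability` helper is the kind of check you would run against a stated risk tolerance like the one the review describes.

```python
import math
import random


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a modified PERT distribution over [low, high]
    with the given most-likely value. lam=4 gives the classic PERT shape
    whose mean is (low + 4*mode + high) / 6."""
    if high <= low:
        return low
    span = high - low
    alpha = 1.0 + lam * (mode - low) / span
    beta = 1.0 + lam * (high - mode) / span
    return low + rng.betavariate(alpha, beta) * span


def poisson_sample(rng, lam):
    """Draw an event count from Poisson(lam) using Knuth's method.
    Adequate for the modest annual event rates used in this example."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(lef, lm, iterations=10000, seed=42):
    """Return a sorted list of simulated annual losses.

    lef: (min, most likely, max) loss events per year
    lm:  (min, most likely, max) loss per event, in currency units
    Each iteration samples a yearly event rate, draws how many events
    actually occur, and sums an independently sampled magnitude per event.
    """
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        rate = pert_sample(rng, *lef)
        events = poisson_sample(rng, rate)
        annual.append(sum(pert_sample(rng, *lm) for _ in range(events)))
    annual.sort()
    return annual


def summarize(annual):
    """Percentile summary of a sorted list of simulated annual losses."""
    n = len(annual)
    return {
        "mean": sum(annual) / n,
        "median": annual[n // 2],
        "p90": annual[int(0.9 * n)],
        "max": annual[-1],
        "p_any_loss": sum(1 for x in annual if x > 0) / n,
    }


def exceedance_probability(annual, threshold):
    """Fraction of simulated years whose total loss exceeds threshold,
    i.e. how often the scenario would breach a stated risk tolerance."""
    return sum(1 for x in annual if x > threshold) / len(annual)


# Constructed, hypothetical calibrated estimates for one scenario.
EXAMPLE_LEF = (0.1, 0.5, 2.0)            # loss events per year
EXAMPLE_LM = (10_000, 50_000, 500_000)   # loss per event
EXAMPLE_TOLERANCE = 250_000              # hypothetical annual loss tolerance

if __name__ == "__main__":
    losses = simulate_annual_loss(EXAMPLE_LEF, EXAMPLE_LM)
    for key, value in summarize(losses).items():
        print(f"{key:>11}: {value:,.2f}")
    p = exceedance_probability(losses, EXAMPLE_TOLERANCE)
    print(f"P(annual loss > {EXAMPLE_TOLERANCE:,}) = {p:.3f}")
```

The point of the exercise is not the numbers themselves but the shape of the output: rather than a single "medium" rating you get a distribution, so you can read off the expected annual loss, the tail, and the probability of breaching whatever tolerance the business has set. The analysis is only as good as the calibrated ranges fed into it, which is exactly why the book and Hubbard spend so much time on estimation and calibration.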

Overall, this is the book I was looking for on information risk analysis four years ago… and I'm thrilled to see it's finally arrived. Even if you never plan to use FAIR as your risk analysis methodology, there's enough in this book that it will help anyone's critical thinking in relation to information security and I can't recommend it highly enough. Everyone in info sec should read it!


Links:
Elsevier http://store.elsevier.com/product.jsp?isbn=9780124202313
Amazon http://www.amazon.com/Measuring-Managing-Information-Risk-Approach/dp/0124202314/