Measuring and Managing Information Risk: A FAIR Approach

Great way to break down InfoSec Risks into tangible impacts and provide credible articulations of risk. A much needed move away from pure prescriptive best practice controls (implicit risk management) to focused controls to assets that matter most. (Explicit risk management).

If you are looking for a new way of efficiently articulating risk to your senior execs, I would highly recommend adding this to your reading list.

OK so I haven’t finished this book yet but am a good half way through. I can’t say so far that I have learnt a single way to change my approach, but I have picked up a number of good tips and different ways of thinking about risk. Perhaps that is the foundation I need though to change my approach? Or perhaps my current approach is satisfactory? Either way, I’ll take a view when I have finished it. One thing I will say though about this book that I find annoying is the overuse of a small handful of words. Ontology for example is one, but there are a few others. It’s like the author had a quota to reach using each of these words so many times. Ontology is even used twice in the same short sentence in what I have read so far. It has reached the stage where it has become annoying and distracting as I sit here thinking surely a different word (obviously with the same meaning) could’ve been used in many places, and then find my mind drifting and realising I didn’t take in what I just read. The author is obviously smart so has no need in my opinion of using fancy words in such frequency when an everyday commonly spoken word will suffice. I’ll try to update this review once I have finished the entire book, and providing I have not gone mad playing spot the ontology.

Excellent, should be compulsory reading for all those charlatans claiming to do risk management. ;-)

Superb book. I bought it after seeing Jack speak in Sydney. His talk immediately "clicked" in my mind, connecting a lot of dots, that in retrospect were obvious.

In a world where seemingly everything is oversold, this is the rare exception that is undersold. The title succinctly states, without drama, the authors’ broad ambit. They over-deliver. The book is nothing less than a manifesto for quantitative management of information security risk. Consider how radical it is to promise a truly quantitative approach to cyber risk management in a world dominated by numerous qualitative “frameworks,” red-yellow-green heat maps, thousand-item one-size-fits-all questionnaires, subjective and qualitative scales of likelihood and impact, and fake math like “red times green equals yellow”. And then consider how transformational it is to deliver on the promise. Other reviewers have nicely discussed the book’s coverage of the FAIR taxonomy. Suffice it to say that MMIR is your best friend in understanding the Open Group FAIR standards. Freund and Jones bring a potentially dry subject alive with many “Talking About Risk” sidebars that tell of their experience with FAIR methods in practice. These war stories make the content accessible and relevant. I especially appreciate the authors’ informal style that is conversational without being verbose and humorous without being patronizing or cute. What the war stories leave out chapter 8 fills in with numerous example analyses. A worked example is better than a thousand war stories. If giving a thorough rationale for and introduction to FAIR were all that MMIR did, it would be worth its weight in gold. But wait! There’s more! It’s the “managing” part, chapters 11-14, that constitutes another breakthrough beyond FAIR. There Freund and Jones begin laying out (one senses it is a work in progress) a risk management ontology, built on the FAIR risk measurement ontology. In rethinking the classification of controls in the context of threat event frequency, vulnerability, and loss mitigation, they provide ways to assess and – yikes! – quantify the potential value of control improvements, in isolation or in combination. This gives the CISO the beginning of a way to manage the control environment, not just the threats. But controls not consistently adhered to are both false comfort and all too common. Therefore F&J suggest that variance in the application of controls is perhaps the single most important set of infosec management metrics. As the old saw goes, if you cannot measure it you cannot manage it, and if you do not know how well your controls are operating on a continuing basis, then what confidence can you have in the millions of dollars invested in technology and staff? Which brings us to metrics. It is perhaps not surprising that a methodology based on quantitative analysis lends itself to meaningful metrics. F&J offer many concrete suggestions far superior to the grab-bag of metrics found in vendor dashboards (measure what’s cheap and looks cool) and other books. These are real metrics that the CISO can use to … manage risk. And managing risk is really why we do all this stuff. Making good decisions on both operational and strategic levels requires good data derived from reliable instruments and methods. It is in managing risk that MMIR is truly seminal and profound. If they do another edition Freund and Jones should consider adding a subtitle, “The CISO’s Bible,” because CISOs will find themselves coming back to it time and again. Or maybe that is the next book.

Reading the book is a start, but it is not really helpful. Yes, certain information are supplemented to the free material that can be found on the internet. Here are my main points, why the book is just partially useful: 1. Ok, it is a good point that it is not a book supposed to teach Monte-Carlo-simulations. I get this part. There are good study materials that do the job. But, and this is the big but, there is no explanation or any kind of useful information on how the variables interact from a mathematical viewpoint. Knowing this would allow to program it yourself, for example with python or r. Of course, understanding the math behind Monte-Carlo-simulations and how they work, it is possible to come with a solution (your solution). But that is my point, you must came up with the (your) solution, it is no shown or descripted in the book. Therefore you cannot be sure whether you “solution” on how you have interpreted the FAIR model is somewhat right or not. 2. The book is just to “hook” you up. In order to go further you need the FAIR training. Many information bits are missing in the book, preventing you to actually using it. I know that because of my “aha” moments during “a product” presentation by a certain company, offering there FAIR “Tool”. During the presentation, certain aspects on how to use FAIR become clearer. Reading the book is not helpful to actually use FAIR in a useful manner. In order to do that (well guess what, yes that’s right!) you need the offered training, provided (guess again) by the same company, that is behind FAIR (yes a company, check out who is behind the training and FAIR, too!). The book is therefore only partially useful, more to hook you up, even if you do understand Monte-Carlo-simulations, so do not expect too much from the book.

The. FAIR methodology is an important part of the toolkit for Risk Management practitioners. This book does a superb job of introducing FAIR as a quantitative assessment methodology. Among other things, it deals with the practical reality of doing risk assessments in a large organization and communicating results to executives.

A great book! I bought this after hearing Jack Jones speak at a conference in October, and it has changed the way I look at risk, for our own company and those we help