Freund / Jones | Measuring and Managing Information Risk | E-Book | sack.de

E-Book, English, 408 pages

Freund / Jones Measuring and Managing Information Risk

A FAIR Approach
1st edition, 2014
ISBN: 978-0-12-799932-6
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: 6 - ePub Watermark


Using the factor analysis of information risk (FAIR) methodology developed over ten years and adopted by corporations worldwide, Measuring and Managing Information Risk provides a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity. Intended for organizations that need to either build a risk management program from the ground up or strengthen an existing one, this book provides a unique and fresh perspective on how to do a basic quantitative risk analysis. Covering such key areas as risk theory, risk calculation, scenario modeling, and communicating risk within the organization, Measuring and Managing Information Risk helps managers make better business decisions by understanding their organizational risk.

- Uses factor analysis of information risk (FAIR) as a methodology for measuring and managing risk in any organization.
- Carefully balances theory with practical applicability and relevant stories of successful implementation.
- Includes examples from a wide variety of businesses and situations presented in an accessible writing style.

Dr. Jack Freund is a leading voice in cyber risk measurement and management. As VP, Head of Cyber Risk Methodology for BitSight, Jack has overall responsibility for the systemic development and application of frameworks, algorithms, and quantitative and qualitative methods to measure cyber risk. Previously, Jack was Director of Risk Science at quantitative risk management startup RiskLens and Director of Cyber Risk for TIAA. Jack holds a Ph.D. in Information Systems from Nova Southeastern University, a Master's in Telecommunication and Project Management, and a BS in CIS. Jack has been named a Senior Member of the IEEE and ACM, a Fellow of the IAPP and FAIR Institute, and a Distinguished Fellow of the ISSA. He is the 2020 recipient of the (ISC)2 Global Achievement Award, the 2018 recipient of ISACA's John W. Lainhart IV Common Body of Knowledge Award, and the FAIR Institute's 2018 FAIR Champion Award.



Further Information & Material


Table of contents (e-book page numbers in parentheses):

1 Front Cover (p. 1)
2 Measuring and Managing Information Risk (p. 4)
3 Copyright (p. 5)
4 Contents (p. 6)
5 Acknowledgments by Jack Jones (p. 10)
6 About the Authors (p. 12)
7 Preface by Jack Jones (p. 14)
  7.1 WHAT THIS BOOK IS NOT, AND WHAT IT IS (p. 14)
8 Preface by Jack Freund (p. 16)
9 Chapter 1 - Introduction (p. 20)
  9.1 HOW MUCH RISK? (p. 20)
  9.2 THE BALD TIRE (p. 21)
  9.3 ASSUMPTIONS (p. 21)
  9.4 TERMINOLOGY (p. 22)
  9.5 THE BALD TIRE METAPHOR (p. 24)
  9.6 RISK ANALYSIS VS RISK ASSESSMENT (p. 24)
  9.7 EVALUATING RISK ANALYSIS METHODS (p. 25)
  9.8 RISK ANALYSIS LIMITATIONS (p. 27)
  9.9 WARNING—LEARNING HOW TO THINK ABOUT RISK JUST MAY CHANGE YOUR PROFESSIONAL LIFE (p. 28)
  9.10 USING THIS BOOK (p. 29)
10 Chapter 2 - Basic Risk Concepts (p. 32)
  10.1 POSSIBILITY VERSUS PROBABILITY (p. 32)
  10.2 PREDICTION (p. 35)
  10.3 SUBJECTIVITY VERSUS OBJECTIVITY (p. 36)
  10.4 PRECISION VERSUS ACCURACY (p. 42)
11 Chapter 3 - The FAIR Risk Ontology (p. 44)
  11.1 DECOMPOSING RISK (p. 46)
  11.2 LOSS EVENT FREQUENCY (p. 47)
  11.3 THREAT EVENT FREQUENCY (p. 48)
  11.4 CONTACT FREQUENCY (p. 49)
  11.5 PROBABILITY OF ACTION (p. 50)
  11.6 VULNERABILITY (p. 51)
  11.7 THREAT CAPABILITY (p. 52)
  11.8 DIFFICULTY (p. 53)
  11.9 LOSS MAGNITUDE (p. 54)
  11.10 PRIMARY LOSS MAGNITUDE (p. 56)
  11.11 SECONDARY RISK (p. 57)
  11.12 SECONDARY LOSS EVENT FREQUENCY (p. 58)
  11.13 SECONDARY LOSS MAGNITUDE (p. 59)
  11.14 ONTOLOGICAL FLEXIBILITY (p. 59)
12 Chapter 4 - FAIR Terminology (p. 62)
  12.1 RISK TERMINOLOGY (p. 62)
  12.2 THREAT (p. 64)
  12.3 THREAT COMMUNITY (p. 67)
  12.4 THREAT PROFILING (p. 69)
  12.5 VULNERABILITY EVENT (p. 81)
  12.6 PRIMARY AND SECONDARY STAKEHOLDERS (p. 81)
  12.7 LOSS FLOW (p. 82)
  12.8 FORMS OF LOSS (p. 84)
13 Chapter 5 - Measurement (p. 94)
  13.1 MEASUREMENT AS REDUCTION IN UNCERTAINTY (p. 94)
  13.2 MEASUREMENT AS EXPRESSIONS OF UNCERTAINTY (p. 96)
  13.3 BUT WE DON’T HAVE ENOUGH DATA…AND NEITHER DOES ANYONE ELSE (p. 99)
  13.4 CALIBRATION (p. 103)
  13.5 EQUIVALENT BET TEST (p. 104)
14 Chapter 6 - Analysis Process (p. 110)
  14.1 THE TOOLS NECESSARY TO APPLY THE FAIR RISK MODEL (p. 110)
  14.2 HOW TO APPLY THE FAIR RISK MODEL (p. 111)
  14.3 PROCESS FLOW (p. 112)
  14.4 SCENARIO BUILDING (p. 112)
  14.5 THE ANALYSIS SCOPE (p. 115)
  14.6 EXPERT ESTIMATION AND PERT (p. 118)
  14.7 MONTE CARLO ENGINE (p. 120)
  14.8 LEVELS OF ABSTRACTION (p. 122)
15 Chapter 7 - Interpreting Results (p. 124)
  15.1 WHAT DO THESE NUMBERS MEAN? (HOW TO INTERPRET FAIR RESULTS) (p. 124)
  15.2 UNDERSTANDING THE RESULTS TABLE (p. 126)
  15.3 VULNERABILITY (p. 128)
  15.4 PERCENTILES (p. 128)
  15.5 UNDERSTANDING THE HISTOGRAM (p. 129)
  15.6 UNDERSTANDING THE SCATTER PLOT (p. 129)
  15.7 QUALITATIVE SCALES (p. 130)
  15.8 HEATMAPS (p. 132)
  15.9 SPLITTING HEATMAPS (p. 134)
  15.10 SPLITTING BY ORGANIZATION (p. 135)
  15.11 SPLITTING BY LOSS TYPE (p. 136)
  15.12 SPECIAL RISK CONDITIONS (p. 137)
  15.13 UNSTABLE CONDITIONS (p. 138)
  15.14 FRAGILE CONDITIONS (p. 138)
  15.15 TROUBLESHOOTING RESULTS (p. 139)
16 Chapter 8 - Risk Analysis Examples (p. 142)
  16.1 OVERVIEW (p. 142)
  16.2 INAPPROPRIATE ACCESS PRIVILEGES (p. 142)
  16.3 PRIVILEGED INSIDER/SNOOPING/CONFIDENTIALITY (p. 147)
  16.4 PRIVILEGED INSIDER/MALICIOUS/CONFIDENTIALITY (p. 149)
  16.5 CYBER CRIMINAL/MALICIOUS/CONFIDENTIALITY (p. 161)
  16.6 UNENCRYPTED INTERNAL NETWORK TRAFFIC (p. 169)
  16.7 PRIVILEGED INSIDER/CONFIDENTIALITY (p. 172)
  16.8 NONPRIVILEGED INSIDER/MALICIOUS (p. 183)
  16.9 CYBER CRIMINAL/MALICIOUS (p. 190)
  16.10 WEBSITE DENIAL OF SERVICE (p. 194)
  16.11 ANALYSIS (p. 196)
  16.12 BASIC ATTACKER/AVAILABILITY (p. 205)
17 Chapter 9 - Thinking about Risk Scenarios Using FAIR (p. 212)
  17.1 THE BOYFRIEND (p. 213)
  17.2 SECURITY VULNERABILITIES (p. 214)
  17.3 WEB APPLICATION RISK (p. 217)
  17.4 CONTRACTORS (p. 219)
  17.5 PRODUCTION DATA IN TEST ENVIRONMENTS (p. 221)
  17.6 PASSWORD SECURITY (p. 222)
  17.7 BASIC RISK ANALYSIS (p. 224)
  17.8 PROJECT PRIORITIZATION (p. 233)
  17.9 SMART COMPLIANCE (p. 244)
  17.10 Going into business (p. 246)
  17.11 CHAPTER SUMMARY (p. 249)
18 Chapter 10 - Common Mistakes (p. 250)
  18.1 MISTAKE CATEGORIES (p. 250)
  18.2 CHECKING RESULTS (p. 250)
  18.3 SCOPING (p. 251)
  18.4 DATA (p. 254)
  18.5 VARIABLE CONFUSION (p. 254)
  18.6 MISTAKING TEF FOR LEF (p. 255)
  18.7 MISTAKING RESPONSE LOSS FOR PRODUCTIVITY LOSS (p. 255)
  18.8 CONFUSING SECONDARY LOSS WITH PRIMARY LOSS (p. 256)
  18.9 CONFUSING REPUTATION DAMAGE WITH COMPETITIVE ADVANTAGE LOSS (p. 256)
  18.10 VULNERABILITY ANALYSIS (p. 257)
19 Chapter 11 - Controls (p. 260)
  19.1 OVERVIEW (p. 260)
  19.2 HIGH-LEVEL CONTROL CATEGORIES (p. 260)
  19.3 ASSET-LEVEL CONTROLS (p. 264)
  19.4 VARIANCE CONTROLS (p. 272)
  19.5 DECISION-MAKING CONTROLS (p. 281)
  19.6 CONTROL WRAP UP (p. 291)
20 Chapter 12 - Risk Management (p. 292)
  20.1 COMMON QUESTIONS (p. 293)
  20.2 WHAT WE MEAN BY “RISK MANAGEMENT” (p. 294)
  20.3 DECISIONS, DECISIONS (p. 298)
  20.4 SOLUTION SELECTION (p. 305)
  20.5 A SYSTEMS VIEW OF RISK MANAGEMENT (p. 306)
21 Chapter 13 - Information Security Metrics (p. 312)
  21.1 CURRENT STATE OF AFFAIRS (p. 312)
  21.2 METRIC VALUE PROPOSITION (p. 313)
  21.3 BEGINNING WITH THE END IN MIND (p. 314)
  21.4 MISSED OPPORTUNITIES (p. 338)
22 Chapter 14 - Implementing Risk Management (p. 354)
  22.1 OVERVIEW (p. 354)
  22.2 A FAIR-BASED RISK MANAGEMENT MATURITY MODEL (p. 355)
  22.3 GOVERNANCE, RISKS, AND COMPLIANCE (p. 369)
  22.4 RISK FRAMEWORKS (p. 375)
  22.5 ROOT CAUSE ANALYSIS (p. 384)
  22.6 THIRD-PARTY RISK (p. 392)
  22.7 ETHICS (p. 393)
  22.8 IN CLOSING (p. 394)
23 Index (p. 396)
  23.1 A (p. 396)
  23.2 B (p. 396)
  23.3 C (p. 397)
  23.4 D (p. 398)
  23.5 E (p. 398)
  23.6 F (p. 399)
  23.7 G (p. 399)
  23.8 H (p. 400)
  23.9 I (p. 400)
  23.10 J (p. 400)
  23.11 K (p. 400)
  23.12 L (p. 400)
  23.13 M (p. 401)
  23.14 N (p. 402)
  23.15 O (p. 403)
  23.16 P (p. 403)
  23.17 Q (p. 404)
  23.18 R (p. 404)
  23.19 S (p. 407)
  23.20 T (p. 408)
  23.21 U (p. 409)
  23.22 V (p. 409)
  23.23 W (p. 410)
  23.24 Z (p. 410)


Preface by Jack Freund
While writing this book, Jack Jones and I had a conversation about some of the difficulties faced by those in this profession, and especially those who are interested in bringing quantitative methods into common practice. During this discussion I did what I always do when I’m full of myself and waxing eloquent: I use the Socratic method to help summarize and build analogies to help illustrate key points. I have one friend who called me “The Great Distiller” (with tongue firmly planted in cheek). Jack liked the point I made, and suggested that I write about it here to help frame the book and the work being done on FAIR. Essentially, the point I made went something like this.

What is one of the first things that a new leader in IT risk and security needs to do? Well, there are a lot of tasks to be sure: building relationships, hiring staff, diagnosing problem areas, and building out new and/or enhanced processes. This list could be written about most leadership jobs in any profession. However, one task that will show up on that list is something like “identify risk assessment methodology.” How unique that is to our profession! Think about that for a minute: you could have a fully implemented risk function that is rating issues and risk scenarios every day. Yet, when a new leader joins your organization, they may wipe all of that away because they disagree with the method being used. And this may be for reasons as simple as it’s unfamiliar to them, they prefer another method more, or a little from column A and a little from column B.

I was discussing this with someone who runs a chemistry lab. She has a PhD in organic chemistry, runs a peptide laboratory, and modestly refers to herself simply as “a chemist.” I asked her if this is a routine practice in chemistry. “Does one of the early tasks of a new lab manager involve choosing the method of chemical interaction they are going to use? Do they define their own approach and methodology for handling volatile chemicals?” “Certainly not,” she replied. Once the type of chemistry they are going to be doing (organic, inorganic, nuclear, etc.) is determined, they will need to supply the lab with the materials necessary to do their job. She said there are five basic chemicals she uses in her peptide lab and once those are selected, it is a matter of outfitting the lab with the correct safety devices and handling precautions (fume hoods, storage containers, etc.). “Do any of these tasks involve explaining to your staff your view on how these chemicals interact? Do you have to have conversations to get their minds right on how to do chemistry?” I asked. She told me this is not the case (although we had a good chuckle over those that still insist on pipetting by mouth). There are well-known principles that govern how these chemicals work and interact. In areas where there is dispute or cutting-edge work, those involved in its practice use the scientific method to gain a better understanding of what “truth” looks like and present their work for peer review.

We may never get to the equivalent of a periodic table of risk, but we need to try. We need to set stakes in the ground on what truth looks like, and begin to use the scientific method to engage each other on those areas where we disagree. I genuinely want to get better at the practice of IT risk, and I know that Jack Jones does too. It is for this reason that FAIR has been publicly reviewed and vetted for several years now and why Jack Jones placed the basic FAIR taxonomy discussed in chapter 3 in the hands of a neutral standards body (The Open Group). By all means, let us have an open dialogue about what works and what does not. But let us also use impartial, unbiased evidence to make these decisions.

I wrote this book to accomplish several things. First, it is a great honor to be able to author a book with one’s mentor. It is an even bigger honor to help your mentor write a book about their life’s work. That really is significant to me, but it is also a weighty responsibility. I learned FAIR from Jack early on in the part of my career where I was beginning to do Governance, Risk, and Compliance (GRC) work in earnest. By that time, I had been studying, training in, and writing about various methods of risk assessment and it was becoming clear to me that what passed for a method was more process than calculation. Indeed, if you compare most major risk assessment methods, they all bear a striking resemblance: you should consider your assets, threats to them, vulnerabilities, and the strength of the controls. Somehow (although rarely ever explicitly identified), you should relate them to one another. The end result is some risk rankings and there you go. Except that is the problem: no one tells you how to do this exactly, and oftentimes you are encouraged to make up your own solution, as if we all know the right way to go about doing that.

What I learned from Jack was simple and straightforward. The relationship between the variables was well reasoned and well designed. It was easy to understand and explain. It also included some sophisticated math, yet was still easy for me to use (I always scored higher on verbal than math sections on any standardized test). I have often been accused of knowing only a single method for assessing risk (a statement that is wildly inaccurate). I know many methods for assessing risk, yet only one that seeks to calculate and analyze risk in a defensible way. Knowing how to do that gives you a sense of composure, and perhaps even some bravado. You do not shy away from difficult or hard problems because you have learned how to model these scenarios even when you do not have the best data available. This can be off-putting to some people. But you will come back to the FAIR taxonomy and calculation method over and over again. It is like learning the quadratic formula after years of solving quadratic equations using factoring. Why go back to something that is harder to do and takes longer to complete? I will tease Jack often by saying that he has “ruined me” for other types of risk analysis methods. He takes my good-natured ribbing well. What I mean is that he has shown me the right way to do it, and it is difficult for me to go back to other approaches since their flaws have been laid bare before me. So to that end, yes, I only know one (good) method for practicing risk and I have been thoroughly ruined for all the other (not as good) methods for doing risk assessments. And for that I thank you, Jack Jones.

The second major reason I decided to write this book is because I believe we are on the precipice of something really amazing in our profession. IT risk is really starting to become its own distinct function that is slowly separating from Information Security proper while simultaneously becoming more intertwined with it. In my role as an educator, I often have discussions with students who are looking to break into the risk and security profession. I often tell them that these jobs are really IT specialties and what they really need is to gain some experience in a reference discipline; they need a strong foundation in networking or application development as an example. Only after a few years of work in these roles will they be able to provide useful security work to a future employer. This used to be the way that people entered the security function. Often it was only after many years of work administering servers or working on network routing tables that you were given the chance to be a security practitioner full time. The industry is changing now, and more and more I find that there are paths into risk and security that do not involve even a moderate level of knowledge of something else first. This is not necessarily bad; however, it has some implications.

Since we can no longer depend on someone having a solid skillset to draw upon, they may not know a lot about the environments they are now charged with assessing. Second, if they were trained with specific security knowledge that often means that they missed some of the foundational elements that are a part of a core liberal arts education (critical thinking and scientific method as an example). It is also important to learn how to be more autodidactic (a word I learned while being an autodidact). This book is written in part to help fill out the knowledge gap that a lot of people have when faced with a job that is primarily risk-based. I often draw a diagram for people, which I think adequately reflects the real nature of the skills necessary for working in this job (Figure P.1):

[Figure P.1: IT risk job skills]

By and large, most of the job is talking to people. You have to learn how to perform technical interviews of IT people and business process reviews with business people. You have to learn how to talk with the person running backups on mainframes, as well as to be able to present risk information to the board of directors. Do not forget the importance of being able to write: risk communication also includes the ability to write e-mails and reports. Essentially, you have to develop a skillset that includes general soft skills and some specialized techniques. This book will aid with some of this. Good risk practitioners also have technical knowledge. Most of this is not covered here. Like my (aging) advice to college kids, find some way to gain that knowledge either by education or practice. This is probably the easiest of the three to get better at, given the proliferation of free and near-free training available today. Lastly are the risk skills...
