Measuring and Managing Information Risk : A FAIR Approach / Jack Jones, Jack Freund.

Available online: Elsevier ScienceDirect eBook - Social Sciences 2025
Format:
Book
Author/Creator:
Jones, Jack (Risk management executive), author.
Freund, Jack, author.
Language:
English
Subjects (All):
Data protection.
Information technology--Management.
Information technology.
Risk management.
Computer security.
Physical Description:
1 online resource (469 pages) : illustrations
Edition:
Second edition.
Other Title:
FAIR approach
Place of Publication:
London : Butterworth Heinemann, 2026.
Summary:
Measuring and Managing Information Risk: A FAIR Approach, Second Edition provides a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity using the Factor Analysis of Information Risk (FAIR) methodology developed over ten years and adopted by corporations worldwide. This new edition covers such key areas as risk theory, risk calculation, scenario modeling, and communicating risk within the organization, and also includes new chapters and essays from industry professionals. It provides a step-by-step guide to help managers make better business decisions by understanding their organizational risk. The field has advanced significantly in the past 10 years, and this all-new edition reiterates the importance of the foundations of risk measurement but adds information about modern methods to integrate quantitative risk assessment methods into your security programs. This includes the integration of security telemetry data, outside data sources, approaches to automating FAIR assessments, and how to align methods and programs to security standards and regulations. Further discussed is how such approaches are being used by third-party agencies to provide CRQ data to investors, underwriters, and regulators. This book is a valuable resource for all those who need the foundations, methods, and techniques for measuring, assessing, and communicating cyber risk to enable an organization to build an organizational IT risk management program. It serves as both a practical how-to guide for those new to the industry and a formalized guide for implementation for tenured professionals.
Contents:
Front Cover
Measuring and Managing Information Risk
Measuring and Managing Information Risk: A FAIR Approach
Copyright
Contents
1 - Introduction
The "why?"
How much risk?
The bald tire
Assumptions
Terminology
The bald tire metaphor
Risk analysis versus risk assessment
Evaluating risk analysis methods
Risk analysis limitations
Warning: learning how to think about risk just may change your professional life
Using this book
2 - Basic risk concepts and misperceptions
Precision versus accuracy
Possibility versus probability
Subjectivity versus objectivity
Two ends of a continuum
How objectivity and subjectivity really work
Measurement quality
Repeatability
Measurement validity
Making up numbers
Prediction
3 - The FAIR risk model
Decomposing risk
Loss event frequency
Threat event frequency
Contact frequency
Thinking about controls
Probability of action
Susceptibility (formerly vulnerability)
Threat capability
Resistance Strength (difficulty)
Loss magnitude
Stakeholders and perspective
Loss factors versus loss forms
Primary loss magnitude
Secondary risk
Secondary loss event frequency
Secondary loss magnitude
Model flexibility
4 - FAIR terminology
Risk terminology
Asset
Threat
Threat community
Threat profiling
Threat agent library
Examples of a standard set of threat profiles
Threat event
Loss event
Susceptibility event
Primary and secondary stakeholders
Loss flow
Forms of loss
Productivity
Response
Replacement
Competitive advantage
Fines and judgments
Reputation
Mission-oriented organizations
5 - Measurement
Measurement as a reduction in uncertainty
Measurement as expressions of uncertainty
But we DON'T have enough data … and neither does anyone else
Calibration
Equivalent bet test
Anchoring
I have no idea
Estimating groups of things
Confidence does not equal accuracy
6 - Analysis process
The tools necessary to apply the FAIR risk model
How to apply the FAIR risk model
Process flow
Scenario building
Assets
Threat communities
Threat type
Adverse outcome
The analysis scope
FAIR factors
Expert estimation and Program Evaluation and Review Technique (PERT)
Talking about risk
Monte Carlo engine
Levels of abstraction
Loss Event Frequency (LEF) level
Susceptibility
TEF level
Deeper levels
7 - Interpreting results
What do these numbers mean? (How to interpret FAIR results)
Understanding the results
Percentiles
Qualitative scales
Heatmaps
Splitting heatmaps
Splitting by organization
Splitting by loss type
Troubleshooting results
8 - Risk analysis examples
Overview
Inappropriate access privileges
Purpose
Context
Asset(s) at risk
Threat type(s)
Threat effect(s) (a.k.a., adverse outcomes)
Scope
Analysis
Privileged insider/snooping/confidentiality
Privileged insider/malicious/confidentiality
Secondary loss
Fines & judgments
Reputation
Cybercriminal/malicious/confidentiality
Analysis wrap up
Ransomware
Primary loss magnitude
Response costs
Replacement costs
Productivity loss
Secondary loss event frequency
Secondary loss magnitude
Fines and judgments
Reputation damage
Wrapping up
9 - Common mistakes
Mistake categories
Checking results
Scoping
Analysis depth
Analysis breadth
Misalignment with purpose
Shifting scope in midanalysis
Data
Variable confusion
Mistaking contact frequency for TEF
Mistaking TEF for LEF
Mistaking response loss for productivity loss
Confusing secondary loss with primary loss
Confusing reputation damage with competitive advantage loss
Susceptibility analysis
Striving for perfect data
10 - Controls
Note
Factor Analysis of Information Risk Controls Analytics Model use cases
Treating causes, not symptoms
Meaningful and actionable control metrics
Bridging two communities
Evolving regulations
Evolving security solutions
Laying a basic foundation
A new bicycle
Defining value
How controls affect risk
Control performance
Key takeaways
Managing operational performance
When there's more than one control
A brief review of decision-making
Wrapping up the bicycle scenario
Anatomy versus physiology
Controls
Control function(s)
Functional domains
Intended efficacy
Variance
Intrinsic variance
Extrinsic variance
Variance frequency
Variance duration
Reliability
Coverage
Variant efficacy
Operational efficacy
Loss event control functions
Variance management control functions
Decision support control functions
Context matters, a lot
Relationships and dependencies
Units of measurement
Laying a foundation for operational efficacy
Binary versus nonbinary controls
Individual controls versus a population of controls
Understanding how operational efficacy works
Variance frequency, variance duration, and threat event frequency
Deriving operational efficacy
Loss event prevention
Avoidance controls
Deterrence controls
Resistive controls
Loss event detection
Visibility controls
Monitoring controls
Recognition controls
Loss event response
Containment
Resilience
Loss minimization
Adding coverage to the equation
Aggregating layered controls
The role of variance management and decision support
Access management problems
Factor Analysis of Information Risk Controls Analytics Model versus commonly used control frameworks
11 - Standards and regulatory alignment
Mapping FAIR to security, risk, and control standards
ISO 27000 series
NIST CSF
Regulatory alignment
SEC Cyber Disclosure Rule
Damage assessment use case
Risk analysis use case
Leveraging framework assessment results in FAIR
Using NIST-CSF control assessment ratings in risk analysis
Subcategory descriptions
Subcategory assignments
Ordinal scales
Lack of a defined rating scale
12 - Organizational risk decision-making
Common questions
What we mean by "risk management"
… Cost-effectively…
… Achieving and maintaining …
… An acceptable level of loss exposure …
The risk management stack
Decisions, decisions
Decision categories
Expectation setting
Risk appetite setting
Most organizations
Quantitative risk appetite(s)
Policies
Initiatives
Prioritization
Solution selection
A systems view of risk management
The risk management system
13 - Cybersecurity metrics
Setting the stage
A caution about metrics
The "Flaw of Averages"
Goodhart's Law
Metrics for who?
Common metrics we encounter
Benchmarking
Mean Time to Patch (MTTP)
Mean Time to Detect (MTTD)
Mean Time to Resolve (MTTR)
Number of outstanding patches
Number of systems with critical vulnerabilities
Number of privileged accounts
Security training completion rate
Failed logins
Phishing click rates and phishing reporting rates
Malware detections
Third-party scores
Other metrics to consider
Repeat findings (and their causes)
Number of end-point compromises
Closure rate of findings
Number of shadow IT systems
Control efficacy metrics
Crown jewel metrics
Number of crown jewels
Number of noncompliant crown jewels
KRIs and KPIs
What makes a metric "key"?
Differentiating KRIs and KPIs
One metric to rule them all?
The big picture
What level of abstraction?
Why 12 months?
In summary
14 - Overcoming barriers to cyber risk quantification
Depth
Breadth
Speed
Challenges and strategies
Personal objections
Cultural objections
Politics
Security budget justification
Capital allocation
Risk transfer
Risk acceptance and security exceptions
Methodology and statistical literacy
Maturity
Standards
One example of what a CRQ program looks like
Risk identification
Security policy, standards, and procedures (controls)
Control assessments
Treatment
Program Reporting and Governance
Stealthy adoption
15 - Assessment automation
Jack Freund on the basic principles of a top-down approach to quantitative risk assessment automation
Scenarios
Control data
Internal data
Self-attested data
External data
Using data
Jack Jones's perspective on automating CRQ
Fair warning (pun intended)
A quick overview
You can't automate all of your analyses
Automation can scale poor decision-making
Diving in
Which decisions is ROM designed to support?
Scoping
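The chapter 3, 5, 6 and 7 headings above name the factors FAIR multiplies (contact frequency, probability of action, threat capability, resistance strength, primary and secondary loss) and the machinery it uses to turn calibrated ranges into a loss distribution (PERT estimates, a Monte Carlo engine, percentiles, qualitative scales). As an added illustration, not code from the book or the FAIR standard, the following Python wires those pieces together for a constructed privileged-insider snooping scenario of the kind chapter 8 analyses. The Pert and Scenario classes, the 20,000-draw susceptibility estimate, the band thresholds and every input number are the editor's assumptions.

```python
# Added illustration of the FAIR decomposition as a Monte Carlo model.
# Editor-written example, not code from the book or the FAIR standard;
# factor names follow the chapter headings, all numbers are constructed.
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Pert:
    """Calibrated min / most-likely / max estimate, sampled as a PERT
    (scaled beta) distribution: the usual way an expert range is fed
    into a Monte Carlo engine."""
    lo: float
    mode: float
    hi: float

    def __post_init__(self) -> None:
        if not self.lo <= self.mode <= self.hi:
            raise ValueError("expected lo <= mode <= hi")

    def sample(self, rng: random.Random) -> float:
        if self.hi == self.lo:            # point estimate: nothing to sample
            return self.lo
        span = self.hi - self.lo
        a = 1 + 4 * (self.mode - self.lo) / span
        b = 1 + 4 * (self.hi - self.mode) / span
        return self.lo + span * rng.betavariate(a, b)


@dataclass(frozen=True)
class Scenario:
    """One scoped scenario reduced to the factors the model multiplies."""
    contact_frequency: Pert       # threat contacts with the asset per year
    probability_of_action: Pert   # share of contacts that become threat events
    threat_capability: Pert       # skill percentile of the threat community
    resistance_strength: Pert     # attacker percentile the controls can resist
    primary_loss: Pert            # currency units lost per loss event
    secondary_probability: Pert   # chance a loss event triggers secondary loss
    secondary_loss: Pert          # currency units per secondary loss event


def derive_susceptibility(scenario: Scenario, draws: int = 20_000, seed: int = 0) -> float:
    """Susceptibility (formerly 'vulnerability'): P(threat capability exceeds
    resistance strength), estimated by sampling the two ranges against
    each other rather than asking an analyst for a single percentage."""
    rng = random.Random(seed)
    hits = sum(
        scenario.threat_capability.sample(rng) > scenario.resistance_strength.sample(rng)
        for _ in range(draws)
    )
    return hits / draws


def percentile(values: Sequence[float], p: float) -> float:
    """Linear-interpolation percentile for 0 <= p <= 1."""
    s = sorted(values)
    pos = p * (len(s) - 1)
    lo = int(pos)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1) -> Dict[str, float]:
    """Per iteration: TEF = contact frequency x probability of action,
    LEF = TEF x susceptibility, LM = primary + expected secondary loss,
    annual loss = LEF x LM. Returns the percentiles chapter 7 reports."""
    rng = random.Random(seed)
    susceptibility = derive_susceptibility(scenario, seed=seed)
    annual: List[float] = []
    for _ in range(iterations):
        tef = (scenario.contact_frequency.sample(rng)
               * scenario.probability_of_action.sample(rng))
        lef = tef * susceptibility
        primary = scenario.primary_loss.sample(rng)
        secondary = (scenario.secondary_probability.sample(rng)
                     * scenario.secondary_loss.sample(rng))
        annual.append(lef * (primary + secondary))
    return {
        "susceptibility": susceptibility,
        "p10": percentile(annual, 0.10),
        "p50": percentile(annual, 0.50),
        "p90": percentile(annual, 0.90),
        "mean": statistics.fmean(annual),
    }


# Constructed qualitative scale (assumption): derive the heatmap label
# from the number, not the other way round.
BANDS = ((100_000, "Low"), (1_000_000, "Moderate"), (float("inf"), "High"))


def qualitative_band(annual_loss: float, thresholds=BANDS) -> str:
    for ceiling, label in thresholds:
        if annual_loss < ceiling:
            return label
    return thresholds[-1][1]


if __name__ == "__main__":
    # Constructed inputs for a privileged insider / snooping / confidentiality scenario.
    insider_snooping = Scenario(
        contact_frequency=Pert(50, 200, 500),
        probability_of_action=Pert(0.01, 0.05, 0.20),
        threat_capability=Pert(30, 60, 90),
        resistance_strength=Pert(40, 55, 75),
        primary_loss=Pert(5_000, 20_000, 100_000),
        secondary_probability=Pert(0.05, 0.20, 0.50),
        secondary_loss=Pert(50_000, 250_000, 2_000_000),
    )
    result = simulate(insider_snooping)
    for name, value in result.items():
        print(f"{name:>15}: {value:,.2f}")
    print("90th-percentile band:", qualitative_band(result["p90"]))
```

Seeds are fixed so two analysts running the same inputs get the same distribution, which matters when a result is challenged (chapter 9, "Checking results"). The band is assigned after the simulation, which is the ordering chapter 7's "Qualitative scales" section argues for: a label that summarises a number can be audited, a label that replaces one cannot.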
Notes:
Includes index.
Description based on publisher supplied metadata and other sources.
Part of the metadata in this record was created by AI, based on the text of the resource.
ISBN:
0-443-13485-5
9780443134852
OCLC:
1559222096
