Measuring and Managing Information Risk - Jack Freund, Jack Jones

Measuring and Managing Information Risk (eBook)

A FAIR Approach

Jack Freund, Jack Jones (Autoren)

eBook Download: PDF | EPUB

2014 | 1. Auflage
408 Seiten
Elsevier Science (Verlag)
978-0-12-799932-6 (ISBN)

Using the factor analysis of information risk (FAIR) methodology developed over ten years and adopted by corporations worldwide, Measuring and Managing Information Risk provides a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity. Intended for organizations that need to either build a risk management program from the ground up or strengthen an existing one, this book provides a unique and fresh perspective on how to do a basic quantitative risk analysis. Covering such key areas as risk theory, risk calculation, scenario modeling, and communicating risk within the organization, Measuring and Managing Information Risk helps managers make better business decisions by understanding their organizational risk. - Uses factor analysis of information risk (FAIR) as a methodology for measuring and managing risk in any organization. - Carefully balances theory with practical applicability and relevant stories of successful implementation. - Includes examples from a wide variety of businesses and situations presented in an accessible writing style.

Dr. Jack Freund is a leading voice in cyber risk measurement and management. As VP, Head of Cyber Risk Methodology for BitSight, Jack has overall responsibility for the systemic development and application of frameworks, algorithms, and quantitative and qualitative methods to measure cyber risk. Previously, Jack was Director of Risk Science at quantitative risk management startup RiskLens and Director of Cyber Risk for TIAA. Jack holds a Ph.D. in Information Systems from Nova Southeastern University, a Masters in Telecommunication and Project Management, and a BS in CIS. Jack has been named a Senior Member of the IEEE and ACM, a Fellow of the IAPP and FAIR Institute, and a Distinguished Fellow of the ISSA. He is the 2020 recipient of the (ISC)2 Global Achievement Award, 2018 recipient of ISACA's John W. Lainhart IV Common Body of Knowledge Award, and the FAIR Institute's 2018 FAIR Champion Award.

Front Cover 1
Measuring and Managing Information Risk 4
Copyright 5
Contents 6
Acknowledgments by Jack Jones 10
About the Authors 12
Preface by Jack Jones 14
WHAT THIS BOOK IS NOT, AND WHAT IT IS 14
Preface by Jack Freund 16
Chapter 1 - Introduction 20
HOW MUCH RISK? 20
THE BALD TIRE 21
ASSUMPTIONS 21
TERMINOLOGY 22
THE BALD TIRE METAPHOR 24
RISK ANALYSIS VS RISK ASSESSMENT 24
EVALUATING RISK ANALYSIS METHODS 25
RISK ANALYSIS LIMITATIONS 27
WARNING—LEARNING HOW TO THINK ABOUT RISK JUST MAY CHANGE YOUR PROFESSIONAL LIFE 28
USING THIS BOOK 29
Chapter 2 - Basic Risk Concepts 32
POSSIBILITY VERSUS PROBABILITY 32
PREDICTION 35
SUBJECTIVITY VERSUS OBJECTIVITY 36
PRECISION VERSUS ACCURACY 42
Chapter 3 - The FAIR Risk Ontology 44
DECOMPOSING RISK 46
LOSS EVENT FREQUENCY 47
THREAT EVENT FREQUENCY 48
CONTACT FREQUENCY 49
PROBABILITY OF ACTION 50
VULNERABILITY 51
THREAT CAPABILITY 52
DIFFICULTY 53
LOSS MAGNITUDE 54
PRIMARY LOSS MAGNITUDE 56
SECONDARY RISK 57
SECONDARY LOSS EVENT FREQUENCY 58
SECONDARY LOSS MAGNITUDE 59
ONTOLOGICAL FLEXIBILITY 59
Chapter 4 - FAIR Terminology 62
RISK TERMINOLOGY 62
THREAT 64
THREAT COMMUNITY 67
THREAT PROFILING 69
VULNERABILITY EVENT 81
PRIMARY AND SECONDARY STAKEHOLDERS 81
LOSS FLOW 82
FORMS OF LOSS 84
Chapter 5 - Measurement 94
MEASUREMENT AS REDUCTION IN UNCERTAINTY 94
MEASUREMENT AS EXPRESSIONS OF UNCERTAINTY 96
BUT WE DON’T HAVE ENOUGH DATA…AND NEITHER DOES ANYONE ELSE 99
CALIBRATION 103
EQUIVALENT BET TEST 104
Chapter 6 - Analysis Process 110
THE TOOLS NECESSARY TO APPLY THE FAIR RISK MODEL 110
HOW TO APPLY THE FAIR RISK MODEL 111
PROCESS FLOW 112
SCENARIO BUILDING 112
THE ANALYSIS SCOPE 115
EXPERT ESTIMATION AND PERT 118
MONTE CARLO ENGINE 120
LEVELS OF ABSTRACTION 122
Chapter 7 - Interpreting Results 124
WHAT DO THESE NUMBERS MEAN? (HOW TO INTERPRET FAIR RESULTS) 124
UNDERSTANDING THE RESULTS TABLE 126
VULNERABILITY 128
PERCENTILES 128
UNDERSTANDING THE HISTOGRAM 129
UNDERSTANDING THE SCATTER PLOT 129
QUALITATIVE SCALES 130
HEATMAPS 132
SPLITTING HEATMAPS 134
SPLITTING BY ORGANIZATION 135
SPLITTING BY LOSS TYPE 136
SPECIAL RISK CONDITIONS 137
UNSTABLE CONDITIONS 138
FRAGILE CONDITIONS 138
TROUBLESHOOTING RESULTS 139
Chapter 8 - Risk Analysis Examples 142
OVERVIEW 142
INAPPROPRIATE ACCESS PRIVILEGES 142
PRIVILEGED INSIDER/SNOOPING/CONFIDENTIALITY 147
PRIVILEGED INSIDER/MALICIOUS/CONFIDENTIALITY 149
CYBER CRIMINAL/MALICIOUS/CONFIDENTIALITY 161
UNENCRYPTED INTERNAL NETWORK TRAFFIC 169
PRIVILEGED INSIDER/CONFIDENTIALITY 172
NONPRIVILEGED INSIDER/MALICIOUS 183
CYBER CRIMINAL/MALICIOUS 190
WEBSITE DENIAL OF SERVICE 194
ANALYSIS 196
BASIC ATTACKER/AVAILABILITY 205
Chapter 9 - Thinking about Risk Scenarios Using FAIR 212
THE BOYFRIEND 213
SECURITY VULNERABILITIES 214
WEB APPLICATION RISK 217
CONTRACTORS 219
PRODUCTION DATA IN TEST ENVIRONMENTS 221
PASSWORD SECURITY 222
BASIC RISK ANALYSIS 224
PROJECT PRIORITIZATION 233
SMART COMPLIANCE 244
Going into business 246
CHAPTER SUMMARY 249
Chapter 10 - Common Mistakes 250
MISTAKE CATEGORIES 250
CHECKING RESULTS 250
SCOPING 251
DATA 254
VARIABLE CONFUSION 254
MISTAKING TEF FOR LEF 255
MISTAKING RESPONSE LOSS FOR PRODUCTIVITY LOSS 255
CONFUSING SECONDARY LOSS WITH PRIMARY LOSS 256
CONFUSING REPUTATION DAMAGE WITH COMPETITIVE ADVANTAGE LOSS 256
VULNERABILITY ANALYSIS 257
Chapter 11 - Controls 260
OVERVIEW 260
HIGH-LEVEL CONTROL CATEGORIES 260
ASSET-LEVEL CONTROLS 264
VARIANCE CONTROLS 272
DECISION-MAKING CONTROLS 281
CONTROL WRAP UP 291
Chapter 12 - Risk Management 292
COMMON QUESTIONS 293
WHAT WE MEAN BY “RISK MANAGEMENT” 294
DECISIONS, DECISIONS 298
SOLUTION SELECTION 305
A SYSTEMS VIEW OF RISK MANAGEMENT 306
Chapter 13 - Information Security Metrics 312
CURRENT STATE OF AFFAIRS 312
METRIC VALUE PROPOSITION 313
BEGINNING WITH THE END IN MIND 314
MISSED OPPORTUNITIES 338
Chapter 14 - Implementing Risk Management 354
OVERVIEW 354
A FAIR-BASED RISK MANAGEMENT MATURITY MODEL 355
GOVERNANCE, RISKS, AND COMPLIANCE 369
RISK FRAMEWORKS 375
ROOT CAUSE ANALYSIS 384
THIRD-PARTY RISK 392
ETHICS 393
IN CLOSING 394
Index 396
A 396
B 396
C 397
D 398
E 398
F 399
G 399
H 400
I 400
J 400
K 400
L 400
M 401
N 402
O 403
P 403
Q 404
R 404
S 407
T 408
U 409
V 409
W 410
Z 410

Preface by Jack Freund

While writing this book, Jack Jones and I had a conversation about some of the difficulties faced by those in this profession, and especially those who are interested in bringing quantitative methods into common practice. During this discussion I did what I always do when I’m full of myself and waxing eloquent: I use Socratic Method to help summarize and build analogies to help illustrate key points. I have one friend who called me “The Great Distiller” (with tongue firmly planted in cheek). Jack liked the point I made, and suggested that I write about it here to help frame the book and the work being done on FAIR. Essentially, the point I made went something like this.

What is one of the first things that a new leader in IT risk and security needs to do? Well, there are a lot of tasks to be sure: building relationships, hiring staff, diagnosing problem areas, and building out new and/or enhanced processes. This list could be written about most leadership jobs in any profession. However one task that will show up on that list is something like “identify risk assessment methodology.” How unique that is to our profession! Think about that for a minute: you could have a fully implemented risk function that is rating issues and risk scenarios everyday. Yet, when a new leader joins your organization, they may wipe all of that away because they disagree with the method being used. And this may be for reasons as simple as it’s unfamiliar to them, they prefer another method more, or a little from column A and a little from column B.

I was discussing this with someone who runs a chemistry lab. She has a PhD in organic chemistry, runs a peptide laboratory, and who modestly refers to herself simply as “a chemist.” I asked her if this is a routine practice in chemistry. “Does one of the early tasks of a new lab manager involve choosing the method of chemical interaction they are going to use? Do they define their own approach and methodology for handling volatile chemicals?” “Certainly not,” she replied. Once it is determined the type of chemistry they are going to be doing (organic, inorganic, nuclear, etc.), they will need to supply the lab with the materials necessary to do their job. She said there are five basic chemicals she uses in her peptide lab and once those are selected, it is a matter of outfitting the lab with the correct safety devices and handling precautions (fume hoods, storage containers, etc.). “Do any of these tasks involve explaining to your staff your view on how these chemicals interact? Do you have to have conversations to get their minds right on how to do chemistry?” I asked. She told me this is not the case (although we had a good chuckle over those that still insist on pipetting by mouth). There are well-known principles that govern how these chemicals work and interact. In areas where there is dispute or cutting-edge work, those involved in its practice use the scientific method to gain a better understanding of what “truth” looks like and present their work for peer review.

We may never get to the equivalent of a periodic table of risk, but we need to try. We need to set stakes in the ground on what truth looks like, and begin to use scientific method to engage each other on those areas where we disagree. I genuinely want to get better at the practice of IT risk, and I know that Jack Jones does too. It is for this reason that FAIR has been publicly reviewed and vetted for several years now and why Jack Jones placed the basic FAIR taxonomy discussed in chapter 3 in the hands of a neutral standards body (The Open Group). By all means, let us have an open dialogue about what works and what does not. But let us also use impartial, unbiased evidence to make these decisions.

I wrote this book to accomplish several things. First, it is a great honor to be able to author a book with one’s mentor. It is an even bigger honor to help your mentor write a book about their life’s work. That really is significant to me, but it is also a weighty responsibility. I learned FAIR from Jack early on in the part of my career where I was beginning to do Governance, Risk, and Compliance (GRC) work in earnest. By that time, I had been studying, training in, and writing about various methods of risk assessment and it was becoming clear to me that what passed for a method was more process than calculation. Indeed, if you compare most major risk assessment methods, they all bear a striking resemblance: you should consider your assets, threats to them, vulnerabilities, and the strength of the controls. Somehow (although rarely ever explicitly identified), you should relate them to one another. The end result is some risk rankings and there you go. Except that is the problem: no one tells you how to do this exactly, and often times you are encouraged to make up your own solution, as if we all know the right way to go about doing that.

What I learned from Jack was simple and straightforward. The relationship between the variables was well reasoned and well designed. It was easy to understand and explain. It also included some sophisticated math, yet was still easy for me to use (I always scored higher on verbal than math sections on any standardized test). I have often been accused of knowing only a single method for assessing risk (a statement that is wildly inaccurate). I know many methods for assessing risk, yet only one that seeks to calculate and analyze risk in a defensible way. Knowing how to do that gives you a sense of composure, and perhaps even some bravado. You do not shy away from difficult or hard problems because you have learned how to model these scenarios even when you do not have the best data available. This can be off-putting to some people. But you will come back to the FAIR taxonomy and calculation method over and over again. It is like learning the quadratic formula after years of solving quadratic equations using factoring. Why go back to something that is harder to do and takes longer to complete? I will tease Jack often by saying that he has “ruined me” for other types of risk analysis methods. He takes my good-natured ribbing well. What I mean is that he has showed me the right way to do it, and it is difficult for me to go back to other approaches since their flaws have been laid bare before me. So to that end, yes I only know one (good) method for practicing risk and I have been thoroughly ruined for all the other (not as good) methods for doing risk assessments. And for that I thank you Jack Jones.

The second major reason I decided to write this book is because I believe we are on the precipice of something really amazing in our profession. IT risk is really starting to become its own distinct function that is slowly separating from Information Security proper while simultaneously becoming more intertwined with it. In my role as an educator, I often have discussions with students who are looking to break into the risk and security profession I often tell them that these jobs are really IT specialties and what they really need is to gain some experience in a reference discipline; they need a strong foundation in networking or application development as an example. Only after a few years of work in these roles will they be able to provide useful security work to a future employer. This used to be the way that people entered the security function. Often it was only after many years of work administering servers or working on network routing tables that you were given the chance to be a security practitioner full time. The industry is changing now, and more and more I find that there are paths into risk and security that do not involve even a moderate level of knowledge of something else first.

This is not necessarily bad, however it has some implications. Since we can no longer depend on someone having a solid skillset to draw upon, they may not know a lot about the environments they are now charged with assessing. Second, if they were trained with specific security knowledge that often means that they missed some of the foundational elements that are a part of a core liberal arts education (critical thinking and scientific method as an example). It is also important to learn how to be more autodidactic (a word I learned while being an autodidact).

This book is written in part to help fill out the knowledge gap that a lot of people have when faced with a job that is primarily risk-based. I often draw a diagram for people, which I think adequately reflects the real nature of the skills necessary for working in this job (Figure P.1):

FIGURE P.1 IT risk job skills.

By and large, most of the job is talking to people. You have to learn how to perform technical interviews of IT people and business process reviews with business people. You have to learn how to talk with the person running backups on mainframes, as well as to be able to present risk information to the board of directors. Do not forget the importance of being able to write: risk communication also includes the ability to write e-mails and reports. Essentially, you have to develop a skillset that includes general soft skills and some specialized techniques. This book will aid with some of this.

Good risk practitioners also have technical knowledge. Most of this is not covered here. Like my (aging) advice to college kids, find some way to gain that knowledge either by education or practice. This is probably the easiest of the three to get better at, given the proliferation of free and near-free training available today.

Lastly are the risk skills...

Erscheint lt. Verlag	23.8.2014
Sprache	englisch
Themenwelt	Informatik ► Netzwerke ► Sicherheit / Firewall
Themenwelt	Wirtschaft ► Betriebswirtschaft / Management ► Wirtschaftsinformatik
ISBN-10	0-12-799932-9 / 0127999329
ISBN-13	978-0-12-799932-6 / 9780127999326

Haben Sie eine Frage zum Produkt?

PDF (Adobe DRM)
Größe: 8,6 MB

Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM

Dateiformat: PDF (Portable Document Format)
Mit einem festen Seitenlayout eignet sich die PDF besonders für Fachbücher mit Spalten, Tabellen und Abbildungen. Eine PDF kann auf fast allen Geräten angezeigt werden, ist aber für kleine Displays (Smartphone, eReader) nur eingeschränkt geeignet.

Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine Adobe-ID und die Software Adobe Digital Editions (kostenlos). Von der Benutzung der OverDrive Media Console raten wir Ihnen ab. Erfahrungsgemäß treten hier gehäuft Probleme mit dem Adobe DRM auf.
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine Adobe-ID sowie eine kostenlose App.
Geräteliste und zusätzliche Hinweise

Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.

Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.

EPUB (Adobe DRM)
Größe: 9,6 MB

Dateiformat: EPUB (Electronic Publication)
EPUB ist ein offener Standard für eBooks und eignet sich besonders zur Darstellung von Belletristik und Sachbüchern. Der Fließtext wird dynamisch an die Display- und Schriftgröße angepasst. Auch für mobile Lesegeräte ist EPUB daher gut geeignet.

Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.

Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.

Print-Ausgabe

Buch | Softcover

49,85 €