Information Security Risk Analysis [Paperback]

Thomas R. Peltier (Author)

Book Description

Publication Date: January 23, 2001

Risk is a cost of doing business. The question is, "What are the risks, and what are their costs?" Knowing the vulnerabilities and threats that face your organization's information and systems is the first essential step in risk management.

Information Security Risk Analysis shows you how to use cost-effective risk analysis techniques to identify and quantify the threats--both accidental and purposeful--that your organization faces. The book steps you through the qualitative risk analysis process using techniques such as PARA (Practical Application of Risk Analysis) and FRAP (Facilitated Risk Analysis Process) to:

Evaluate tangible and intangible risks

Use the qualitative risk analysis process

Identify elements that make up a strong Business Impact Analysis

Conduct risk analysis with confidence

Management looks to you, its information security professional, to provide a process that allows for the systematic review of risk, threats, hazards, and concerns, and to provide cost-effective measures to lower risk to an acceptable level. You can find books that cover risk analysis for financial, environmental, and even software projects, but you will find none that apply risk analysis to information technology and business continuity planning or deal with issues of loss of systems configuration, passwords, information loss, system integrity, CPU cycles, bandwidth, and more. Information Security Risk Analysis shows you how to determine cost effective solutions for your organization's information technology.

Product Details

• Paperback: 296 pages
• Publisher: Auerbach Publications; 1st edition (January 23, 2001)
• Language: English
• ISBN-10: 0849308801
• ISBN-13: 978-0849308802
• Product Dimensions: 9.9 x 7 x 0.8 inches
• Shipping Weight: 1.6 pounds
• Average Customer Review: 3.9 out of 5 stars  See all reviews (10 customer reviews)
• Amazon Best Sellers Rank: #1,648,205 in Books (See Top 100 in Books)

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

Most Helpful Customer Reviews

34 of 34 people found the following review helpful:

3.0 out of 5 stars Painfull but good, September 18, 2001

By 

Eric Parent (Chateauguay, Quebec Canada) - See all my reviews

This review is from: Information Security Risk Analysis (Paperback)

This book contains some great information for performing risk analysis. The content however appears to have never been reread and contains many errors and typos. The book also contains about 100 pages of regular text and approx. 300 pages of tables which are not available in an electronic format. So basically if your going to use the book for real life analysis, be prepared to retype all the tables that appeal to you. It is truely unfortunate that there is no mechanism for obtaining an electronic version of the tables in this book.
As far as technical content, the book is very good and does a great job of breaking in someone new to the world of risk analysis.

38 of 39 people found the following review helpful:

5.0 out of 5 stars Completely changed my way of thinking, April 22, 2001

By 

Mike Tarrani "www.tarrani.com" (Deltona, FL USA) - See all my reviews
(COMMUNITY FORUM 04)    (REAL NAME)   

Amazon Verified Purchase

This review is from: Information Security Risk Analysis (Paperback)

This book has radically influenced my approach to security risk management. In the past I had nothing but disdain for any qualitative approach to risk assessment, whether it was for security, project management or disaster recovery. My philosophy was that if you couldn't produce a probability curve you didn't have the full picture. The problem with that philosophy is the very people for whom you are doing the assessment typically do not care about probability curves - if they understand them at all.

Mr. Peltier's approach, while not as scientific, is far more powerful because it involves all stakeholders through his unique facilitated risk analysis process (FRAP), and produces findings and assessments that are clear and easy for non-technical people to understand. His approach is also thorough and business-focused. From the beginning this book grabs your attention. By page four I was completely drawn in by his use of a life cycle of the risk analysis process, and how he closely tied it to tasks and deliverables, and quality. He explains the strengths and weaknesses of qualitative analysis, then moves into a chapter that describes his approach to performing it. This is where I became sold. The approach is comprehensive and task-oriented. Every key factor, from financial loss to legal implications, are covered and qualitatively assessed using a valuation score. This section also has numerous checklists, tables and data with which to perform the analysis. These are augmented in the next chapter on value analysis, and by the time I finished it I was not only "sold", but a proponent of this approach.

The heart of this book and approach is the facilitated risk analysis process that extends the process to a team of stakeholders. The value is that the business itself is an active participant and assumes ownership of the findings, deliverables and action plan. I contrasted this with my past approach and saw that one of the reasons why assessments done by "experts" were difficult to move into the implementation phase is because the so-called beneficiaries of the work couldn't relate to the reasons or importance. Using Mr. Peltier's approach, information security becomes everyone's responsibility - an ideal situation in the eyes of any security professional.

The remainder of the book is filled with case studies and more tables and checklists. In fact, if you purchased this book for the tables and checklists alone you would be getting a bargain. My only complaint is these were not provided in electronic format as well.

If you perform information security risk analysis, or business continuity or disaster recovery planning this book is "must reading". Others outside of the primary audience who will find this book valuable include project managers (the qualitative risk approach will be equally effective in project planning and control), and facilities managers. This book earns a solid 5 stars and Mr. Peltier earns my gratitude for showing me a better way.

14 of 14 people found the following review helpful:

5.0 out of 5 stars Superb book - explains the details, September 25, 2001

By 

Linda Zarate "IT Ops Consultant" (Azusa, CA United States) - See all my reviews

This review is from: Information Security Risk Analysis (Paperback)

This is an excellent introduction to risk analysis in general and a highly effective guide for conducting a security risk analysis.

Of the 281 pages in this book, 156 pages are devoted to the seven chapters comprising the "how to" and case study, with the remaining pages allocated to six highly valuable appendices.

Chapter 1, Effective Risk Analysis, starts the book by discussing risk analysis in general, including common approaches, and leads into the author's approach. The next chapter covers qualitative risk analysis, followed by a chapter on value analysis. By this point it's clear that the author's philosophy is to capture major risks, cost data and develop impact without getting bogged down in complex methods. I liked chapter 4, which discusses other qualitative methods, their strengths and weaknesses, which adds context to the heart of this book: Chapter 5, Facilitated Risk Analysis Process. In a nutshell, this approach involves all stakeholders and spreads the responsibility and accountability for identifying, analyzing and prioritizing risks. This is as it should be because security should be everyone's job, and the stakeholders (led by subject matter experts) are the best source of authority for making trade-offs and allocating resources to ensure the degree of security that consensus dictates. Since security is, in part, a function of trade-offs, the Facilitated Analysis Risk Process proposed by the author is an effective and essential process supporting security. Chapter 6 covers other uses of qualitative risk analysis, and is though-provoking and informative. The case study in chapter 7 ties together the preceding chapters and concludes the text on risk analysis.

The appendices are, in my opinion, invaluable. Like a previous reviewer I lament the fact that the tables and forms were not included in electronic format, but this is a minor quibble on my part. Appendix A is a comprehensive, 25-page questionnaire that covers every facet of security risks. Appendix B contains a reproduction of every form associated with the Facilitated Risk Analysis Process (Scope/Business Process Identification, Action Plan, Final Report, Controls List, Risk List and Controls/Risk Cross-Reference List). Business Impact Analysis forms are provided in Appendix C, and a sample report is provided in Appendix D. Threat definitions are provided in Appendix E, and three short papers authored by other experts giving other opinions of risk analysis are the subject of Appendix F.

Overall this is a highly focused book that should not be ignored by anyone who is responsible for security, business continuity or disaster recovery planning. Even if you are more apt to use quantitative methods instead of the qualitative methods proposed by the author, this book is still an important work on security risk analysis. The appendices alone are worth the price of the book.