Customer Reviews


10 Reviews
5 star: 4
4 star: 2
3 star: 3
2 star: 1
1 star: 0

34 of 34 people found the following review helpful:
3.0 out of 5 stars Painful but good, September 18, 2001
By Eric Parent (Chateauguay, Quebec, Canada)
This book contains some great information for performing risk analysis. The content, however, appears to have never been reread and contains many errors and typos. The book also contains about 100 pages of regular text and approx. 300 pages of tables which are not available in an electronic format. So basically, if you're going to use the book for real-life analysis, be prepared to retype all the tables that appeal to you. It is truly unfortunate that there is no mechanism for obtaining an electronic version of the tables in this book.
As far as technical content, the book is very good and does a great job of breaking in someone new to the world of risk analysis.


38 of 39 people found the following review helpful:
5.0 out of 5 stars Completely changed my way of thinking, April 22, 2001
By Mike Tarrani
Amazon Verified Purchase
This book has radically influenced my approach to security risk management. In the past I had nothing but disdain for any qualitative approach to risk assessment, whether it was for security, project management or disaster recovery. My philosophy was that if you couldn't produce a probability curve you didn't have the full picture. The problem with that philosophy is the very people for whom you are doing the assessment typically do not care about probability curves - if they understand them at all.

Mr. Peltier's approach, while not as scientific, is far more powerful because it involves all stakeholders through his unique facilitated risk analysis process (FRAP), and produces findings and assessments that are clear and easy for non-technical people to understand. His approach is also thorough and business-focused. From the beginning this book grabs your attention. By page four I was completely drawn in by his use of a life cycle of the risk analysis process, and how he closely tied it to tasks, deliverables and quality. He explains the strengths and weaknesses of qualitative analysis, then moves into a chapter that describes his approach to performing it. This is where I became sold. The approach is comprehensive and task-oriented. Every key factor, from financial loss to legal implications, is covered and qualitatively assessed using a valuation score. This section also has numerous checklists, tables and data with which to perform the analysis. These are augmented in the next chapter on value analysis, and by the time I finished it I was not only "sold", but a proponent of this approach.

The heart of this book and approach is the facilitated risk analysis process that extends the process to a team of stakeholders. The value is that the business itself is an active participant and assumes ownership of the findings, deliverables and action plan. I contrasted this with my past approach and saw that one of the reasons why assessments done by "experts" were difficult to move into the implementation phase is because the so-called beneficiaries of the work couldn't relate to the reasons or importance. Using Mr. Peltier's approach, information security becomes everyone's responsibility - an ideal situation in the eyes of any security professional.

The remainder of the book is filled with case studies and more tables and checklists. In fact, if you purchased this book for the tables and checklists alone you would be getting a bargain. My only complaint is these were not provided in electronic format as well.

If you perform information security risk analysis, or business continuity or disaster recovery planning this book is "must reading". Others outside of the primary audience who will find this book valuable include project managers (the qualitative risk approach will be equally effective in project planning and control), and facilities managers. This book earns a solid 5 stars and Mr. Peltier earns my gratitude for showing me a better way.



14 of 14 people found the following review helpful:
5.0 out of 5 stars Superb book - explains the details, September 25, 2001
This is an excellent introduction to risk analysis in general and a highly effective guide for conducting a security risk analysis.

Of the 281 pages in this book, 156 pages are devoted to the seven chapters comprising the "how to" and case study, with the remaining pages allocated to six highly valuable appendices.

Chapter 1, Effective Risk Analysis, starts the book by discussing risk analysis in general, including common approaches, and leads into the author's approach. The next chapter covers qualitative risk analysis, followed by a chapter on value analysis. By this point it's clear that the author's philosophy is to capture major risks and cost data and develop impact without getting bogged down in complex methods. I liked chapter 4, which discusses other qualitative methods and their strengths and weaknesses, which adds context to the heart of this book: Chapter 5, Facilitated Risk Analysis Process. In a nutshell, this approach involves all stakeholders and spreads the responsibility and accountability for identifying, analyzing and prioritizing risks. This is as it should be, because security should be everyone's job, and the stakeholders (led by subject matter experts) are the best source of authority for making trade-offs and allocating resources to ensure the degree of security that consensus dictates. Since security is, in part, a function of trade-offs, the Facilitated Risk Analysis Process proposed by the author is an effective and essential process supporting security. Chapter 6 covers other uses of qualitative risk analysis, and is thought-provoking and informative. The case study in chapter 7 ties together the preceding chapters and concludes the text on risk analysis.

The appendices are, in my opinion, invaluable. Like a previous reviewer I lament the fact that the tables and forms were not included in electronic format, but this is a minor quibble on my part. Appendix A is a comprehensive, 25-page questionnaire that covers every facet of security risks. Appendix B contains a reproduction of every form associated with the Facilitated Risk Analysis Process (Scope/Business Process Identification, Action Plan, Final Report, Controls List, Risk List and Controls/Risk Cross-Reference List). Business Impact Analysis forms are provided in Appendix C, and a sample report is provided in Appendix D. Threat definitions are provided in Appendix E, and three short papers authored by other experts giving other opinions of risk analysis are the subject of Appendix F.

Overall this is a highly focused book that should not be ignored by anyone who is responsible for security, business continuity or disaster recovery planning. Even if you are more apt to use quantitative methods instead of the qualitative methods proposed by the author, this book is still an important work on security risk analysis. The appendices alone are worth the price of the book.

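The process the two preceding reviews describe (a facilitated team rates each threat on ordinal likelihood and impact scales, the two ratings combine through a priority matrix, controls are mapped to the risks they address, and the output is a risk list, a controls list and a controls/risk cross-reference) can be sketched in a few dozen lines. The following is an added example written for this page, not a reproduction of the book's tables, forms or FRAP worksheets; the three-point scale, the A/B/C priority matrix, the threats and the controls are all assumptions constructed for illustration. Beyond the lists themselves it adds the check a practitioner wants before the action plan is signed off: which priority A or B risks have no control mapped to them at all.

```python
"""Qualitative risk analysis: priority matrix, risk list and controls/risk
cross-reference. Added example; the scale, matrix and sample data are
constructed assumptions, not the book's own tables."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordinal rating agreed by the facilitated team (assumed three-point scale)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Risk:
    rid: str
    threat: str
    likelihood: Level
    impact: Level


@dataclass(frozen=True)
class Control:
    cid: str
    name: str
    addresses: frozenset  # ids of the risks this control reduces


# Priority matrix, likelihood x impact -> priority letter. Assumed meaning:
# A = act before the session closes, B = schedule, C = accept and monitor.
PRIORITY = {
    (Level.HIGH, Level.HIGH): "A", (Level.HIGH, Level.MEDIUM): "A", (Level.MEDIUM, Level.HIGH): "A",
    (Level.HIGH, Level.LOW): "B", (Level.MEDIUM, Level.MEDIUM): "B", (Level.LOW, Level.HIGH): "B",
    (Level.MEDIUM, Level.LOW): "C", (Level.LOW, Level.MEDIUM): "C", (Level.LOW, Level.LOW): "C",
}


def priority(risk: Risk) -> str:
    return PRIORITY[(risk.likelihood, risk.impact)]


def risk_list(risks):
    """Risk list ordered by priority (A first), then by id for a stable report."""
    return sorted(risks, key=lambda r: (priority(r), r.rid))


def cross_reference(risks, controls):
    """Controls/risk cross-reference: risk id -> sorted list of control ids.
    A control that names a risk absent from the risk list is a data error."""
    xref = {r.rid: [] for r in risks}
    for c in controls:
        for rid in c.addresses:
            if rid not in xref:
                raise ValueError(f"{c.cid} references unknown risk {rid}")
            xref[rid].append(c.cid)
    return {rid: sorted(cids) for rid, cids in xref.items()}


def unmitigated(risks, controls, worst_accepted="B"):
    """Risks at priority B or better (A) with no control mapped to them.
    String order A < B < C matches priority order, so <= works directly."""
    xref = cross_reference(risks, controls)
    return [r.rid for r in risk_list(risks)
            if priority(r) <= worst_accepted and not xref[r.rid]]


def action_plan(risks, controls):
    """Rows for the action plan: (risk id, priority, control ids or 'NONE')."""
    xref = cross_reference(risks, controls)
    return [(r.rid, priority(r), ",".join(xref[r.rid]) or "NONE")
            for r in risk_list(risks)]


# Constructed sample data for a fictional file-and-mail environment.
RISKS = [
    Risk("R1", "Ransomware encrypts the file server", Level.MEDIUM, Level.HIGH),
    Risk("R2", "Phishing harvests staff credentials", Level.HIGH, Level.MEDIUM),
    Risk("R3", "Unencrypted laptop lost in transit", Level.MEDIUM, Level.MEDIUM),
    Risk("R4", "Short power outage at the office", Level.LOW, Level.LOW),
    Risk("R5", "Insider copies the customer database", Level.MEDIUM, Level.HIGH),
]
CONTROLS = [
    Control("C1", "Offline, tested backups", frozenset({"R1"})),
    Control("C2", "MFA on all remote access", frozenset({"R2"})),
    Control("C3", "Full-disk encryption on laptops", frozenset({"R3"})),
    Control("C4", "Phishing awareness exercises", frozenset({"R2"})),
]

if __name__ == "__main__":
    for rid, pri, ctrls in action_plan(RISKS, CONTROLS):
        print(f"{rid}  {pri}  {ctrls}")
    print("priority A/B risks with no control:", unmitigated(RISKS, CONTROLS))
```

The point of `unmitigated` is the one the facilitated session tends to miss: a risk rated A by consensus but never assigned a control (R5 in the sample data) disappears into the tables unless the cross-reference is read back the other way. The matrix itself is deliberately a lookup rather than a product of the two numbers, so the team can make it asymmetric (rate a low-likelihood, catastrophic event higher than a frequent nuisance) without touching the code.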


14 of 15 people found the following review helpful:
4.0 out of 5 stars A very good kick-off book on Risk Analysis, November 15, 2001
By Diego Baldini (Helsinki, Finland)
This is the only book that provides a general overview of what a Risk Analysis is, and I consider it a very good basis for learning how to perform a Risk Analysis and evaluate the risks. Anyway, it is my personal opinion that there are no standard methods to be used: a good Risk Analyst is to a good Risk Analysis what a good tailor is to a good suit. Every time you have to perform a Risk Analysis, you will decide with the team or with the customer what kind of methods are going to be used and which kind of evaluation parameters are going to be taken into consideration. Another thing that I disagree about is the time that should be spent on the Risk Analysis: to perform a good analysis in ten days is like expecting a Persian carpet to be made in one week or a good Italian meal to be served in three minutes.


12 of 13 people found the following review helpful:
2.0 out of 5 stars Proper content, horrible writing, April 12, 2005
After having read the book, I was left with a mixed feeling. The content of the book is OK. Not special, just OK. If this book changed your way of thinking about risk, then this is probably one of your first books you read on the subject. I give the book content 4 stars, since it's decent, easy to follow and fairly complete. Besides that, the author included three good articles at the end of the book, one of which (by Caroline Hamilton) is particularly well-written.

Now for the style. I can only agree with one of the other reviewers regarding the comment he made about proofreading the book. I wonder if the book was proofread at all. There are so many errors and annoyances in this book that it starts getting on my nerves fairly quickly. To name but a few:


The writer contradicts himself on several occasions. Sometimes this gets hilarious:
- Page 30: [The cost/benefit analysis] is the most important step of any risk analysis process.
- Page 35: As discussed in the previous example, the scope statement is the most important element of the risk analysis process.
- Page 39: The most important element of any risk analysis process is the recommendations of controls and safeguards... etc etc.


I understand that Mr. O'Leary is his mentor, but don't tell me five $%^$@ times that he is the Director of the Education Resource Center (pages ix, 12, 13, 65, 66).


The spelling errors are a real pain in the butt:

- page 217: "Aurebach" instead of "Auerbach" (my favorite; it's his own publisher).
- page 16: "can shared" instead of "can be shared"
- page 36: ".appropriate" instead of "appropriate"
- page 43: "their role" instead of "his role"
- page 45: "control" instead of "risk" (last word on the page)
- page 46: "these" instead of "there"
- page 47: "guideline" instead of "guidelines"
- page 55: "their" instead of "its" (it refers back to "job")
- page 64: wrong comma usage
- page 71: "in" instead of "it"
- .....
- page 162: "Originizational" instead of "Organizational"
- page 217: "Ozierz's" instead of "Ozier's"


The writer uses Ctrl+C and Ctrl+V too many times. Definitions should be reworded, not blindly copied. See pages 7 and 57, pages 47 and 72, etc.

Sometimes bulleted items in the same list have a trailing dot, sometimes they haven't.

I can go on and on.

To wrap it up, the writing gets 1 star. Equals 5 stars. Which will be rounded to 2 stars, simply because of his sloppy writing. If the writing were better, I might give it 3 or 4 stars.


11 of 12 people found the following review helpful:
3.0 out of 5 stars Awesome Content - hurried writing, January 22, 2002
Amazon Verified Purchase
I believe that this book was pushed out to the presses much too quickly. Be prepared to rewrite some of the processes because of poor writing (and/or proofreading). Some of the steps in the Qualitative Risk Analysis just straight up don't make sense.

However I give it two thumbs up for content. This book helped me with disaster planning tremendously.

Bottom line this book is worth the money and deserves/needs a second edition.



5.0 out of 5 stars Great resource, July 17, 2007
This review is from: Information Security Risk Analysis, Second Edition (Hardcover)
An excellent resource on risk analysis techniques and methodologies. The breadth and depth of coverage fit a wide range of audiences. I work in information security and found the concepts and details very, very helpful and ones I could relate to in my work. The organization of the chapters and overall book is very logical and facilitates overall readability. I would highly recommend this book to anyone working in any aspect of risk assessment/management.

2 thumbs up!


4 of 7 people found the following review helpful:
3.0 out of 5 stars Qualitative not Quantitative, March 31, 2004
By Tyler Markowsky (Winnipeg, Manitoba, Canada)
The book outlines - over the course of about 50 pages - a simple and qualitative risk metric. If one is looking for a method to quantify risk then look elsewhere; perhaps to a professional actuary.

Overall it is a decent book for an introduction to qualitative risk analysis.


5 of 9 people found the following review helpful:
4.0 out of 5 stars Good..., November 3, 2005
This review is from: Information Security Risk Analysis, Second Edition (Hardcover)
After reading a large number of security books and papers, you come to an uncanny realization: if an author does not misspell HIPAA in his entire work, he's gotta be good! But then again, if a guy was a CSO when I was just finishing my elementary school, I am sure he knows something about security...

Here is what I have to say about this title: it is good, but pretty dry. And I happen to hate dry books. However, I am willing to make an exception for this one, since it is a management book about security risk. It won't teach you how to hack, scan, exploit or protect and firewall, but rather how to define, document, manage, organize and facilitate.

I would recommend the book for those involved with formal risk assessment for organizations. Admittedly, I do not fit this profile myself, but I enjoyed it since the author presents a somewhat novel approach to security risk assessment (called FRAAP) and I was curious about it. I also liked the section on mapping controls, such as HIPAA to ISO17799, etc.

Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II" and the upcoming "Hacker's Challenge III". In his spare time, he maintains his security portal info-secure.org and his blog at O'Reilly. His next book will be about security log analysis.


3 of 7 people found the following review helpful:
5.0 out of 5 stars AWESOME!!!, July 6, 2005
This review is from: Information Security Risk Analysis, Second Edition (Hardcover)
This is a great book about risk. Very valuable. Written in a clear and easy to understand style.

A bargain at 5 times the price. You can't get this info and data anywhere else.

This product

Information Security Risk Analysis, Second Edition by Thomas R. Peltier (Hardcover - April 26, 2005)