Customer Reviews

Security Risk Management Body of Knowledge (Wiley Series in Systems Engineering and Management)

5 star:		(5)
4 star:		(1)
3 star:		(0)
2 star:		(0)
1 star:		(0)

 

 

Since 2001 attention has become understandably more focused on matters of security. Billions of dollars and millions of hours have been spent on devising responses to current and future threats. In this environment the discipline of security risk management (SRM) has received much more attention from business and government. However, to my knowledge the "Security Risk Management Body of Knowledge" is the first comprehensive attempt at summarizing the complex and varied elements that make up the discipline of SRM.

This book, which was originally published by the Risk Management Institution of Australasia and which draws on the contributions of almost 100 SRM specialists, provides a holistic overview of SRM, combining a broad survey of the major areas of SRM with a wealth of practical details and advice on how to use SRM tools.

It attempts to put some structure around the idea of "security risk management". For example, it postulates four strategic Knowledge Areas (Exposure, Risk, Resources, Quality) and four operational Competency Areas (Business Integration, Functional Design, Implementation, Assurance) that together contain important knowledge that any security team in any organization needs to have.

The "Security Risk Management Body of Knowledge" uses models (such as the "Swiss Cheese" and the "Bow Tie" models), checklists and templates to help practitioners develop analyses and action plans specifically related to the organizations whose security they are attempting to improve.

This book includes a comprehensive lexicon (50 pages of text and illustrations) of SRM terms and definitions. The book also incorporates a generous quantity of color diagrams which aid greatly in the understanding of complex SRM processes.

The "Security Risk Management Body of Knowledge" also contains a thoughtful discussion on the human factors in SRM and asks questions regarding the underlying root causes of security failures and regarding the roles of culture and organizational psychology in risk management. This approach broadens the whole concept of personnel security away from just employment screening and security vetting towards asking more difficult (but vital) questions such as why would well-intentioned, conscientious people deliberately put themselves at risk by doing "irrational" things such as sharing passwords or chocking a fire door open when they should know better.

In conclusion, this book can be highly recommended not only for security risk management professionals but also for all who work in any area of risk management and security. Its tools, templates and concepts are also helpful for people with responsibilities in fields such as safety, health, business continuity, intelligence, and fraud prevention.

Moreover, this book, with its logical layout, its case studies, its abundance of color diagrams, its lexicon and its bibliography, would be an ideal educational textbook in SRM for use in technical school and college courses and for use in consulting situations.

A body of knowledge in this age is something which seems to expand at a frightening and sometimes unmanageable pace but a foundation needs to be put down somewhere, a place where people can launch off into that ever expanding interest. The Security Risk Management Body of Knowledge or SRMBOK does just this, it is a foundational text and reference library for professionals interested in security and risk management. For those who want to understand and develop their knowledge in security risk management, this is the place to start. The book is very well structured and provides excellent guides at the front to help navigate through the text, contingent on reading purpose. Like many text books SRMBOK is not for the faint hearted, its not the kind of test for a slow read on a sunny afternoon. SRMBOK is the kind of book to which you refer again and again, that sits beside the encyclopedia and other reference books.

SRMBOK is not, as it states, about "guns, gates and guards" or "ciphers, safety and society" but explores the dynamic concept of "providing resilience". The approach of the book is to help the reader map and navigate a way through the evolving and challenging landscape of security and risk.

SRMBOK explains the fundamentals of security and risk in clear language with excellent illustrations and graphics. The explanation of standards (eg. AZ/NZS4360:2004), legislative requirements and governance issues is articulated through plain (non-technical) language and complementary illustrations. A range of helpful tools such as the "swiss cheese", ALARP, Hierarchy of Control and "bow tie" matrix are set out and explained. Business integration, functional design and congruence with project management tools and methods are also explained. The section on auditing is practical as is the section on physical risks, and is followed by a comprehensive discussion of significant aspects of risk management, change management, ICT management, human resource management as they apply to security risk management. The book has a comprehensive lexicon and bibliography.

A Wiley book rarely lets you down, and this one doesn't either. With a refreshing Australian touch, distinctively unlike many American books on the same subject, this 445-page heavy-weight of a book has it all.

It is is a vast and practically all-encompassing repository of knowledge, filled with accepted best practices, innovations and research in the evolving field of security risk management. This book does not have a narrow scope, it is wide open, and it extends towards business continuity, resilience and even supply chain management. It thoroughly details the security risk management process in an easy-to-read format that can be understood by executive managers and deployed by security risk management practitioners. Indeed, no prior knowledge is required. Accompanied by rich and colorful illustrations on every other page (examples can be seen in the preview below), the message is clear: While today's business world may be complex, security risk management doesn't have to follow suit with the same complexity. Yes, risks may be complex, but managing them is not, and this book makes it look easy. Essentially this book provides a mixture of security management, resilience management and business continuity management, and it does so very well. It is a vast book and I can only review so much, but let's see what the book has to offer.

One of the best features of the book is the SRM Lexicon, a 50-page compilation of more than 250 terms and definitions related to security risk management. In fact, the SRM Lexicon can be read entirely on its own, without any reference to the book; it would still make perfect sense. It is that good. Among other things, the book also features a list of no less than twelve risk definitions, their benefits and potential drawbacks

This is a solid handbook that leaves no ground uncovered. Because it is so comprehensive, after reading the book, I do feel a bit lost...as in "Where do I go from here and where do I start?". That is where the sample templates are most helpful, as they provide a step-by-step guide, examples and check list towards achieving full security risk management. Besides this, the SRM lexicon and the illustrations make this book more than worthwhile.

Length:: 1:57 Mins

Read this book and enjoy the benefits it holds. Unlike the vast majority of technical security manuals, this book is very easy to read and extremely helpful in communicating the key points in order to achieve success and get immediate results.

Great visuals, practical case examples, insightful teachings, natural flow and based on actual experience.

Simply put, essential reading for the security professional who wants intelligent and relevant information with explanations using up to date and structured methodologies that can be realistically implemented.

Readers don't have to security experts to read this, they just have to want to improve themselves and stay current with modern trends.

Worthy of reading several times over.

I like this body of knowledge of contempory insights on security risk management. This gives me great information, backgrounds and visuals to go with them.