E-book, English, 408 pages
Freund / Jones: Measuring and Managing Information Risk. A FAIR Approach
1st edition 2014
ISBN: 978-0-12-799932-6
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: 6 - ePub Watermark
Dr. Jack Freund is a leading voice in cyber risk measurement and management. As VP, Head of Cyber Risk Methodology for BitSight, Jack has overall responsibility for the systemic development and application of frameworks, algorithms, and quantitative and qualitative methods to measure cyber risk. Previously, Jack was Director of Risk Science at quantitative risk management startup RiskLens and Director of Cyber Risk for TIAA. Jack holds a Ph.D. in Information Systems from Nova Southeastern University, a Master's in Telecommunication and Project Management, and a BS in CIS. Jack has been named a Senior Member of the IEEE and ACM, a Fellow of the IAPP and FAIR Institute, and a Distinguished Fellow of the ISSA. He is the 2020 recipient of the (ISC)2 Global Achievement Award, 2018 recipient of ISACA's John W. Lainhart IV Common Body of Knowledge Award, and the FAIR Institute's 2018 FAIR Champion Award.
Further information & material (table of contents with page numbers)
1 Front Cover (p. 1)
2 Measuring and Managing Information Risk (p. 4)
3 Copyright (p. 5)
4 Contents (p. 6)
5 Acknowledgments by Jack Jones (p. 10)
6 About the Authors (p. 12)
7 Preface by Jack Jones (p. 14)
  7.1 WHAT THIS BOOK IS NOT, AND WHAT IT IS (p. 14)
8 Preface by Jack Freund (p. 16)
9 Chapter 1 - Introduction (p. 20)
  9.1 HOW MUCH RISK? (p. 20)
  9.2 THE BALD TIRE (p. 21)
  9.3 ASSUMPTIONS (p. 21)
  9.4 TERMINOLOGY (p. 22)
  9.5 THE BALD TIRE METAPHOR (p. 24)
  9.6 RISK ANALYSIS VS RISK ASSESSMENT (p. 24)
  9.7 EVALUATING RISK ANALYSIS METHODS (p. 25)
  9.8 RISK ANALYSIS LIMITATIONS (p. 27)
  9.9 WARNING—LEARNING HOW TO THINK ABOUT RISK JUST MAY CHANGE YOUR PROFESSIONAL LIFE (p. 28)
  9.10 USING THIS BOOK (p. 29)
10 Chapter 2 - Basic Risk Concepts (p. 32)
  10.1 POSSIBILITY VERSUS PROBABILITY (p. 32)
  10.2 PREDICTION (p. 35)
  10.3 SUBJECTIVITY VERSUS OBJECTIVITY (p. 36)
  10.4 PRECISION VERSUS ACCURACY (p. 42)
11 Chapter 3 - The FAIR Risk Ontology (p. 44)
  11.1 DECOMPOSING RISK (p. 46)
  11.2 LOSS EVENT FREQUENCY (p. 47)
  11.3 THREAT EVENT FREQUENCY (p. 48)
  11.4 CONTACT FREQUENCY (p. 49)
  11.5 PROBABILITY OF ACTION (p. 50)
  11.6 VULNERABILITY (p. 51)
  11.7 THREAT CAPABILITY (p. 52)
  11.8 DIFFICULTY (p. 53)
  11.9 LOSS MAGNITUDE (p. 54)
  11.10 PRIMARY LOSS MAGNITUDE (p. 56)
  11.11 SECONDARY RISK (p. 57)
  11.12 SECONDARY LOSS EVENT FREQUENCY (p. 58)
  11.13 SECONDARY LOSS MAGNITUDE (p. 59)
  11.14 ONTOLOGICAL FLEXIBILITY (p. 59)
12 Chapter 4 - FAIR Terminology (p. 62)
  12.1 RISK TERMINOLOGY (p. 62)
  12.2 THREAT (p. 64)
  12.3 THREAT COMMUNITY (p. 67)
  12.4 THREAT PROFILING (p. 69)
  12.5 VULNERABILITY EVENT (p. 81)
  12.6 PRIMARY AND SECONDARY STAKEHOLDERS (p. 81)
  12.7 LOSS FLOW (p. 82)
  12.8 FORMS OF LOSS (p. 84)
13 Chapter 5 - Measurement (p. 94)
  13.1 MEASUREMENT AS REDUCTION IN UNCERTAINTY (p. 94)
  13.2 MEASUREMENT AS EXPRESSIONS OF UNCERTAINTY (p. 96)
  13.3 BUT WE DON’T HAVE ENOUGH DATA…AND NEITHER DOES ANYONE ELSE (p. 99)
  13.4 CALIBRATION (p. 103)
  13.5 EQUIVALENT BET TEST (p. 104)
14 Chapter 6 - Analysis Process (p. 110)
  14.1 THE TOOLS NECESSARY TO APPLY THE FAIR RISK MODEL (p. 110)
  14.2 HOW TO APPLY THE FAIR RISK MODEL (p. 111)
  14.3 PROCESS FLOW (p. 112)
  14.4 SCENARIO BUILDING (p. 112)
  14.5 THE ANALYSIS SCOPE (p. 115)
  14.6 EXPERT ESTIMATION AND PERT (p. 118)
  14.7 MONTE CARLO ENGINE (p. 120)
  14.8 LEVELS OF ABSTRACTION (p. 122)
15 Chapter 7 - Interpreting Results (p. 124)
  15.1 WHAT DO THESE NUMBERS MEAN? (HOW TO INTERPRET FAIR RESULTS) (p. 124)
  15.2 UNDERSTANDING THE RESULTS TABLE (p. 126)
  15.3 VULNERABILITY (p. 128)
  15.4 PERCENTILES (p. 128)
  15.5 UNDERSTANDING THE HISTOGRAM (p. 129)
  15.6 UNDERSTANDING THE SCATTER PLOT (p. 129)
  15.7 QUALITATIVE SCALES (p. 130)
  15.8 HEATMAPS (p. 132)
  15.9 SPLITTING HEATMAPS (p. 134)
  15.10 SPLITTING BY ORGANIZATION (p. 135)
  15.11 SPLITTING BY LOSS TYPE (p. 136)
  15.12 SPECIAL RISK CONDITIONS (p. 137)
  15.13 UNSTABLE CONDITIONS (p. 138)
  15.14 FRAGILE CONDITIONS (p. 138)
  15.15 TROUBLESHOOTING RESULTS (p. 139)
16 Chapter 8 - Risk Analysis Examples (p. 142)
  16.1 OVERVIEW (p. 142)
  16.2 INAPPROPRIATE ACCESS PRIVILEGES (p. 142)
  16.3 PRIVILEGED INSIDER/SNOOPING/CONFIDENTIALITY (p. 147)
  16.4 PRIVILEGED INSIDER/MALICIOUS/CONFIDENTIALITY (p. 149)
  16.5 CYBER CRIMINAL/MALICIOUS/CONFIDENTIALITY (p. 161)
  16.6 UNENCRYPTED INTERNAL NETWORK TRAFFIC (p. 169)
  16.7 PRIVILEGED INSIDER/CONFIDENTIALITY (p. 172)
  16.8 NONPRIVILEGED INSIDER/MALICIOUS (p. 183)
  16.9 CYBER CRIMINAL/MALICIOUS (p. 190)
  16.10 WEBSITE DENIAL OF SERVICE (p. 194)
  16.11 ANALYSIS (p. 196)
  16.12 BASIC ATTACKER/AVAILABILITY (p. 205)
17 Chapter 9 - Thinking about Risk Scenarios Using FAIR (p. 212)
  17.1 THE BOYFRIEND (p. 213)
  17.2 SECURITY VULNERABILITIES (p. 214)
  17.3 WEB APPLICATION RISK (p. 217)
  17.4 CONTRACTORS (p. 219)
  17.5 PRODUCTION DATA IN TEST ENVIRONMENTS (p. 221)
  17.6 PASSWORD SECURITY (p. 222)
  17.7 BASIC RISK ANALYSIS (p. 224)
  17.8 PROJECT PRIORITIZATION (p. 233)
  17.9 SMART COMPLIANCE (p. 244)
  17.10 GOING INTO BUSINESS (p. 246)
  17.11 CHAPTER SUMMARY (p. 249)
18 Chapter 10 - Common Mistakes (p. 250)
  18.1 MISTAKE CATEGORIES (p. 250)
  18.2 CHECKING RESULTS (p. 250)
  18.3 SCOPING (p. 251)
  18.4 DATA (p. 254)
  18.5 VARIABLE CONFUSION (p. 254)
  18.6 MISTAKING TEF FOR LEF (p. 255)
  18.7 MISTAKING RESPONSE LOSS FOR PRODUCTIVITY LOSS (p. 255)
  18.8 CONFUSING SECONDARY LOSS WITH PRIMARY LOSS (p. 256)
  18.9 CONFUSING REPUTATION DAMAGE WITH COMPETITIVE ADVANTAGE LOSS (p. 256)
  18.10 VULNERABILITY ANALYSIS (p. 257)
19 Chapter 11 - Controls (p. 260)
  19.1 OVERVIEW (p. 260)
  19.2 HIGH-LEVEL CONTROL CATEGORIES (p. 260)
  19.3 ASSET-LEVEL CONTROLS (p. 264)
  19.4 VARIANCE CONTROLS (p. 272)
  19.5 DECISION-MAKING CONTROLS (p. 281)
  19.6 CONTROL WRAP UP (p. 291)
20 Chapter 12 - Risk Management (p. 292)
  20.1 COMMON QUESTIONS (p. 293)
  20.2 WHAT WE MEAN BY “RISK MANAGEMENT” (p. 294)
  20.3 DECISIONS, DECISIONS (p. 298)
  20.4 SOLUTION SELECTION (p. 305)
  20.5 A SYSTEMS VIEW OF RISK MANAGEMENT (p. 306)
21 Chapter 13 - Information Security Metrics (p. 312)
  21.1 CURRENT STATE OF AFFAIRS (p. 312)
  21.2 METRIC VALUE PROPOSITION (p. 313)
  21.3 BEGINNING WITH THE END IN MIND (p. 314)
  21.4 MISSED OPPORTUNITIES (p. 338)
22 Chapter 14 - Implementing Risk Management (p. 354)
  22.1 OVERVIEW (p. 354)
  22.2 A FAIR-BASED RISK MANAGEMENT MATURITY MODEL (p. 355)
  22.3 GOVERNANCE, RISKS, AND COMPLIANCE (p. 369)
  22.4 RISK FRAMEWORKS (p. 375)
  22.5 ROOT CAUSE ANALYSIS (p. 384)
  22.6 THIRD-PARTY RISK (p. 392)
  22.7 ETHICS (p. 393)
  22.8 IN CLOSING (p. 394)
23 Index (p. 396)
  23.1 A (p. 396)
  23.2 B (p. 396)
  23.3 C (p. 397)
  23.4 D (p. 398)
  23.5 E (p. 398)
  23.6 F (p. 399)
  23.7 G (p. 399)
  23.8 H (p. 400)
  23.9 I (p. 400)
  23.10 J (p. 400)
  23.11 K (p. 400)
  23.12 L (p. 400)
  23.13 M (p. 401)
  23.14 N (p. 402)
  23.15 O (p. 403)
  23.16 P (p. 403)
  23.17 Q (p. 404)
  23.18 R (p. 404)
  23.19 S (p. 407)
  23.20 T (p. 408)
  23.21 U (p. 409)
  23.22 V (p. 409)
  23.23 W (p. 410)
  23.24 Z (p. 410)
Preface by Jack Freund
[Figure P.1: IT risk job skills (image not reproduced in this excerpt)]