Measuring and Managing Information Risk

Measuring and Managing Information Risk

A FAIR Approach

1st Edition - August 22, 2014

Write a review

  • Authors: Jack Freund, Jack Jones
  • Paperback ISBN: 9780124202313
  • eBook ISBN: 9780127999326

Purchase options

Purchase options
DRM-free (Mobi, PDF, EPub)
Sales tax will be calculated at check-out

Institutional Subscription

Free Global Shipping
No minimum order


Using the factor analysis of information risk (FAIR) methodology developed over ten years and adopted by corporations worldwide, Measuring and Managing Information Risk provides a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity. Intended for organizations that need to either build a risk management program from the ground up or strengthen an existing one, this book provides a unique and fresh perspective on how to do a basic quantitative risk analysis. Covering such key areas as risk theory, risk calculation, scenario modeling, and communicating risk within the organization, Measuring and Managing Information Risk helps managers make better business decisions by understanding their organizational risk.

Key Features

  • Uses factor analysis of information risk (FAIR) as a methodology for measuring and managing risk in any organization.
  • Carefully balances theory with practical applicability and relevant stories of successful implementation.
  • Includes examples from a wide variety of businesses and situations presented in an accessible writing style.


Security and risk executives, directors, managers, and analysts; IT risk managers; information security professionals; students of OpenGroup’s FAIR Certified Risk Analyst Certification Exam; graduate business or IT students taking courses in risk management and IT security.

Table of Contents

    • Acknowledgments by Jack Jones
    • About the Authors
    • Preface by Jack Jones
    • Preface by Jack Freund
    • Chapter 1. Introduction
      • How much risk?
      • The bald tire
      • Assumptions
      • Terminology
      • The bald tire metaphor
      • Risk analysis vs risk assessment
      • Evaluating risk analysis methods
      • Risk analysis limitations
      • Warning—learning how to think about risk just may change your professional life
      • Using this book
    • Chapter 2. Basic Risk Concepts
      • Possibility versus probability
      • Prediction
      • Subjectivity versus objectivity
      • Precision versus accuracy
    • Chapter 3. The FAIR Risk Ontology
      • Decomposing risk
      • Loss event frequency
      • Threat event frequency
      • Contact frequency
      • Probability of action
      • Vulnerability
      • Threat capability
      • Difficulty
      • Loss magnitude
      • Primary loss magnitude
      • Secondary risk
      • Secondary loss event frequency
      • Secondary loss magnitude
      • Ontological flexibility
    • Chapter 4. FAIR Terminology
      • Risk terminology
      • Threat
      • Threat community
      • Threat profiling
      • Vulnerability event
      • Primary and secondary stakeholders
      • Loss flow
      • Forms of loss
    • Chapter 5. Measurement
      • Measurement as reduction in uncertainty
      • Measurement as expressions of uncertainty
      • But we don’t have enough data…and neither does anyone else
      • Calibration
      • Equivalent bet test
    • Chapter 6. Analysis Process
      • The tools necessary to apply the FAIR risk model
      • How to apply the FAIR risk model
      • Process flow
      • Scenario building
      • The analysis scope
      • Expert estimation and PERT
      • Monte Carlo engine
      • Levels of abstraction
    • Chapter 7. Interpreting Results
      • What do these numbers mean? (How to interpret FAIR results)
      • Understanding the results table
      • Vulnerability
      • Percentiles
      • Understanding the histogram
      • Understanding the scatter plot
      • Qualitative scales
      • Heatmaps
      • Splitting heatmaps
      • Splitting by organization
      • Splitting by loss type
      • Special risk conditions
      • Unstable conditions
      • Fragile conditions
      • Troubleshooting results
    • Chapter 8. Risk Analysis Examples
      • Overview
      • Inappropriate access privileges
      • Privileged insider/snooping/confidentiality
      • Privileged insider/malicious/confidentiality
      • Cyber criminal/malicious/confidentiality
      • Unencrypted internal network traffic
      • Privileged insider/confidentiality
      • Nonprivileged insider/malicious
      • Cyber criminal/malicious
      • Website denial of service
      • Analysis
      • Basic attacker/availability
    • Chapter 9. Thinking about Risk Scenarios Using FAIR
      • The boyfriend
      • Security vulnerabilities
      • Web application risk
      • Contractors
      • Production data in test environments
      • Password security
      • Basic Risk Analysis
      • Project prioritization
      • Smart compliance
      • Going into business
      • Chapter summary
    • Chapter 10. Common Mistakes
      • Mistake categories
      • Checking results
      • Scoping
      • Data
      • Variable confusion
      • Mistaking TEF for LEF
      • Mistaking response loss for productivity loss
      • Confusing secondary loss with primary loss
      • Confusing reputation damage with Competitive Advantage loss
      • Vulnerability analysis
    • Chapter 11. Controls
      • Overview
      • High-level control categories
      • Asset-level controls
      • Variance controls
      • Decision-making controls
      • Control wrap up
    • Chapter 12. Risk Management
      • Common questions
      • What we mean by “risk management”
      • Decisions, decisions
      • Solution selection
      • A systems view of risk management
    • Chapter 13. Information Security Metrics
      • Current state of affairs
      • Metric value proposition
      • Beginning with the end in mind
      • Missed opportunities
    • Chapter 14. Implementing Risk Management
      • Overview
      • A FAIR-based risk management maturity model
      • Governance, risks, and compliance
      • Risk frameworks
      • Root cause analysis
      • Third-party risk
      • Ethics
      • In closing
    • Index

Product details

  • No. of pages: 408
  • Language: English
  • Copyright: © Butterworth-Heinemann 2014
  • Published: August 22, 2014
  • Imprint: Butterworth-Heinemann
  • Paperback ISBN: 9780124202313
  • eBook ISBN: 9780127999326

About the Authors

Jack Freund

Dr. Jack Freund is an expert in IT risk management specializing in analyzing and communicating complex IT risk scenarios in plain language to business executives. Jack has been conducting quantitative information risk modeling since 2007. He currently leads a team of risk analysts at TIAA-CREF. Jack has over 15 years in IT and technology consulting for organizations such as Nationwide Insurance, CVS/Caremark, Lucent Technologies, Sony Ericsson, AEP, Wendy’s International, and The State of Ohio.

He holds a BS in CIS, master's in telecommunication and project management, a PhD in information systems, and the CISSP, CISA, CISM, CRISC, CIPP, and PMP certifications. Jack is a visiting professor at DeVry University and a senior member of the ISSA, IEEE, and ACM. Jack chairs a CRISC subcommittee for ISACA and has participated as a member of the Open Group’s risk analyst certification committee. Jack’s writings have appeared in the ISSA Journal, Bell Labs Technical Journal, Columbus CEO magazine, and he currently writes a risk column for @ISACA. You can follow all Jack’s work and writings at

Affiliations and Expertise

Manager, information security risk assessment, TIAA-CREF; visiting professor, DeVry University

Jack Jones

Jack Jones, CISM, CISA, CRISC, CISSP, has been employed in technology for the past thirty years, and has specialized in information security and risk management for twenty-four years. During this time, he’s worked in the United States military, government intelligence, consulting, as well as the financial and insurance industries. Jack has over nine years of experience as a CISO with three different companies, with five of those years at a Fortune 100 financial services company. His work there was recognized in 2006 when he received the 2006 ISSA Excellence in the Field of Security Practices award at that year’s RSA conference.

In 2007, he was selected as a finalist for the Information Security Executive of the Year, Central United States, and in 2012 was honored with the CSO Compass award for leadership in risk management. He is also the author and creator of the Factor Analysis of Information Risk (FAIR) framework. Currently, Jack is co-founder and president of CXOWARE, Inc.

Affiliations and Expertise

Co-founder and president of CXOWARE, Inc.

Ratings and Reviews

Write a review

There are currently no reviews for "Measuring and Managing Information Risk"