Security Risk Management

1st Edition

Building an Information Security Risk Management Program from the Ground Up

Print ISBN: 9781597496155
eBook ISBN: 9781597496162
Imprint: Syngress
Published Date: 17th May 2011
Page Count: 360


The goal of Security Risk Management is to teach you practical techniques that you will use on a daily basis, while also explaining the fundamentals so that you understand the rationale behind these practices. Security professionals often fall into the trap of telling the business that it needs to fix something without being able to explain why. This book will help you break free from the so-called "best practices" argument by articulating risk exposures in business terms. You will learn techniques for performing risk assessments on new IT projects, for efficiently managing daily risk activities, and for qualifying the current risk level for presentation to executive-level management. While other books focus entirely on risk analysis methods, this is the first comprehensive guide to managing security risks.

Key Features

  • Named a 2011 Best Governance and ISMS Book by InfoSec Reviews
  • Includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment
  • Explores each phase of the risk management lifecycle, focusing on policies and assessment processes that should be used to properly assess and mitigate risk
  • Presents a roadmap for designing and implementing a security risk management program


CISOs, Security Managers, IT Managers, Security Consultants, IT Auditors, Security Analysts, and Students in Information Security/Assurance college programs

Table of Contents

PART I. Introduction to Risk Management

Chapter 1. The Security Evolution
Information in this Chapter:
  • How We Got Here
  • A Risk-Focused Future
  • Information Security Fundamentals
  • The Death of Information Security

Chapter 2. Risky Business
Information in this Chapter:
  • Applying Risk Management to Information Security
  • Business-Driven Security Program
  • Security as an Investment
  • Qualitative versus Quantitative

Chapter 3. The Risk Management Lifecycle
Information in this Chapter:
  • Stages of the Risk Management Lifecycle
  • Business Impact Assessment
  • A Vulnerability Assessment Is Not a Risk Assessment
  • Making Risk Decisions
  • Mitigation Planning and Long-Term Strategy
  • Process Ownership

PART II. Risk Assessment and Analysis Techniques

Chapter 4. Risk Profiling
Information in this Chapter:
  • How Risk Sensitivity Is Measured
  • Asking the Right Questions
  • Assessing Risk Appetite

Chapter 5. Formulating a Risk
Information in this Chapter:
  • Breaking Down a Risk
  • Who or What Is the Threat?

Chapter 6. Risk Exposure Factors
Information in this Chapter:
  • Qualitative Risk Measures
  • Risk Assessment

Chapter 7. Security Controls and Services
Information in this Chapter:
  • Fundamental Security Services
  • Recommended Controls

Chapter 8. Risk Evaluation and Mitigation Strategies
Information in this Chapter:
  • Risk Evaluation


© Syngress 2011


Best Governance and ISMS Books 2011, InfoSec Reviews


"Evan Wheeler has developed a much needed new approach to the field of security risk management. Readers familiar with this field of study will find that it does what he says he wants it to do: shake the old risk paradigms out of their roots and plant something fresh and useful today."--Dennis Treece, Colonel, US Army (Retired)/Chief Security Officer, Massachusetts Port Authority-Boston

"Wheeler’s book is predominantly a practitioner’s guide to security risk management but can also be used as a teaching text to help engineers, students of security, information assurance, or information systems more broadly. The key message that Wheeler is emphasizing is that risk is at the core of security, and at the heart of every business. Although the book lacks key referencing from academic literature, it can still be used as the basis for setting a large-scale team assignment on devising a risk management program from the ground up for a real organisation. Security professionals in banks will particularly find the book relevant."--Computers and Security

"This book is packed with practical tips and the information contained throughout provides a good overview of the subject matter. The author explains the fundamentals of risk identification, assessment and management, exploring the differences between a vulnerability assessment and a risk assessment, and also providing rationales behind each of the subjects covered. This is not a technical book and the author generally avoids detailed technical analysis; rather it is an aide-mémoire for Security Risk Management. …his book is recommended, in particular, for those beginning a career in Risk Management. It also provides a useful reference for current risk professionals who perhaps could benefit from a book that helps refine and further improve their current skillset."--Best Governance and ISMS Books in InfoSecReviews Book Awards