Information Security Risk Analysis, Second Edition

Information Security Risk Analysis, Second Edition enables CIOs, CSOs, and MIS managers to understand when, why, and how risk assessments and analyses can be conducted effectively. This book discusses the principle of risk management and its three key elements: risk analysis, risk assessment, and vulnerability assessment. It examines the differences between quantitative and qualitative risk assessment, and details how various types of qualitative risk assessment can be applied to the assessment process. The text offers a thorough discussion of recent changes to FRAAP and the need to develop a pre-screening method for risk assessment and business impact analysis. ---------------------Features--------------------- · Analyzes risk analysis, risk assessment, and vulnerability assessments · Introduces System Development Life Cycle (SDLC) and Business Process Life Cycle (BPLC), and integrates risk analysis and assessment into these processes · Discusses the need to develop a standard set of controls, and details how to apply regulations such as GLBA, HIPPA, SOX, ISO 17799, and others · Explains how to use qualitative risk assessment concepts and FRAAP to conduct business impact analyses and determine information classification requirements · Contains samples of forms, controls, policies, letters, and spreadsheets needed to complete the risk analysis and assessment processes

Mr. Peltier's approach, while not as scientific, is far more powerful because it involves all stakeholders through his unique facilitated risk analysis process (FRAP), and produces findings and assessments that are clear and easy for non-technical people to understand. His approach is also thorough and business-focused. From the beginning this book grabs your attention. By page four I was completely drawn in by his use of a life cycle of the risk analysis process, and how he closely tied it to tasks and deliverables, and quality. He explains the strengths and weaknesses of qualitative analysis, then moves into a chapter that describes his approach to performing it. This is where I became sold. The approach is comprehensive and task-oriented. Every key factor, from financial loss to legal implications, are covered and qualitatively assessed using a valuation score. This section also has numerous checklists, tables and data with which to perform the analysis. These are augmented in the next chapter on value analysis, and by the time I finished it I was not only "sold", but a proponent of this approach.

The heart of this book and approach is the facilitated risk analysis process that extends the process to a team of stakeholders. The value is that the business itself is an active participant and assumes ownership of the findings, deliverables and action plan. I contrasted this with my past approach and saw that one of the reasons why assessments done by "experts" were difficult to move into the implementation phase is because the so-called beneficiaries of the work couldn't relate to the reasons or importance. Using Mr. Peltier's approach, information security becomes everyone's responsibility - an ideal situation in the eyes of any security professional.

The remainder of the book is filled with case studies and more tables and checklists. In fact, if you purchased this book for the tables and checklists alone you would be getting a bargain. My only complaint is these were not provided in electronic format as well.

If you perform information security risk analysis, or business continuity or disaster recovery planning this book is "must reading". Others outside of the primary audience who will find this book valuable include project managers (the qualitative risk approach will be equally effective in project planning and control), and facilities managers. This book earns a solid 5 stars and Mr. Peltier earns my gratitude for showing me a better way.


Superb book - explains the details   September 25, 2001
Linda Zarate (Azusa, CA United States)
14 out of 14 found this review helpful

This is an excellent introduction to risk analysis in general and a highly effective guide for conducting a security risk analysis.

Of the 281 pages in this book, 156 pages are devoted to the seven chapters comprising the "how to" and case study, with the remaining pages allocated to six highly valuable appendices.

Chapter 1, Effective Risk Analysis, starts the book by discussing risk analysis in general, including common approaches, and leads into the author's approach. The next chapter covers qualitative risk analysis, followed by a chapter on value analysis. By this point it's clear that the author's philosophy is to capture major risks, cost data and develop impact without getting bogged down in complex methods. I liked chapter 4, which discusses other qualitative methods, their strengths and weaknesses, which adds context to the heart of this book: Chapter 5, Facilitated Risk Analysis Process. In a nutshell, this approach involves all stakeholders and spreads the responsibility and accountability for identifying, analyzing and prioritizing risks. This is as it should be because security should be everyone's job, and the stakeholders (led by subject matter experts) are the best source of authority for making trade-offs and allocating resources to ensure the degree of security that consensus dictates. Since security is, in part, a function of trade-offs, the Facilitated Analysis Risk Process proposed by the author is an effective and essential process supporting security. Chapter 6 covers other uses of qualitative risk analysis, and is though-provoking and informative. The case study in chapter 7 ties together the preceding chapters and concludes the text on risk analysis.

The appendices are, in my opinion, invaluable. Like a previous reviewer I lament the fact that the tables and forms were not included in electronic format, but this is a minor quibble on my part. Appendix A is a comprehensive, 25-page questionnaire that covers every facet of security risks. Appendix B contains a reproduction of every form associated with the Facilitated Risk Analysis Process (Scope/Business Process Identification, Action Plan, Final Report, Controls List, Risk List and Controls/Risk Cross-Reference List). Business Impact Analysis forms are provided in Appendix C, and a sample report is provided in Appendix D. Threat definitions are provided in Appendix E, and three short papers authored by other experts giving other opinions of risk analysis are the subject of Appendix F.

Overall this is a highly focused book that should not be ignored by anyone who is responsible for security, business continuity or disaster recovery planning. Even if you are more apt to use quantitative methods instead of the qualitative methods proposed by the author, this book is still an important work on security risk analysis. The appendices alone are worth the price of the book.


Great resource   July 17, 2007
Infosec professional (NY United States)
An excellent resource on risk analysis techniques and methodolgies. The breadth and depth of coverage fits a wide range of audience. I work in information security and found the concepts and details very very helpful and ones I could relate to in my work. The organization of the chapters and overall book is very logical and facilitates overall readability. I wuld highly recommend this book to anyone working in any aspect of risk assessment/management.

2 thumbs up!


AWESOME!!!   July 7, 2005
Eric Kent (USA)
4 out of 9 found this review helpful

This is a great book about risk. Very valuable. Written in a clear and easy to understand style.

A bargain at 5 times the price. You can't get this info and data anywhere else.


A very good kick-off book on Risk Analysis   November 15, 2001
Diego Baldini (Helsinki, Finland)
14 out of 15 found this review helpful

This is the only book that provides a general overview of what a Risk Analysis is, and I consider it a very good basis for learning how to perform a Risk Analysis and evaluate the risks. Anyway, it is my personal opinion that there are no standard methods to be used: a good Risk Analyst stays to a good Risk Analysis, like a good tailor stays to a good suit. Every time that you will have to perform a Risk Analysis, you will decide with the team or with the customer what kind of methods are going to be used and wich kind of evaluation parameters are going to be taken into consideration. Another thing that I disagree about, is the time that should be spent on the Risk Analysis: to perform a good analysis in ten days, is like expecting a persian carpet to be made in one week or a good italian meal to be served in three minutes.