Information Security Risk Analysis

by
Thomas R. Peltier, Auerbach
 

May 2001

Reviewed by Peter Stephenson

Oh, happy day! Someone has finally written a solid, definitive book on risk analysis. And not just someone; Tom Peltier, perennial security icon, speaker and all around infosec curmudgeon. Tom, a colleague for many years, has been one of the most vocal, outspoken proponents of risk analysis in our industry ("It's Risk Analysis ... NOT Risk Assessment! You analyze risks and you assess vulnerabilities."). He is the developer of the facilitated risk analysis process (FRAP) approach and an expert in most other risk analysis methods ("It's not a methodology. Methodology is the study of methods.").

Tom has collected a few of the more common risk analysis methods, but the book focuses on FRAP. That is one of its strengths. The reader gets a chance to see FRAP in the context of other approaches. And, because the author has included all of the forms and procedures you need to conduct a FRAP, the book also is a road map to a successful analysis.

Tom has broken Information Security Risk Analysis into several chapters beginning with four chapters on methods other than FRAP. He covers analysis in general, qualitative analysis and value analysis. He hits the good, the bad and the ugly and comes around to FRAP as an antidote for the bad and the ugly - ugly, in my opinion, being the endless collection of data resulting in an analysis so hopelessly out-of-date as to be meaningless. FRAP gets the job done, gets it done rapidly and involves all of the stakeholders so ultimate buy-in is much less of a problem. He points out, however, that in any given enterprise, any one or combination of the risk analysis methods discussed may be appropriate because no single size fits all.

The writing in Information Security Risk Analysis is, as one would expect, first rate, the information right on target and the approach logical and well organized. This book is another from my 'Christmas in February' bundle from Rich O'Hanley at Auerbach and it is well worth any reasonable effort you might need to expend to acquire it. The prepared forms and case study alone are worth the price of the book.

There is no doubt that we need to perform risk analysis from time to time - he even tells you when to consider doing one. There is, equally, no doubt that risk analysis can be a painful process. Information Security Risk Analysis can help ease the pain and get the job done for you. You need to do risk analysis? OK, then - buy the book! Five stars! Only because that's all I've got.

Contact Information:
Information Security Risk Analysis
Thomas R. Peltier, Auerbach
271 pages
ISBN 0 8493 08801

SC On-Line
SC Magazine
www.scmagazine.com

Copyright © 2001 West Coast Publishing. All rights reserved.