I’m Writing A Book

Earlier this year my good friend Jack Jones and I entered into a contract with Elsevier imprint Butterworth-Heinemann to write a book on the risk assessment methodology FAIR. We will deliver the final manuscript in the first quarter of 2014 and it should be in print next summer/fall. The book is tentatively titled Measuring and Managing Information Risk: A FAIR Approach.

It is a real honor to be able to write about a topic I love with the industry visionary that taught me how to do it.

From the beginning, when Jack and I first began talking about this book (over dinner in the early summer of 2012) we wanted to write a conversational book to teach risk practitioners how to do FAIR. We didn’t want to write a risk textbook, and to be sure this is not a math book. It is very much intended to be an accessible book to help people understand how to take the work they are currently doing in risk management and improve the results quickly using applied methods and techniques. And don’t worry: our trademark senses of humor will be firmly intact throughout (my tongue always seems to be firmly ensconced in my cheek).

This book has been a long time coming. FAIR has evolved significantly since Jack Jones first published the FAIR whitepaper in 2005. Jack and I have conducted numerous FAIR training sessions and classes that detail the evolution of this now industry standard, but one thing is still a challenge for many people: how to apply FAIR to the daily security scenarios they face. This book walks through a range of scenarios to help lift the fog and give people “Ah-Ha” moments, because they will quickly find examples that resemble scenarios they are facing today, or application techniques that will help them better model the risk they are already modeling in FAIR. We take it further by showing you how to present risk scenarios to management and how to integrate FAIR with many popular risk assessment standards (NIST, ISO, etc.).

When you are done reading this book, you will know how to apply FAIR anywhere to model the risk associated with virtually anything. And it will also be a great reference for those looking to earn the Open Group’s upcoming FAIR Risk Analyst certification.

Naturally, writing a book takes a lot of work, which is why my writing here has been sketchy these past couple of months. In the meantime, you can get a preview of the book from a blog post Jack wrote on what risk management is and how to practice it.

Most Likely Fined Like

A recent article in Insurance and Technology made me think about the nature of identity as it relates to information risk management. Looking at the list of companies from which data is being collected, I can’t help but wonder whether these companies are similar enough to support some basic risk assumptions about them.

Of the various loss forms in a FAIR loss magnitude assessment, the one this helps with is Fines and Judgments. In other words, I’m drawing a line from Cuomo’s request to a concept I’m calling “Most Likely Fined Like” (MLFL). What makes this interesting to me is that these companies are not all the same kind of insurance company. Many companies on this list would balk at being considered like each other. Some do life insurance, some car insurance, others health insurance, and some do all of this plus financial services, investments, etc. All of this contributes to different kinds of loss (their primary value propositions obviously differ). These companies also have different public profiles, which contributes to how often they will be attacked.

This sort of analysis is the core of a sophisticated risk analysis. Looking at secondary loss factors can be tricky, because these values tend to get more abstract, but Most Likely Fined Like is a useful mental model for grabbing data points from other companies and expanding the pool of data from which you extrapolate your ranges. You may get pushback: “We don’t sell commercial auto policies,” or “We are a financial services company that happens to sell annuities.” I’m not defining corporate identity, strategy, or vision here. I’m trying to build a model of the reality in which we are operating. And I sense that if any company on this list were to receive a regulatory fine due to an information security failure, that would be a great data point for any of the others. This is a risk assessment technique you can keep in your pocket for the next time you are in a tough spot identifying loss values.
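To make the MLFL idea concrete, here is an added example (not from the original post, and not Jack’s or the FAIR standard’s code) that shows the difference between an “exact match” peer pool and an MLFL pool when deriving a Fines and Judgments range. The peer companies, their lines of business and the fine amounts are all constructed for illustration; none of them are real regulatory actions. The final step feeds the pooled min / most likely / max into a PERT distribution and runs a Monte Carlo simulation, which is the common way FAIR analyses turn a range estimate into a loss distribution; the PERT shape parameter and the use of the median as a stand-in for “most likely” are my assumptions.

```python
"""Most Likely Fined Like (MLFL): pooling peer-company fines to estimate the
Fines and Judgments loss form for a FAIR analysis.

Added example, not code from the original post. Every company name, line of
business and fine amount below is CONSTRUCTED for illustration only.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Fine:
    company: str          # hypothetical peer company
    lines: frozenset      # lines of business that peer operates in
    amount: float         # constructed USD fine for an infosec failure


# Constructed data set: hypothetical peers from "the regulator's list".
PEER_FINES = [
    Fine("Peer A", frozenset({"life"}), 250_000),
    Fine("Peer B", frozenset({"auto", "home"}), 1_000_000),
    Fine("Peer C", frozenset({"health"}), 1_500_000),
    Fine("Peer D", frozenset({"life", "annuities", "investments"}), 3_200_000),
    Fine("Peer E", frozenset({"health", "life"}), 700_000),
    Fine("Peer F", frozenset({"auto"}), 400_000),
]


def exact_match_pool(our_lines, fines):
    """Narrow pool: only peers with exactly the same lines of business.
    This is what the "we don't sell commercial auto" pushback amounts to."""
    return [f for f in fines if f.lines == our_lines]


def mlfl_pool(our_lines, fines, min_overlap=1):
    """MLFL pool: any peer sharing at least `min_overlap` lines of business.
    With min_overlap=0 every company on the regulator's list is a data point."""
    return [f for f in fines if len(f.lines & our_lines) >= min_overlap]


def fines_range(pool):
    """Turn a pool of data points into a FAIR-style (min, most likely, max).

    Returns None when the pool is too thin to extrapolate from, which is the
    signal to widen the pool rather than guess. The median stands in for
    "most likely" here (assumption); with more data you would use the mode.
    """
    if len(pool) < 3:
        return None
    amounts = sorted(f.amount for f in pool)
    return amounts[0], statistics.median(amounts), amounts[-1]


def pert_sample(lo, ml, hi, rng, lam=4.0):
    """One draw from a PERT (modified beta) distribution over [lo, hi] with
    mode ml. lam=4 is the conventional PERT shape parameter (assumption)."""
    if hi == lo:
        return lo
    a = 1 + lam * (ml - lo) / (hi - lo)
    b = 1 + lam * (hi - ml) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)


def simulate(lo, ml, hi, n=10_000, seed=1):
    """Monte Carlo over the range; returns summary statistics of the draws."""
    rng = random.Random(seed)
    draws = sorted(pert_sample(lo, ml, hi, rng) for _ in range(n))
    return {"mean": statistics.fmean(draws), "p90": draws[int(0.9 * n)]}


if __name__ == "__main__":
    us = frozenset({"life", "annuities"})  # hypothetical "our company"
    print("exact match :", fines_range(exact_match_pool(us, PEER_FINES)))
    print("MLFL overlap:", fines_range(mlfl_pool(us, PEER_FINES)))
    print("MLFL all    :", fines_range(mlfl_pool(us, PEER_FINES, 0)))
    lo, ml, hi = fines_range(mlfl_pool(us, PEER_FINES))
    print("simulation  :", simulate(lo, ml, hi))
```

Run as-is, the exact-match pool for a hypothetical life-and-annuities company returns nothing usable, the overlap-based MLFL pool yields a (250k, 700k, 3.2M) range, and widening to the whole list pulls the most-likely value up to 850k. The point is not the numbers, which are made up, but that the pooling rule you choose is itself an analytic decision worth writing down next to the range.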