This is a work in progress and very much under construction. This is a resource page for quantitative cyber risk topics, techniques, tools and opinion. There are many models out there to perform quantitative cyber risk analysis, but the focus right now is building out topics around Factor Analysis of Information Risk (FAIR) because it's the most widely used. Please contact me if you have comments, suggestions or just to let me know that this is useful.

Foundational Texts

Regardless of your skill level - beginner or expert - these books are probably on your bookshelf and well worn.

Books to take your analysis to the next level...

  • Thinking, Fast and Slow by Daniel Kahneman | Truly a remarkable and groundbreaking work on how cognitive bias affects our ability to make decisions

Groups, Chapters, Associations...

The Problems with Qualitative Methodologies

Problems with scoring methods and ordinal scales in risk assessment by Douglas Hubbard and Dylan Evans

What is FAIR?

Tools and Applications to Perform a FAIR Analysis

There are several applications to perform a FAIR assessment, and you can even roll your own. Here are the tools I know of. I don't endorse any one of them; in fact, you should try them all. For the free applications, I've indicated whether it's free as in free beer, or free as in freedom of speech.

  • Basic Risk Analysis – pages 205-214 from “Measuring and Managing Information Risk: a FAIR Approach” | Pen and paper, qualitative method
  • FAIR-U | Free (beer), basic version of RiskLens. For non-commercial use only. Registration required.
  • RiskLens | Commercial, fee-based FAIR application.
  • Evaluator | Free (beer & speech). Open source OpenFAIR implementation, built and run on R
  • FAIR Tool | Free (beer & speech). Open source application, built on R + Shiny
  • OpenFAIR Risk Analysis Tool | Free beer for a 90-day eval. The Open Group's Excel-based application. Registration required. (spreadsheet, data sheet, guide to the theory of the application)

Examples of Quantitative Risk Analyses

The best way to advance your quantitative risk analysis skills is to read as many analyses as you can, and to perform as many as you can. This is one area I need help with: please email me any publicly accessible sample analysis if you know of one not listed here. It does not need to be FAIR, but I would prefer high-quality examples that are thorough from beginning to end.

FAIR Analyses