This is a work in progress and very much under construction. This is a resource page for quantitative cyber risk topics, techniques, tools and opinion. There are many models out there to perform quantitative cyber risk analysis, but the focus right now is building out topics around Factor Analysis of Information Risk (FAIR) because it's the most widely used. Please contact me if you have comments, suggestions or just to let me know that this is useful.
Regardless of your skill level - beginner or expert - these books are probably on your bookshelf and well worn.
- Measuring and Managing Information Risk: A FAIR Approach by Jack Freund and Jack Jones
- The Failure of Risk Management: Why It’s Broken and How to Fix It by Douglas Hubbard
- How to Measure Anything in Cybersecurity Risk by Douglas Hubbard and Richard Seiersen
Books to take your analysis to the next level...
- Thinking, Fast and Slow by Daniel Kahneman | Truly a remarkable and groundbreaking work on how cognitive bias affects our ability to make decisions, and therefore how well we estimate
Groups, Chapters, Associations...
- Society of Information Risk Analysts | Group whose charter is "To improve the practice of evidence-based information risk analysis." Many members are quantitative-focused. Discussions happen on the Google Group. The annual conference should be considered mandatory for anyone in the field.
- FAIR Institute | Very active non-profit dedicated to advancing Factor Analysis of Information Risk (FAIR) worldwide. Join here (free), then you can participate in FAIR Institute Link, a discussion board. The FAIR Institute LinkedIn group also has good discussion.
- FAIR Institute Local Chapters | There are FAIR Institute local chapters all over the world. Join or start one.
The Problems with Qualitative Methodologies
Problems with scoring methods and ordinal scales in risk assessment by Douglas Hubbard and Dylan Evans
What is FAIR?
Tools and Applications to Perform a FAIR Analysis
There are several applications to perform a FAIR assessment, and you can even roll your own. Here are the tools I know of. I don't endorse any one; in fact, you should try them all. For the free applications, I've indicated whether it's free, as in free beer, or free, as in freedom of speech.
- Basic Risk Analysis – pages 205-214 from “Measuring and Managing Information Risk: a FAIR Approach” | Pen and paper, qualitative method
- FAIR-U | Free (beer), basic version of RiskLens. For non-commercial use only. Registration required.
- RiskLens | Commercial, fee-based FAIR application.
- Evaluator | Free (beer & speech) Open source, OpenFAIR implementation, built on R
- FAIR Tool | Free (beer & speech) Open source application, built on R + Shiny
- OpenFAIR Risk Analysis Tool | (Free beer for a 90-day eval) OpenGroup’s Excel-based application. Registration required. (spreadsheet, data sheet, guide to theory of application)
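If you want to roll your own, the core of every tool above is the same: sample each FAIR factor from a calibrated min/most-likely/max range, multiply Threat Event Frequency by Vulnerability to get Loss Event Frequency, draw a Loss Magnitude for each loss event, and repeat for thousands of simulated years. The following is an added example written for this page, not code from any of the tools listed or from the FAIR Institute. It uses only the Python standard library (a PERT distribution built on `random.betavariate`, a Knuth Poisson sampler), and the scenario numbers at the bottom are constructed for illustration, not taken from any published analysis.

```python
"""Minimal roll-your-own Open FAIR Monte Carlo simulation, stdlib only.

Each factor estimate (min / most likely / max) is sampled from a PERT
distribution; Loss Event Frequency and Loss Magnitude are then combined
into an annualised loss distribution reported as percentiles.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated range for one FAIR factor: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def __post_init__(self):
        if not self.low <= self.mode <= self.high:
            raise ValueError(f"expected low <= mode <= high, got {self}")

    def sample(self, rng: random.Random, lam: float = 4.0) -> float:
        """Draw from a modified PERT distribution. lam=4 is the conventional
        shape parameter; a range with low == high is a point estimate."""
        span = self.high - self.low
        if span == 0:
            return self.low
        alpha = 1.0 + lam * (self.mode - self.low) / span
        beta = 1.0 + lam * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(alpha, beta)


def poisson(rng: random.Random, lam: float) -> int:
    """Events in one year given expected rate lam (Knuth's method; fine for
    the low per-year rates typical of a single FAIR scenario)."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


@dataclass(frozen=True)
class Scenario:
    """FAIR factors for one loss scenario (asset, threat, effect)."""
    tef: Estimate              # Threat Event Frequency: threat events per year
    vulnerability: Estimate    # P(threat event becomes a loss event), 0..1
    primary_loss: Estimate     # Primary Loss Magnitude per loss event
    secondary_prob: Estimate   # P(a loss event also triggers secondary loss), 0..1
    secondary_loss: Estimate   # Secondary Loss Magnitude when it occurs


def simulate_year(s: Scenario, rng: random.Random) -> float:
    """One Monte Carlo trial: total loss for a single simulated year."""
    # Loss Event Frequency = Threat Event Frequency x Vulnerability
    lef = s.tef.sample(rng) * s.vulnerability.sample(rng)
    total = 0.0
    for _ in range(poisson(rng, lef)):
        loss = s.primary_loss.sample(rng)
        if rng.random() < s.secondary_prob.sample(rng):
            loss += s.secondary_loss.sample(rng)
        total += loss
    return total


def annualised_loss(s: Scenario, iterations: int = 10_000, seed: int = 1) -> dict:
    """Run the simulation and summarise the annual loss distribution."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(s, rng) for _ in range(iterations))

    def pct(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "min": losses[0],
        "p10": pct(0.10),
        "mean": statistics.fmean(losses),
        "p90": pct(0.90),
        "max": losses[-1],
    }


# Constructed illustrative inputs (not from any published analysis):
# a privileged insider snooping on customer records, losses in currency units.
EXAMPLE = Scenario(
    tef=Estimate(0.5, 2.0, 6.0),
    vulnerability=Estimate(0.3, 0.6, 0.9),
    primary_loss=Estimate(5_000, 25_000, 120_000),
    secondary_prob=Estimate(0.1, 0.3, 0.6),
    secondary_loss=Estimate(20_000, 100_000, 500_000),
)

if __name__ == "__main__":
    for name, value in annualised_loss(EXAMPLE).items():
        print(f"{name:>4}: {value:,.0f}")
```

Two things worth noticing when comparing this with the tools above: the mean can sit above the 90th percentile when most simulated years have zero loss events, which is why FAIR reports a percentile range rather than a single "expected loss"; and the Vulnerability factor is entered here directly as a probability, whereas the full Open FAIR taxonomy derives it from Threat Capability versus Resistance Strength.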
Examples of Quantitative Risk Analyses
The best way to advance your quantitative risk analysis skills is to read as many as you can, and perform as many as you can. This is one area I need help on - please email me any publicly accessible sample analysis if you know of one not listed here. It does not need to be FAIR, but I would prefer high-quality examples that are thorough from beginning to end.
- There are 11 FAIR analyses in Measuring and Managing Information Risk: A FAIR Approach by Jack Freund and Jack Jones:
  - Inappropriate access privileges – p. 123
  - Privileged insider/snooping – p. 128
  - Privileged insider/malicious – p. 130
  - Cybercriminal – p. 142
  - Unencrypted internal network traffic – p. 150
  - Privileged insider – p. 153
  - Nonprivileged insider – p. 164
  - Malicious cybercriminal – p. 171
  - Website denial of service – p. 175
  - Advanced attacker – p. 177
  - Basic attacker – p. 186
- Weight on a Rope | by Steve Poppe
- Silicon Valley Megastorm | by Steve Poppe
- Project Risk part 1 | by Jack Jones
- Analyze Risk in a Retail Environment | OpenGroup Webinar. Registration required.
- A Cost-Benefit Analysis of Connecting Home Dialysis Machines Online to Hospitals in Norway | OpenGroup white paper. Registration required.
- Business Continuity | by Steve Poppe