This is a work in progress and very much under construction. This is a resource page for quantitative cyber risk topics, techniques, tools and opinion. There are many models out there to perform quantitative cyber risk analysis, but the focus right now is building out topics around Factor Analysis of Information Risk (FAIR) because it's the most widely used. Please contact me if you have comments, suggestions or just to let me know that this is useful.
Regardless of your skill level - beginner or expert - these books are probably on your bookshelf and well worn.
Measuring and Managing Information Risk: A FAIR Approach by Jack Freund and Jack Jones
The Failure of Risk Management: Why It’s Broken and How to Fix It by Douglas Hubbard
How to Measure Anything in Cybersecurity Risk by Douglas Hubbard and Richard Seiersen
Risk Analysis: A Quantitative Guide by David Vose
Books to take your analysis to the next level...
Thinking Fast and Slow by Daniel Kanhemen | Truly a remarkable and groundbreaking work on how cognitive bias affects our ability to make decisions
Groups, Chapters, Associations...
Society of Information Risk Analysis | Group who's charter is to "To improve the practice of evidence-based information risk analysis." Many members are quantitative-focused. Discussions happen on the on the Google Group. The annual conference should be considered mandatory to anyone in the field.
FAIR Institute | Very active non-profit dedicated to advanced Factor Analysis of Information Risk (FAIR) world-wide. Join here (free), then you can participate in FAIR Institute Link, a discussion board. The FAIR Institute LinkedIn group also has good discussion.
FAIR Institute Local Chapters | There are FAIR Institute local chapters all over the world. Join or start one.
Some like-minded blogs from other folks…
Exploring Possibility Space by Russell Thomas
The New School of Information Security - blog accompanying the book
Information Security Management by Daniel Blander
Cyentia Institute Blog - excellent resource
Hubbard Decision Research blog - by Doug Hubbard, author many risk books
Probability Management blog - by Dr. Sam Savage
The Evolver blog - Evolver is a security solutions company and posts many interesting articles on FAIR analyses
Below are foundational risk management concepts.
Risk Management & Analysis
Risk Management: Out with the Old, In with the New! by Russell Thomas | One of most succinct and important thought pieces on the subject (blog post)
The Problems with Qualitative Methodologies
Problems with scoring methods and ordinal scales in risk assessment by Douglas Hubbard and Dylan Evans (paper)
What's wrong with risk matrices? by Louis Anthony Cox | seminal post on the topic; behind a paywall but worth it (paper)
The Trouble with Risk Matrices by Kent Wall (paper)
What is FAIR?
What is FAIR? | Web page from FAIR Institute
FAIR FAQ | Web page from FAIR Institute
Tools and Applications to Perform a FAIR Analysis
There are several applications to perform a FAIR assessment and you can even roll your own. Here are the tools I know of. I don’t endorse any one, and in fact – you should try them all. For the free applications, I've indicated whether it's free, as in free beer, or free, as in freedom of speech.
Basic Risk Analysis – pages 205-214 from “Measuring and Managing Information Risk: a FAIR Approach” | Pen and paper, qualitative method
FAIR-U | Free (beer), basic version of RiskLens. For non-commercial use only. Registration required.
RiskLens | Commercial, fee-based FAIR application.
Evaluator | Free (beer & speech) Open source, OpenFAIR implementation, built and run on R
PyFair | FAIR implementation built on Python
FAIR Tool | Free (beer & speech) Open source application, built on R + Shiny
Examples of Quantitative Risk Analyses
The best way to advance your quantitative risk analysis skills is to read as many as you can, and perform as many as you can. This is one area I need help on - please email me any publicly accessible sample analysis if you know of one not listed here. It does not need to be FAIR, but would prefer high-quality examples that are thorough from beginning to end.
Risk analyses by David Vose, using Model Risk - David Vose has posted many sample risk analyses using Model Risk, many of which can be performed using the free edition. If you are learning quantitative risk, or want to learn other models, I highly recommend working through these. They are not information security specific, but they don’ t need to be to learn the techniques.
RiskLens Case Studies - Case studies of FAIR analyses by RiskLens
There are 11 FAIR analyses in Measuring and Managing Information Risk: A FAIR Approach by Jack Freund and Jack Jones.
Inappropriate access privileges – p. 123
Privileged Insider/snooping – p. 128
Privileged Insider/malicious – p. 130
Cybercriminal – p. 142
Unencrypted internal network traffic – p. 150
Privileged insider – p. 153
Nonprivileged insider – p. 164
Malicious cybercriminal – p. 171
Website denial of service – p. 175
Advanced attacker – p. 177
Basic attacker – p. 186
Weight on a Rope | by Steve Poppe
Silicon Valley Megastorm | by Steve Poppe
Project Risk part 1 | by Jack Jones
Analyze Risk in a Retail Environment | OpenGroup Webinar. Registration required.
A Cost-Benefit Analysis of Connecting Home Dialysis Machines Online to Hospitals in Norway | OpenGroup white paper. Registration required.
Business Continuity | by Steve Poppe