<< 1 >>
Rating: 
Summary: Awesome Content - hurried writing
Review: I believe that this book was pushed out to the presses much too quickly. Be prepared to rewrite some of the processes because of poor writing (and/or proof reading). Some of the steps in the Qualitative Risk Analysis just strait up don't make sense.However I give it two thumbs up for content. This book helped me with disaster planning tremendously. Bottom line this book is worth the money and deserves/needs a second edition.
Rating:
Summary: Awesome Content - hurried writing
Review: I believe that this book was pushed out to the presses much too quickly. Be prepared to rewrite some of the processes because of poor writing (and/or proof reading). Some of the steps in the Qualitative Risk Analysis just strait up don't make sense. However I give it two thumbs up for content. This book helped me with disaster planning tremendously. Bottom line this book is worth the money and deserves/needs a second edition.
Rating:
Summary: Qualitative not Quantitative
Review: The book outlines - over the course of about 50 pages - a simple and qualitative risk metric. IF one is looking for a method to quantify risk then look elsewhere; perhaps to a professional actuary.
Overall it is a decent book for an introduction to qualitative risk analysis.
Rating:
Summary: Qualitative not Quantitative
Review: The book outlines - over the course of about 50 pages - a simple and qualitative risk metric. IF one is looking for a method to quantify risk then look elsewhere; perhaps to a professional actuary. Overall it is a decent book for an introduction to qualitative risk analysis; however, it is very basic and one cannot base any serious work off it.
Rating:
Summary: Painfull but good
Review: This book contains some great information for performing risk analysis. The content however appears to have never been reread and contains many errors and typos. The book also contains about 100 pages of regular text and approx. 300 pages of tables which are not available in an electronic format. So basically if your going to use the book for real life analysis, be prepared to retype all the tables that appeal to you. It is truely unfortunate that there is no mechanism for obtaining an electronic version of the tables in this book.
As far as technical content, the book is very good and does a great job of breaking in someone new to the world of risk analysis.
Rating: 
Summary: Completely changed my way of thinking
Review: This book has radically influenced my approach to security risk management. In the past I had nothing but disdain for any qualitative approach to risk assessment, whether it was for security, project management or disaster recovery. My philosophy was that if you couldn't produce a probability curve you didn't have the full picture. The problem with that philosophy is the very people for whom you are doing the assessment typically do not care about probability curves - if they understand them at all. Mr. Peltier's approach, while not as scientific, is far more powerful because it involves all stakeholders through his unique facilitated risk analysis process (FRAP), and produces findings and assessments that are clear and easy for non-technical people to understand. His approach is also thorough and business-focused. From the beginning this book grabs your attention. By page four I was completely drawn in by his use of a life cycle of the risk analysis process, and how he closely tied it to tasks and deliverables, and quality. He explains the strengths and weaknesses of qualitative analysis, then moves into a chapter that describes his approach to performing it. This is where I became sold. The approach is comprehensive and task-oriented. Every key factor, from financial loss to legal implications, are covered and qualitatively assessed using a valuation score. This section also has numerous checklists, tables and data with which to perform the analysis. These are augmented in the next chapter on value analysis, and by the time I finished it I was not only "sold", but a proponent of this approach. The heart of this book and approach is the facilitated risk analysis process that extends the process to a team of stakeholders. The value is that the business itself is an active participant and assumes ownership of the findings, deliverables and action plan. I contrasted this with my past approach and saw that one of the reasons why assessments done by "experts" were difficult to move into the implementation phase is because the so-called beneficiaries of the work couldn't relate to the reasons or importance. Using Mr. Peltier's approach, information security becomes everyone's responsibility - an ideal situation in the eyes of any security professional. The remainder of the book is filled with case studies and more tables and checklists. In fact, if you purchased this book for the tables and checklists alone you would be getting a bargain. My only complaint is these were not provided in electronic format as well. If you perform information security risk analysis, or business continuity or disaster recovery planning this book is "must reading". Others outside of the primary audience who will find this book valuable include project managers (the qualitative risk approach will be equally effective in project planning and control), and facilities managers. This book earns a solid 5 stars and Mr. Peltier earns my gratitude for showing me a better way.
Rating:
Summary: Completely changed my way of thinking
Review: This book has radically influenced my approach to security risk management. In the past I had nothing but disdain for any qualitative approach to risk assessment, whether it was for security, project management or disaster recovery. My philosophy was that if you couldn't produce a probability curve you didn't have the full picture. The problem with that philosophy is the very people for whom you are doing the assessment typically do not care about probability curves - if they understand them at all. Mr. Peltier's approach, while not as scientific, is far more powerful because it involves all stakeholders through his unique facilitated risk analysis process (FRAP), and produces findings and assessments that are clear and easy for non-technical people to understand. His approach is also thorough and business-focused. From the beginning this book grabs your attention. By page four I was completely drawn in by his use of a life cycle of the risk analysis process, and how he closely tied it to tasks and deliverables, and quality. He explains the strengths and weaknesses of qualitative analysis, then moves into a chapter that describes his approach to performing it. This is where I became sold. The approach is comprehensive and task-oriented. Every key factor, from financial loss to legal implications, are covered and qualitatively assessed using a valuation score. This section also has numerous checklists, tables and data with which to perform the analysis. These are augmented in the next chapter on value analysis, and by the time I finished it I was not only "sold", but a proponent of this approach. The heart of this book and approach is the facilitated risk analysis process that extends the process to a team of stakeholders. The value is that the business itself is an active participant and assumes ownership of the findings, deliverables and action plan. I contrasted this with my past approach and saw that one of the reasons why assessments done by "experts" were difficult to move into the implementation phase is because the so-called beneficiaries of the work couldn't relate to the reasons or importance. Using Mr. Peltier's approach, information security becomes everyone's responsibility - an ideal situation in the eyes of any security professional. The remainder of the book is filled with case studies and more tables and checklists. In fact, if you purchased this book for the tables and checklists alone you would be getting a bargain. My only complaint is these were not provided in electronic format as well. If you perform information security risk analysis, or business continuity or disaster recovery planning this book is "must reading". Others outside of the primary audience who will find this book valuable include project managers (the qualitative risk approach will be equally effective in project planning and control), and facilities managers. This book earns a solid 5 stars and Mr. Peltier earns my gratitude for showing me a better way.
Rating:
Summary: Superb book - explains the details
Review: This is an excellent introduction to risk analysis in general and a highly effective guide for conducting a security risk analysis. Of the 281 pages in this book, 156 pages are devoted to the seven chapters comprising the "how to" and case study, with the remaining pages allocated to six highly valuable appendices. Chapter 1, Effective Risk Analysis, starts the book by discussing risk analysis in general, including common approaches, and leads into the author's approach. The next chapter covers qualitative risk analysis, followed by a chapter on value analysis. By this point it's clear that the author's philosophy is to capture major risks, cost data and develop impact without getting bogged down in complex methods. I liked chapter 4, which discusses other qualitative methods, their strengths and weaknesses, which adds context to the heart of this book: Chapter 5, Facilitated Risk Analysis Process. In a nutshell, this approach involves all stakeholders and spreads the responsibility and accountability for identifying, analyzing and prioritizing risks. This is as it should be because security should be everyone's job, and the stakeholders (led by subject matter experts) are the best source of authority for making trade-offs and allocating resources to ensure the degree of security that consensus dictates. Since security is, in part, a function of trade-offs, the Facilitated Analysis Risk Process proposed by the author is an effective and essential process supporting security. Chapter 6 covers other uses of qualitative risk analysis, and is though-provoking and informative. The case study in chapter 7 ties together the preceding chapters and concludes the text on risk analysis. The appendices are, in my opinion, invaluable. Like a previous reviewer I lament the fact that the tables and forms were not included in electronic format, but this is a minor quibble on my part. Appendix A is a comprehensive, 25-page questionnaire that covers every facet of security risks. Appendix B contains a reproduction of every form associated with the Facilitated Risk Analysis Process (Scope/Business Process Identification, Action Plan, Final Report, Controls List, Risk List and Controls/Risk Cross-Reference List). Business Impact Analysis forms are provided in Appendix C, and a sample report is provided in Appendix D. Threat definitions are provided in Appendix E, and three short papers authored by other experts giving other opinions of risk analysis are the subject of Appendix F. Overall this is a highly focused book that should not be ignored by anyone who is responsible for security, business continuity or disaster recovery planning. Even if you are more apt to use quantitative methods instead of the qualitative methods proposed by the author, this book is still an important work on security risk analysis. The appendices alone are worth the price of the book.
Rating:
Summary: Superb book - explains the details
Review: This is an excellent introduction to risk analysis in general and a highly effective guide for conducting a security risk analysis. Of the 281 pages in this book, 156 pages are devoted to the seven chapters comprising the "how to" and case study, with the remaining pages allocated to six highly valuable appendices. Chapter 1, Effective Risk Analysis, starts the book by discussing risk analysis in general, including common approaches, and leads into the author's approach. The next chapter covers qualitative risk analysis, followed by a chapter on value analysis. By this point it's clear that the author's philosophy is to capture major risks, cost data and develop impact without getting bogged down in complex methods. I liked chapter 4, which discusses other qualitative methods, their strengths and weaknesses, which adds context to the heart of this book: Chapter 5, Facilitated Risk Analysis Process. In a nutshell, this approach involves all stakeholders and spreads the responsibility and accountability for identifying, analyzing and prioritizing risks. This is as it should be because security should be everyone's job, and the stakeholders (led by subject matter experts) are the best source of authority for making trade-offs and allocating resources to ensure the degree of security that consensus dictates. Since security is, in part, a function of trade-offs, the Facilitated Analysis Risk Process proposed by the author is an effective and essential process supporting security. Chapter 6 covers other uses of qualitative risk analysis, and is though-provoking and informative. The case study in chapter 7 ties together the preceding chapters and concludes the text on risk analysis. The appendices are, in my opinion, invaluable. Like a previous reviewer I lament the fact that the tables and forms were not included in electronic format, but this is a minor quibble on my part. Appendix A is a comprehensive, 25-page questionnaire that covers every facet of security risks. Appendix B contains a reproduction of every form associated with the Facilitated Risk Analysis Process (Scope/Business Process Identification, Action Plan, Final Report, Controls List, Risk List and Controls/Risk Cross-Reference List). Business Impact Analysis forms are provided in Appendix C, and a sample report is provided in Appendix D. Threat definitions are provided in Appendix E, and three short papers authored by other experts giving other opinions of risk analysis are the subject of Appendix F. Overall this is a highly focused book that should not be ignored by anyone who is responsible for security, business continuity or disaster recovery planning. Even if you are more apt to use quantitative methods instead of the qualitative methods proposed by the author, this book is still an important work on security risk analysis. The appendices alone are worth the price of the book.
Rating: 
Summary: A very good kick-off book on Risk Analysis
Review: This is the only book that provides a general overview of what a Risk Analysis is, and I consider it a very good basis for learning how to perform a Risk Analysis and evaluate the risks. Anyway, it is my personal opinion that there are no standard methods to be used: a good Risk Analyst stays to a good Risk Analysis, like a good tailor stays to a good suit. Every time that you will have to perform a Risk Analysis, you will decide with the team or with the customer what kind of methods are going to be used and wich kind of evaluation parameters are going to be taken into consideration. Another thing that I disagree about, is the time that should be spent on the Risk Analysis: to perform a good analysis in ten days, is like expecting a persian carpet to be made in one week or a good italian meal to be served in three minutes.
<< 1 >>
| 
