Information Security Risk Analysis
by Thomas Pelter
CRCPress, Inc. (Auerbach Publications),  2000.
281 pages.  ISBN 0-8493-0880-1.    $64.95

Reviewed by Judith M. Myerson      April 25, 2001


My first reaction to the book was favorable. Information Security Risk Analysis aims at information security professionals, project managers, auditors and facilities managers. The book fulfills its purpose by helping the readers to start in conducing risk analysis processes with sample forms.

Information Security Risk Analysis contains 280 pages and is divided nearly between seven chapters and six appendices. It begins with asset identification, threat identification and Annual Loss Expectancy and proceeds to the next chapter on asset valuation, risk evaluation and risk management, threat impacts, safeguard identification, and cost-benefit analysis. The third chapter focuses on assigning values to assets, while the fourth chapter briefly covers vulnerability analysis, hazard impact analysis, threat analysis, questionnaires and single-time loss algorithm.

As shown in the next chapter, the FRAP is a good example of considering, evaluating and documenting information security risks. Chapter 6 gives other types of qualitative risk analysis such as Business Impact Analysis (BIA). The final chapter presents a case study to better understand the concepts of FRAP. The book then moves to a series of appendices on a questionnaire sample, FRAP forms, BIA forms, a `report sample, threat definitions and other risk analysis opinions.

The book cover is appropriately designed and reflects the theme of the subject. Typography in text is good. A contrasting color, such as medium blue, would be helpful in highlighting important words or topics. References and indexes are more than adequate.