Information Security Risk Analysis
by Thomas Pelter
CRCPress, Inc. (Auerbach Publications),  2000.
281 pages.  ISBN 0-8493-0880-1.    $64.95

Reviewed by Judith M. Myerson      April 25, 2001


My first reaction to the book was favorable. Information Security Risk Analysis aims at information security professionals, project managers, auditors and facilities managers. The book fulfills its purpose by helping the readers to start in conducing risk analysis processes with sample forms.

Information Security Risk Analysis contains 280 pages and is divided nearly between seven chapters and six appendices. It begins with asset identification, threat identification and Annual Loss Expectancy and proceeds to the next chapter on asset valuation, risk evaluation and risk management, threat impacts, safeguard identification, and cost-benefit analysis. The third chapter focuses on assigning values to assets, while the fourth chapter briefly covers vulnerability analysis, hazard impact analysis, threat analysis, questionnaires and single-time loss algorithm.

As shown in the next chapter, the FRAP is a good example of considering, evaluating and documenting information security risks. Chapter 6 gives other types of qualitative risk analysis such as Business Impact Analysis (BIA). The final chapter presents a case study to better understand the concepts of FRAP. The book then moves to a series of appendices on a questionnaire sample, FRAP forms, BIA forms, a `report sample, threat definitions and other risk analysis opinions.

The book cover is appropriately designed and reflects the theme of the subject. Typography in text is good. A contrasting color, such as medium blue, would be helpful in highlighting important words or topics. References and indexes are more than adequate.

From the Back Cover:
Risk is a cost of doing business. The question is "What are the risks, and what are their costs? Knowing the vulnerabilities and threats that face your organization's information and systems is the first essential step in risk management.

Information Security Risk Analysis shows you how to use cost-effective risk analysis techniques to identify and quantify the threats both accidental and purposeful that your organization faces. The book steps you through the qualitative risk analysis process using techniques such as PARA (Practical Application of Risk Analysis) as well as FRAP to:
     o  Evaluate tangible and intangible risks
     o  Use the qualitative risk analysis process
     o  Identify elements that make up a strong Business Impact Analysis
     o  Conduct risk analysis with confidence

Management looks to you, its information security professional, to provide a process that allows for the systematic review of risk, threats, hazards, and concerns, and to provide cost-effective measures to lower risk to an acceptable level. You can find books covering risk analysis for financial, environmental, and software projects, but you will find none that apply risk analysis to information technology and business continuity planning or deal with issues of loss of systems configuration, passwords, information loss, system integrity, CPU cycles, bandwidth and more. Information Security Risk Analysis shows you now to determine cost effective solutions for your organization's information technology.