InfoSec Reviews – The Security Risk Assessment Handbook

Book Title: The Security Risk Assessment Handbook

Subtitle: A Complete Guide for Performing Security Risk Assessments

Author: Douglas J. Landoll

Publisher: CRC Press, Boca Raton, USA

Date of Publishing: 2011

ISBN(13): 9781439821480

Price (UK & US price – full price, not discounted price): £48.99, $79.95

URL of Amazon UK web page: The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

URL of Amazon US web page:

Written for “anyone who wants a more detailed understanding of how to perform a security risk assessment”, this book, now in its second edition, covers a lot of ground for its 450 or so pages: information security, physical and environmental exposures, personnel risk and business continuity. Its author, a one-time senior analyst at the NSA, is clearly highly experienced in managing very large-scale risk assessment exercises.

The first two chapters discuss the basic rationale and processes for risk assessment in very broad terms – essentially providing a 35-page abstract of the rest of the book. Somewhat strangely though, the section entitled Who is This Book For? appears at the end of chapter one. Chapter three – Project Definition – presents a body of budgetary, administrative and quasi-technical guidance that at first sight seems a little disorganised, but does cover the ground well.

Chapter four – Security Risk Assessment Preparation – varies in depth of treatment, from specifying the precise content of an introductory letter, to the truism that, “The security risk assessment team should seek to obtain an understanding of the criticality of the various information systems to … the organisation”. Importantly though, it does outline alternative approaches to asset valuation, loss prediction and threat determination, albeit in quite broad terms. The section on Validating Threat Statements lists the factors to be considered but does not explain how to use them to perform a robust validation. The examples are simplistic and shed no light on the thought processes required to ensure this.

Chapters five to eight – about half the book – are dedicated to data gathering. Chapter five includes a single section – a mere five pages – on sampling that I find potentially misleading. It includes an unexplained equation and table for determining sample counts for different levels of statistical confidence and error rate. The examples – likelihood of early voting in an election and “estimated rate of noncompliance” – both have a binomial distribution. However, these are immediately followed by discussion of the Standard Deviation of a normal (Gaussian) distribution. It is not mentioned that the given equation assumes an approximation of the binomial distribution to a Gaussian that only holds good for large sample counts (courtesy of the Central Limit Theorem) and can fail for rare events. Nor is it noted that many of the security risks that most concern us have essentially non-Gaussian distributions – notably those that are outcomes of human intentionality or rare extreme events resulting from the coincidence of multiple independent factors. The procedural guidance in these four chapters is, however, detailed and exhaustive, particularly with respect to identifying potential sources of information.

Chapter nine – “Security Risk Analysis” – covers the critical issue of reducing uncertainty in just seven pages. Here, the reader is variously advised to “Use Judgment”, “Develop a Probability Distribution”, “Use Tools” and “Use Conditional Probabilities”. No real guidance is provided on how any of these are done, although in the fourth case observant readers might be able to infer the additive property of conditional probabilities for themselves from one of the examples. The half page dedicated to “Obtaining Consensus” makes no mention of the greatest challenge – how to counter the cognitive biases that can lead to erroneous consensus, so dramatically demonstrated by NASA in two separate Shuttle disasters.

Chapter ten – Security Risk Mitigation – starts well by describing the major alternative approaches to the selection of controls. Nevertheless, it then peters out with a mere half page on Establishing Security Risk Parameters – a fundamental component of risk mitigation worthy of exhaustive treatment.

The final three chapters cover reporting, project management and methodologies. The first of these offers such elementary advice on report writing that it seems superfluous in a book of this nature. The chapter on project management is useful and indeed covers some important issues, such as consultant credibility, that are rarely mentioned. However, I feel it should have been placed earlier in the book, between chapters three and four perhaps. The same applies to the final chapter, entitled Security Risk Assessment Approaches. It contains a valuable and quite detailed discussion of the pros and cons of quantitative and qualitative methods, which could usefully have been placed between chapters eight and nine.

The presentation of the book disrupts the evolution of this reader’s thought process. Numbered and captioned sections with multiple layers of subsections (in places, six deep) break the text into individually captioned fragments sometimes as short as single paragraphs. So, for example, subsection Approach 1: Review Contracts contains a mere 17 lines of text, of which 14 are further subdivided by two layers of bullet points. The “sidebars” are another source of confusion. They aren’t sidebars at all, but inline blocks of smaller print with their own quite different captions and numbering convention. The diagrams and tables are also separately sequentially numbered without reference to the subsections they relate to and are frequently positioned within other subsections. These multiple parallel conventions combine in places to make attentive reading very difficult; for example, SIDEBAR 7.1 is positioned at the end of subsection Network Mapping, separated from subsection Vulnerability Scanners by tables 7.13 and 7.14.
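The sampling criticism above (chapter five's sample-count equation resting on a Gaussian approximation that fails for rare events) can be made concrete. The following is an added illustration, not code or figures from the book or the review. It assumes the book's unexplained equation is the standard normal-approximation sample-size formula n = z²·p(1−p)/E², which is what treating a binomial proportion as Gaussian produces, and it checks the resulting confidence interval's real coverage by summing the exact binomial distribution. The rates and sample sizes used are constructed, not taken from the book.

```python
"""Normal-approximation sample sizing for a proportion (e.g. an estimated
rate of noncompliance) and an exact check of where the approximation holds.

Assumption (not from the book): the sample-count equation is the usual
Wald-type formula n = z^2 * p(1-p) / E^2. All numbers below are constructed.
"""
import math

Z_95 = 1.959964  # two-sided 95% standard-normal quantile


def wald_sample_size(p: float, margin: float, z: float = Z_95) -> int:
    """Sample count to estimate proportion p to within +/- margin at the
    confidence level implied by z, under the Gaussian approximation."""
    return math.ceil(z * z * p * (1.0 - p) / (margin * margin))


def binom_pmf(n: int, k: int, p: float) -> float:
    """Exact binomial probability of k successes in n trials."""
    return math.comb(n, k) * p**k * (1.0 - p) ** (n - k)


def wald_interval(k: int, n: int, z: float = Z_95) -> tuple[float, float]:
    """Gaussian-approximation confidence interval around the observed rate k/n."""
    phat = k / n
    half = z * math.sqrt(phat * (1.0 - phat) / n)
    return phat - half, phat + half


def wald_coverage(n: int, p: float, z: float = Z_95) -> float:
    """Exact probability that the Wald interval contains the true rate p.

    Enumerates every possible outcome k and adds its binomial probability
    whenever the interval built from that k would cover p. A nominal 95%
    interval should give roughly 0.95 here; a much lower value means the
    Gaussian approximation is misleading the assessor."""
    total = 0.0
    for k in range(n + 1):
        lo, hi = wald_interval(k, n, z)
        if lo <= p <= hi:
            total += binom_pmf(n, k, p)
    return total


def approximation_is_reasonable(n: int, p: float, threshold: int = 10) -> bool:
    """Common rule of thumb for the Gaussian approximation to a binomial:
    both the expected successes n*p and failures n*(1-p) should be >= ~10."""
    return n * p >= threshold and n * (1.0 - p) >= threshold


if __name__ == "__main__":
    # Constructed scenarios: a common event and a rare one, sampled 100 times.
    for label, p in (("common condition (50%)", 0.5),
                     ("rare noncompliance (1%)", 0.01)):
        n = 100
        print(f"{label}: n={n}, rule of thumb ok: "
              f"{approximation_is_reasonable(n, p)}, "
              f"actual coverage of nominal 95% interval: {wald_coverage(n, p):.3f}")
    # Sample count the formula demands for +/-5 points at 95% when p=0.5.
    print("n for p=0.5, E=0.05:", wald_sample_size(0.5, 0.05))
    # Pinning down a 1% rate to +/-0.5 points needs far more samples.
    print("n for p=0.01, E=0.005:", wald_sample_size(0.01, 0.005))
```

For the 50% case the nominal 95% interval really does cover the true rate about 94% of the time, while for a 1% rate with 100 samples it covers only about 62% of the time, because a third of such samples contain no noncompliant items at all and yield a zero-width interval. That is the failure mode the review points to: an assessor reading a sample-count table for a rare exposure gets a confidence figure the data cannot support.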

This book skips over many of the really essential issues, including statistical principles, heuristics and the reduction of bias and uncertainty, issues that make the difference between a security risk assessment in name only and a robust one that can be relied on. In this it is not alone – I have yet to find a security risk practitioners’ handbook that does discuss such matters adequately, but as a result I feel it is not really as complete a guide as its subtitle and the author’s undoubted expertise might have made it. It is a useful and exhaustive guide to the administration of a security risk assessment exercise, but only partially to its execution.

This book is strong on the administration and management of security risk assessment at the expense of first principles. It is thus a valuable guide for those commissioning or planning risk assessment exercises. But several critical factors that contribute to robustness are insufficiently discussed for it to qualify as an assessors’ primary reference.

Marks: 3 out of 5