BKINSCRA.RVW 20040509

"Information Security Risk Analysis", Thomas R. Peltier, 2001, 0-8493-0880-1
%A Thomas R. Peltier
%C 920 Mercer Street, Windsor, ON N9A 7C2
%D 2001
%G 0-8493-0880-1
%I Auerbach Publications
%O +1-800-950-1216 orders@crcpress.com
%O http://www.amazon.com/exec/obidos/ASIN/0849308801/robsladesinterne
%O http://www.amazon.co.uk/exec/obidos/ASIN/0849308801/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0849308801/robsladesin03-20
%P 281 p.
%T "Information Security Risk Analysis"

Chapter one, supposedly discussing effective risk management, outlines a number of points important to the process, but in a rather scattered manner. Material seems to have been gathered from a variety of sources, but the gaps between those references and articles have not been filled. The information given is inconsistent in terms of significance: a list of natural threats lists "air pollution" (there is no corresponding "water pollution") and "earthquakes" as generic issues, but breaks weather conditions down into items as specific as "Alberta Clipper" and "lake effect snow" (as well as a very odd mention of "yellow snow," defined as snow coloured by pollen).

Risk analysis methods are generally divided into quantitative and qualitative, so one would assume that chapter two, "Qualitative Risk Analysis," would present the concepts of this idea, leaving quantitative analysis for another section. Neither of those assumptions is true: chapter two lists three different methods that would probably be seen as qualitative, but does not analyse or compare them, and quantitative analysis is not reviewed in any specific part of the book. Chapter three, entitled "Value Analysis," is an extremely terse mention of the importance of calculating the value of assets. Five more qualitative procedures are listed in chapter four.
Another such, the Facilitated Risk Analysis Process (FRAP), suitable for a quick risk review in a small department, is described in chapter five, along with some related, but incompletely described, forms and charts. "Other Uses of Qualitative Risk Analysis," in chapter six, enumerates a few other risk analysis factors, mostly to do with business impact analysis. Chapter seven is supposed to be a case study using FRAP, but consists of fifty pages of unexplained forms. The appendices contain various forms, again without commentary or exegesis, including a questionnaire that bears a strong resemblance to the US NIST (National Institute of Standards and Technology) security self-assessment form.

The basics of risk analysis are here, but, aside from a padding of verbiage, there is not much else. A decent article on the subject, such as Ozier's in the "Information Security Management Handbook" (cf. BKINSCMH.RVW), covers every bit as much territory, and in a more concise manner.

copyright Robert M. Slade, 2004