Quant Fever

July 25, 2008

Furthering the discussion of applying quantitative thinking to information security, I thought I would share some influential resources (with no particular order or organization). How To Measure Anything provides a very interesting glimpse of what applied information risk quantification could look like. In particular, the sections on confidence intervals, calibration, and Monte Carlo analysis are stirring. I’d be interested in pilot-testing some of these techniques against some real-world business scenarios. (Thanks to Jeff Lowder for pointing this book out). Factor Analysis of Information Risk (FAIR) by Jack Jones is a compelling description of the components of risk and how to measure them. Andrew Jaquith’s 2007 book Security Metrics provides practical ideas for measuring and managing towards relevant outcomes. Other books I’m reading include Adam Shostack and Andrew Stewart’s The New School of Information Security and Dan Geer’s Economics and Strategies of Data Security (also see Dan’s inspiring Measuring Security slides). I can’t help but think somewhere from the intersection of these and other disparate thoughts arises a Grand Unification Theory of Information Risk Management…
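To make the "confidence intervals, calibration, and Monte Carlo" point concrete, here is an added worked example (my own illustration, not code from any of the books above): a calibrated expert states a 90% confidence interval for how often a loss event occurs per year and for how much each event costs, the intervals are turned into lognormal distributions, and a Monte Carlo run over simulated years yields the annual loss distribution and a point on the loss exceedance curve. The scenario, the two intervals and the risk-tolerance threshold are constructed, hypothetical inputs.

```python
import math
import random
from statistics import mean

Z90 = 1.645  # a two-sided 90% interval spans +/-1.645 standard deviations


def lognormal_from_ci(lower, upper):
    """Return (mu, sigma) of the lognormal whose 90% confidence interval is
    [lower, upper]. This is the calibration recipe: the expert supplies a
    range they are 90% sure contains the true value; the rest is arithmetic."""
    if not 0 < lower < upper:
        raise ValueError("need 0 < lower < upper")
    mu = (math.log(lower) + math.log(upper)) / 2          # log of the median
    sigma = (math.log(upper) - math.log(lower)) / (2 * Z90)
    return mu, sigma


def ci_from_lognormal(mu, sigma):
    """Inverse of lognormal_from_ci: the 5th and 95th percentiles."""
    return math.exp(mu - Z90 * sigma), math.exp(mu + Z90 * sigma)


def poisson(rng, lam):
    """Knuth's Poisson sampler for the small yearly event rates typical of
    security losses; falls back to a normal approximation for large rates so
    exp(-lam) cannot underflow and loop forever."""
    if lam > 100:
        return max(0, int(round(rng.gauss(lam, math.sqrt(lam)))))
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(freq_ci, magnitude_ci, years=10_000, seed=1):
    """Monte Carlo over `years` simulated years. freq_ci is the 90% CI for
    loss events per year, magnitude_ci the 90% CI for loss per event.
    Returns one total loss figure per simulated year."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    f_mu, f_sigma = lognormal_from_ci(*freq_ci)
    m_mu, m_sigma = lognormal_from_ci(*magnitude_ci)
    losses = []
    for _ in range(years):
        # Draw this year's expected rate from its uncertainty, then the
        # actual event count, then an independent magnitude per event.
        rate = rng.lognormvariate(f_mu, f_sigma)
        n_events = poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(m_mu, m_sigma) for _ in range(n_events)))
    return losses


def percentile(values, q):
    """Nearest-rank percentile (q in 0..100) of a list of numbers."""
    ordered = sorted(values)
    idx = int(round(q / 100 * (len(ordered) - 1)))
    return ordered[min(len(ordered) - 1, max(0, idx))]


def exceedance_probability(values, threshold):
    """P(annual loss > threshold): one point on the loss exceedance curve."""
    return sum(1 for v in values if v > threshold) / len(values)


def summarize(freq_ci, magnitude_ci, threshold, years=10_000, seed=1):
    """Headline numbers a risk owner would ask for."""
    losses = simulate_annual_loss(freq_ci, magnitude_ci, years, seed)
    return {
        "mean_annual_loss": mean(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p99": percentile(losses, 99),
        "p_exceed_threshold": exceedance_probability(losses, threshold),
    }


if __name__ == "__main__":
    # Constructed, hypothetical scenario (e.g. credential phishing leading to
    # fraud): 0.5 to 4 loss events per year, 20,000 to 500,000 per event,
    # and a stated tolerance of 1,000,000 in losses per year.
    for key, value in summarize((0.5, 4.0), (20_000, 500_000), 1_000_000).items():
        print(f"{key:>20}: {value:,.3f}")
```

The lognormal choice matches the books' argument that losses are skewed with a long right tail, so the mean annual loss sits well above the median; the exceedance probability against a stated tolerance is usually the more decision-relevant output than any single point estimate.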
