How did I learn all this stuff?
I spent 34 years of my career working in organizations called Computing Security, Information Protection and Assurance, and Information Security. My work involved protecting government classified information on major defense contracts, writing and publishing a security control framework (policy) document when none existed, leading the security program for the 777 airplane program involving international data exchange for design and manufacturing partners, and leading requirements and implementation of a role-based automated access management system whose pilot was to implement access for 1000 Manufacturing Resource Management system’s users. And that was before the arrival of the Internet. I had 20 years to learn more.
The topic of risk management and particularly risk analysis intrigued and frustrated me for many years. In about 2009 I learned about FAIR (Factors Analysis of Information Risk), which became a passion through the end of my career and continues today.
Posts will cover a variety of topics which I will strive to organize logically. But today I want to share an initial reading list.
Most of what I learned was from experience. But the following provided knowledge I received initially by reading, then by putting the knowledge into practice. I recommend reading in the order listed, but have provided some context to help you choose.
This defines FAIR, so is a must reads:
- Open Group Standard: Risk Taxonomy (O-RT), Version 3.0 (The Open Group)
In order to use FAIR you must be able to measure anything. Understanding the flaw of using averages is a foundation for really understanding the use of FAIR.
- How to Measure Anything (Douglas Hubbard)
- The Flaw of Averages (Sam Savage)
The first half of the following book explains how to measure anything; if you are in a hurry perhaps skip Hubbard’s first book. The last chapters of this book provide some advanced math that will interest the practitioner who is really serious about pursuing FAIR.
- How to Measure Anything in Cybersecurity Risk (Douglas Hubbard)
This collection focuses on risk management, first with Hubbard’s critical assessment followed by proposals that answer the criticism.
- The Failure of Risk Management (Douglas Hubbard)
- Measuring and Managing Information Risk (Freund and Jones)
- Open Group Standard: Risk Analysis, Version 2.0 (O-RA) (The Open Group)
The documents from The Open Group are available from The Open Group. You may find some of the other books in you local library, but some you will have to buy.
Christopher T. Carlson is a pioneer, having arrived in his first computing security assignment at the dawn of the field in 1982. He created or substantially evolved practices in his security assignments including classified computing security, computing security policy and controls, security awareness, business unit security support, security assessments, access administration including role based access, risk analysis and management, and application security development life cycle. The goal of this writing is to provide lessons from the field so that those who follow need not start from scratch.
- O-AA™ Security Playbook – Security Architecture Section
- How to Manage Cybersecurity Risk – A Security Leader’s Roadmap with Open FAIR™ (2019)
- Open FAIR™ Tool with SIPmath™ Distributions: Guide to the Theory of Operation (2018)
- Open FAIR™ – STIX™ Integration Whitepaper (2017)
- Open FAIR™ – NIST Cybersecurity Framework Cookbook (2016)
- Open FAIR™ – ISO/IEC 27005 Cookbook (2010)
- The Boeing Computing Security Requirements Manual (1991)
- Open FAIR™ – Risk Taxonomy (O-RT) V3 (2020)
- Open FAIR™ – Risk Analysis (O-RA) V2 (2020)
- Open Information Security Management Maturity Model (O-ISM3) (2011)