This blog is dedicated to sharing knowledge of information system security I acquired through work experiences, collaboration and forums with other professionals, and through reading.

How did I learn all this stuff?

I spent 34 years of my career working in organizations called Computing Security, Information Protection and Assurance, and Information Security. My work involved protecting government classified information on major defense contracts, writing and publishing a security control framework (policy) document when none existed, leading the security program for the 777 airplane program involving international data exchange for design and manufacturing partners, and leading requirements and implementation of a role-based automated access management system whose pilot was to implement access for 1000 Manufacturing Resource Management system’s users. And that was before the arrival of the Internet. I had 20 years to learn more.


The topic of risk management and particularly risk analysis intrigued and frustrated me for many years. In about 2009 I learned about FAIR (Factors Analysis of Information Risk), which became a passion through the end of my career and continues today.

Posts will cover a variety of topics which I will strive to organize logically. But today I want to share an initial reading list.


Most of what I learned was from experience. But the following provided knowledge I received initially by reading, then by putting the knowledge into practice.  I recommend reading in the order listed, but have provided some context to help you choose.

This defines FAIR, so is a must reads:

  • Open Group Standard: Risk Taxonomy (O-RT), Version 3.0 (The Open Group)

In order to use FAIR you must be able to measure anything. Understanding the flaw of using averages is a foundation for really understanding the use of FAIR.

  • How to Measure Anything (Douglas Hubbard)
  • The Flaw of Averages (Sam Savage)

The first half of the following book explains how to measure anything; if you are in a hurry perhaps skip Hubbard’s first book. The last chapters of this book provide some advanced math that will interest the practitioner who is really serious about pursuing FAIR.

  • How to Measure Anything in Cybersecurity Risk (Douglas Hubbard)

This collection focuses on risk management, first with Hubbard’s critical assessment followed by proposals that answer the criticism.

  • The Failure of Risk Management (Douglas Hubbard)
  • Measuring and Managing Information Risk (Freund and Jones)
  • Open Group Standard: Risk Analysis, Version 2.0 (O-RA) (The Open Group)

The documents from The Open Group are available from The Open Group. You may find some of the other books in you local library, but some you will have to buy.

The Author

Christopher T. Carlson is a pioneer, having arrived in his first computing security assignment at the dawn of the field in 1982. He created or substantially evolved practices in his security assignments including classified computing security, computing security policy and controls, security awareness, business unit security support, security assessments, access administration including role based access, risk analysis and management, and application security development life cycle. The goal of this writing is to provide lessons from the field so that those who follow need not start from scratch.





the-open-group-certified-open-fair-foundation (1)