In the 1964 US Supreme Court case of Jacobellis v. Ohio, Justice Potter Stewart delivered the now-famous line “I know it when I see it.” While that case concerned pornography, too many people take a similar approach to information risk management: they don’t measure, understand, or define risk, but think they know it when they see it.
In Understand, Manage, and Measure Cyber Risk: Practical Solutions for Creating a Sustainable Cyber Program (Apress), author Ryan Leirvik has written a helpful reference to guide the reader in creating a risk management program.
Measuring risk, like measuring blood pressure, is one thing. But the goal is not to measure it once; it is to keep measuring and managing it over the long term. Building a sustainable program that does this is a separate goal in its own right, and addressing it is what sets the book apart. Leirvik shows how to create a program that will keep working over the long term.
The book opens by noting that the problem around risk is threefold:
- Technology is an enabler
- Inherently flawed humans build technology
- Advantageous actors misuse technology to reap rewards
He then details the many component parts of a risk management program. Leirvik has extensive real-world experience, and besides detailing what needs to be done, he also cautions the reader about numerous pitfalls to avoid. In the sometimes irrational exuberance to create a risk management program, a firm can in fact introduce greater risk if it does not implement the program correctly. Leirvik does a good job of showing the reader how to do it correctly.
The definitive text on measuring risk is Measuring and Managing Information Risk: A FAIR Approach by Dr. Jack Freund and Jack Jones. At 200 pages, Leirvik’s book is an introduction rather than a comprehensive reference on the topic. But for those who are serious about building out their risk management program, Understand, Manage, and Measure Cyber Risk is an excellent resource to start with.