We assess risk at every step of our lives. We either remediate, mitigate, or accept the risk based on that assessment. Even for a routine activity like changing lanes while driving, we look in the rearview mirror, glance in the side-view mirror, and do a shoulder check. Three different methods are used to assess the risk before changing lanes. Why? Because we want to make sure what we do is safe. Once we have assessed the risk, we decide whether to change lanes or wait. Risk assessment is so ingrained in our daily activities that we do not even realize we do it every day. However, our mindset regarding security risk assessment is slightly different. As a cybersecurity industry, we are still struggling to ensure that risk assessments are performed, and performed correctly. A poorly conducted risk assessment can give management misleading information, leaving corporate assets exposed to threats that were never identified or treated.
In his book The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessment, Douglas J. Landoll, a cybersecurity practitioner and industry veteran, shares a very detailed and systematic approach to risk assessment. The book is written without any unnecessary fluff, and Landoll’s extensive experience is evident from the very first chapter as he dives right into the core of the subject matter. In the first chapter, the author explains what risk assessment is, its role, and why it is needed. The book is very well organized. The first part explains the basic concepts of risk assessment. The middle part is heavily focused on data gathering. The last part of the book describes qualitative and quantitative risk analysis techniques, along with examples of risk assessments and reporting methods. The section on data gathering starts with a description of the RIIOT (Review, Interview, Inspect, Observe, and Test) method. This part of the book explains how to gather administrative, technical, and physical data, and for each type of data gathering the author describes how to apply the RIIOT method. Additionally, the book covers project management for risk assessment tasks, which is very useful for managers and leaders.
I have worked as an organization's security and compliance leader, and risk assessment is very close to my heart. I can vouch for the importance of security risk assessment in Information Security Management. The author hits the nail on the head in the first chapter by discussing the role of the CISO in the risk assessment process.
Finding out about the risk but not doing anything about it is probably worse than not doing the risk assessment at all. The book has a dedicated chapter on Security Risk Mitigation, which dives deeper into various security controls and implementation considerations.
Landoll outlines the necessity of the book in the first chapter. The resources available cannot “provide a complete and detailed explanation of the security risk assessment process sufficient to assist an information security professional in performing the work. Sufficient process details are missing, and the information security professional cannot gain a comfort level that they would know what to do when assessing physical security controls, interviewing the human resources director, or writing an effective report.” The book has attempted to do just that with step-by-step descriptions, real-world examples, checklists, and other tricks of the trade.
Landoll has over 30 years of experience in the field, and readers will greatly benefit from his experience and the insight he shares in the book. Each chapter ends with an exercise to reinforce the material covered in that chapter, making this book a good candidate for a textbook. This book is a great guide or reference for any security practitioner and a valuable resource for executives and leaders in the field. I highly recommend this book to anyone working on information security risk assessment or wanting to learn more about it.