Computing Reviews
Measuring and managing information risk : a FAIR approach
Freund J., Jones J., Butterworth-Heinemann, Newton, MA, 2015. 408 pp. Type: Book
Date Reviewed: Jul 11 2016

Recent advances in technology have made it extremely easy to shop from the couch, hold multimedia conversations with people around the world, and receive personalized services based on individual preferences. The same innovations that power these experiences also make it easy to execute attacks and cause data breaches, so cybersecurity and enterprise risk management have taken center stage alongside them.

It is therefore imperative that organizations check the health of their cyber resilience preparedness and, where necessary, implement controls that protect their customers and thereby their businesses. This is often easier said than done: the approach to information security and risk management has generally been reactive and short-term, usually driven by a regulation or an incident. However, as the industry matures and managing information risk becomes as important as managing financial and operational risk, enterprises are looking to adopt frameworks that offer the best balance among flexibility, cost efficiency, and risk tolerance on their journey toward the long-term vision of the business.

This book is a worthy companion for risk managers embarking on this fun and scary ride. The FAIR methodology, the product of many years of academic research and practical experience, is a great tool for risk management custodians, and this book is the most complete authoritative guide to its use.

With over 350 pages split into 14 chapters, the book is filled with supplementary material such as practical examples, anecdotes, and talking points that help professionals adopt the concepts in their own environment.

The first four chapters lay the foundation, covering an overview of risk, the FAIR ontology, and terminology; those already familiar with and practicing FAIR can skip them, although refreshing these concepts is always recommended. Chapters 5, “Measurement,” 6, “Analysis,” and 7, “Interpreting Results,” contain the meat of the methodology and its application. The next two chapters share examples and scenarios in which FAIR can be applied, and finally chapters 10 and 11 caution practitioners about common mistakes and describe controls one can put in place to identify trends, both good and bad.

The last section, consisting of chapters 12 through 14, brings the discussion back to the beginning, covering risk management philosophy, the current state of affairs, and helpful tips on implementing an information risk management (IRM) program.

Although written for those interested in or practicing FAIR, this book is a valuable resource for anyone implementing a program with a strategy and vision to make it a business enabler. Unfortunately, the number and complexity of cyberattacks will continue to increase for the foreseeable future. Hence, even though every organization needs an information risk management program, it is key that those housing sensitive data adopt a framework, FAIR or something else, and implement a long-term program to manage information risk.


Reviewer:  Phoram Mehta Review #: CR144562 (1609-0651)
Classification: Security and Protection (K.6.5); General (K.6.0)
Other reviews under "Security and Protection": Date
CIRCAL and the representation of communication, concurrency, and time
Milne G. ACM Transactions on Programming Languages and Systems 7(2): 270-298, 1985. Type: Article
Oct 1 1985
Computer security risk management
Palmer I., Potter G., Van Nostrand Reinhold Co., New York, NY, 1989. Type: Book (9780442302900)
Apr 1 1991
Computers at risk
, National Academy Press, Washington, DC, 1991. Type: Book (9780309043885)
Oct 1 1991
more...

Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®