Risk Management reading list.md

Note, a lot of content here is from SIRA lists/posts. If you are interested in the topic, please join SIRA.

TODO

• Group items in a sane way.
• The papers probably should be listed in a quotable format of some standard. Same with books?
• This list grew a bit big, probably should be split into separate lists per category. I started listing by person, but it probably makes no sense.
• The books and podcasts are the only lists that I think are substantial. The rest is not even stubs.

Books

Some of the books are available used on Ebay, for a fraction of the Amazon price.

• The Flaw of Averages; Savage

  Chris Hayes: Savage has written an entire book about the flawed tendency to only use "average" values for modeling and decision making. He also introduces the reader to the DIST standard; which is my particular interest. I am only a few chapters in to the book - but already, it is challenging me to refine how I articulate some risk values to management.

• Uncertainty: A Guide to Dealing with Uncertainty in Quantitative Risk and Policy Analysis; Morgan

• How to Measure Anything in Cybersecurity Risk; Hubbard, Seiersen

• The Failure of Risk Management; Hubbard

  Jay Jacobs: Both of Hubbard's books are staples for anyone attempting risk management.

• The New School of Information Security; Shostack and Stewart

• Measuring and Managing Information Risk; Jones, Freund

• A Field Guide to Lies and Statistics: A Neuroscientist on How to Make Sense of a Complex World; Levitin

• Thinking Fast and Slow; Kahneman

• The Undoing Project: A Friendship That Changed Our Minds; Lewis

• Data Driven Security; Jacobs, Rudis

• Against the Gods; Bernstein

  Jay Jacobs: I lovedthis book. Really put risk into context by looking at how it has been perceived throughout time. Plus this was were I first read about Pascal and others hanging out in Paris discussing Mathematics and the probability. The section on the birth of Lloyd's of London was incredibly intriguing and too short in my opinion. Just think of how many "medium risk" ships were over-insured in Lloyd's coffee shop.

• Predictably Irrational; Ariely

  Jay Jacobs: Focused on Behavioral Economics this book gives a glimpse into the motivations of people and the rationale, biases and fallacies that influence the decision process.

• Misconceptions of Risk; Aven

• Foundations of Risk Analysis, Aven

• Ignorance and Uncertainty; Smithson

• Principles of Uncertainty; Kadane

• Uncertainty and Risk: Multidisciplinary Perspectives; Bammer, Smithson:

• Cybersecurity: A Business Solution; Arnold

• Art of Critical Decision Making; Roberto

• Psychology of Risk; Breakwell

  Ron Woerner: I quickly scanned it at a local library and it appears to be a nice resource on how we think about risk. From the book description, "Risk surrounds and envelopes us. Without understanding it, we risk everything and without capitalizing on it, we gain nothing. This accessible new book from Glynis M. Breakwell comprehensively explores the psychology of risk, examining how individuals think, feel and act, as well as considering the institutional and societal assessments, rhetorics and reactions about risk. Featuring chapters on all the major issues in the psychology of risk including risk assessment, hazard perception, decision-making, risk and crisis management, risk and emotion, risk communication, safety cultures, the social amplification and social representation of risk and mechanisms for changing risk responses"

• Risk Analysis of Complex and Uncertain Systems; Cox

  Jeff Lowder: Tony Cox is one of the top risk scholars in the world. This is a very technical (and expensive!) book, but is a must-have for anyone who is serious about risk analysis. Among its many gems, the book contains a fascinating critique of risk matrices; Cox concludes that in many cases they are worse than useless — they do more harm than good.

• The Logic Of Failure: Recognizing And Avoiding Error In Complex Situations; Dorner

• The Science of Fear: How the Culture of Fear Manipulates Your Brain; Gardner

  Ron Woerner: This is the book Bruce Schneier recommends on understanding how humans perceive and deal with fear. It's important to understand human perspectives of risk in order to apply proper mitigation techniques.

• Calculated Risks: How to Know When Numbers Deceive You; Gigerenzer

  Jeff Lowder: This non-technical book is a fascinating, empirical study in what works and doesn't work in risk communication. The author provides fascinating, empirical case studies of how risk managers' failure to understand and effectively communicate conditional probabilities has had harmful effects. Gigerenzer argues that "natural frequencies" should replace conditional probabilities in risk communication.

• Blink: The Power of Thinking Without Thinking; Gladwell

• Assessing and Managing Security Risk in IT Systems: A Structured Methodology; McCumber

  Jeff Lowder: Introduces the "McCumber Cube" concept for thinking about information security risks, which forces you to consciously think about risks to the confidentiality, integrity, and availability of information in each of its states (storage, transit, processing).

• The Drunkard's Walk: How Randomness Rules Our Lives

  Jay Jacobs: Randomness is really the lack of probability and this book made me question my own belief in seeking cause-n-effect by questioning events as simply being a product of randomness. Chris Hayes: The reason I loved this book is because it established historical context on the subject of risk and probability; dating back a LONG time ago.

• Computer-Related Risks

  Dan Philpott: Excellent source book when looking for an example of a particular risk. Anecdotes and insights culled primarily from RISKS.

• Organized Uncertainty: Designing a World of Risk Management; Power

• Risk: A Philosophical Introduction to the Theory of Risk Evaluation and Management; Rescher

  Jeff Lowder: It's unfortunate this book is out of print, since all risk managers would benefit from reading it. Rescher provides much-needed clarity around the central concepts of risk evaluation and management.

• The Black Swan: Second Edition: The Impact of the Highly Improbable; Taleb

  Dan Philpott: It was bound to end up here anyway so I added it. Houses the most abused current argument for the limits of risk management and metaphor for ceding responsibility, the Black Swan event.

  Alex: Gaaaaahhhhhhhhhhhh!!'!!!!!!!!!!! Furrrrrrrrrr!!!!!!!!! Gnughrfuvlsnoffinhaster </yosemite sam>

• Risk Analysis: A Quantitative Guide; Vose

  Chris Hayes: Absolute must have

• IT Risk: Turning Business Threats into Competitive Advantage; Westerman, Hunter

  Jeff Lowder: This book is surprisingly light on the methodology used to estimate the probability and impact ofIT risks, but that is more than offset by the excellent suggestions around building a culture of risk management within organizations. It also introduces the 4A framework for IT risk management, which I found to be very innovative.

• Forecasting: Principles and Practice

• Managing Information Security Risks: The OCTAVE (SM) Approach

Cormac Haley, et all

MS Research. He researches basics - techniques (surveys), analysis tools (ROC curve), etc. Besides, exceptionally interesting work.

• Why do Nigerian Scammers Say They are from Nigeria?

  False positives cause many promising detection technologies to be unworkable in practice. Attackers, we show, face this problem too. In deciding who to attack true positives are targets successfully attacked, while false positives are those that are attacked but yield nothing. This allows us to view the attacker’s problem as a binary classification. The most profitable strategy requires accurately distinguishing viable from non-viable users, and balancing the relative costs of true and false positives.

• Sex, Lies and Cyber-crime Surveys

  The importance of input validation has long been recognized in security. Code injection and buffer overflow attacks account for an enormous range of vulnerabilities. “You should never trust user input” says one standard text on writing secure code. It is ironic then that our cyber-crime survey estimates rely almost exclusively on unverified user input. A practice that is regarded as unacceptable in writing code is ubiquitous in forming the estimates that drive policy. A single exaggerated answer adds spurious billions to an estimate, just as a buffer overflow can allow arbitrary code to execute. This isn’t merely a possibility. The surveys that we have exhibit exactly this pattern of enormous, unverified outliers dominating the rest of the data.

• So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users

  Given a choice between dancing pigs and security, users will pick dancing pigs every time.” While amusing, this is unfair: users are never offered security, either on its own or as an alternative to anything else. They are offered long, complex and growing sets of advice, mandates, policy updates and tips. These sometimes carry vague and tentative suggestions of reduced risk, never security. We have shown that much of this advice does nothing to make users more secure, and some of it is harmful in its own right. Security is not something users are offered and turn down. What they are offered and do turn down is crushingly complex security advice that promises little and delivers less.

• Where Do All The Attacks Go?

  The threat model we propose goes some way to closing the gap between potential and actual harm. The constraint that attacks must be profitable in expectation removes a great many attacks that otherwise appear economic. It guarantees that the attacker sees a sum-of-effort rather than a weakest-link defense. It’s not enough that something succeed now-and-then, or when the circumstances are right, or when all the ducks are in a row. When attacking users en masse, as Internet attackers do, attacks must be profitable at scale.

• Where Do Security Policies Come From?

  Our conclusions suggest that, at least in the case of passwords, exactly such an overshoot occurs. Some of the largest and most attacked sites on the web allow 6 character PINS or lowercase passwords. By contrast, government and university sites generally have far stronger (and far less usable) policies. The reason we suggest lies not in greater security requirements, but in greater insulation from the consequences of poor usability.

• Passwords and the Evolution of Imperfect Authentication

  We identify as outdated two models that still underlie much of the current password literature. First is the model of a random user who draws passwords uniformly and independently from some set of possible passwords. It has resulted in overestimates of security against guessing and encouraged ineffectual policies aimed at strengthening users’ password choices. The second is that of an offline attack against the password file. This model has inflated the importance of unthrottled password guessing relative to other threats (such as client malware, phishing, channel eavesdropping and plaintext leaks from the back-end) that are more difficult to analyze but significantly more important in practice. Together, these models have inspired an awkward jumble of contradictory advice that is impossible for humans to follow.

Mix

• Aven - Risk assessment and risk management: Review of recent advances on their foundation
• Oppenheimer, Little,Cooke - “Expert judgement and uncertainty quantification for climate change”
• Choi - Life is Lognormal Risk Communications

  Jeff Lowder: Sandman is arguably one of the top risk communication experts in the world. He is famous for his "Risk=Hazard + Outrage" model for thinking about risk communication.

• Responding to Community Outrage: Strategies for Effective Risk Communication; Sandman
• Cox - What's wrong with risk matrices?

  Jeff Lowder: The definitive overview of the problems with risk matrices.

• What's Right with Risk Matrices; Talbot Verbal Probability Expressions
• How probable is probable? A numerical translation of verbal probability expressions; Beyth-Marom J. Forecast 1 (1982): 256-269, doi: 10.1002/for.3980010305.
• Effective communication of uncertainty in the IPCC reports; Budescu, Por, Broomell doi:10.1007/s10584-011-0330-3

  Jeff Lowder: Provides an outstanding overview of the last 2-3 decades of empirical research into the use of linguistic or verbal expressions to communicate uncertainty or probability.

• Consistency in Interpretation of Probabilistic Phrases; Budescu, Wallsten Organizational Behavior Human Decision Processes 36
• Psychology of Intelligence Analysis; Heuer
• Words of Estimative Probability; Kent
• The Definition of Some Estimative Expressions; Wark
• Understanding and using linguistic uncertainties; Wallsten, Budescu, Erev
• Verbal probabilities: Ambiguous, context-dependent, or both?; Brun, Teigen

Dan Geer

• Index of CyberSecurity
• Measuring vs Modeling (w/Michael Roytman)
• Remember the Recall (w/Cyentia Institute and Michael Roytman)

Jennifer Bayuk

• [http://www.bayuk.com/]

Sasha Romanosky

• Content Analysis of Cyber Insurance Policies: How do carriers write policies and price cyber risk?
• Examining the Costs and Causes of Cyber Incidents

Conference proceedings, etc

• Workshop on the Economics of Information Security
• Society for Risk Analysis
• Society of Information Risk Analysts

MMOCs

[https://www.edx.org/course/ignorance-wu-zhi-anux-igno101x?source=aw&awc=6798_1518220293_a9044d7a4a4f887ce91b9ac350800257] promo video

Podcasts

• Data Driven Secuirty
• The Risk Science Podcast
• Cyential Institure

Methodology or Standards

• Octave - Managing Information Security Risks: The OCTAVE (SM) Approach
• FAIR - Measuring and Managing Information Risk; Jones, Freund
• NIST Risk Management Framework
• ENISA Risk Management

Reports and whitepapers

• Verison Data Breach Investigations Report
• McKinesey Risk Papers
• World Bank (Annual) Global Risk Report
• Lloyds Emerging Risks 2017 - Counting the cost Cyber exposure decoded

Other:

Bureau of labour statistics - Information Security Analysts