This is a work in progress and very much under construction. This is a resource page for quantitative cyber risk topics, techniques, tools and opinion. There are many models out there to perform quantitative cyber risk analysis, but the focus right now is building out topics around Factor Analysis of Information Risk (FAIR) because it's the most widely used. Please contact me if you have comments, suggestions or just to let me know that this is useful.

Foundational Texts

Regardless of your skill level - beginner or expert - these books are probably on your bookshelf and well worn.

Books to take your analysis to the next level...

  • Against the Gods: The Remarkable Story of Risk by Peter L. Bernstein | How did we get here? This book is a journey through the beginnings of probability theory, actuarial science and risk.

  • Thinking, Fast and Slow by Daniel Kahneman | Truly a remarkable and groundbreaking work on how cognitive bias affects our ability to make decisions.

  • Superforecasting: The Art and Science of Prediction by Philip E. Tetlock | I consider this a companion book to Thinking, Fast and Slow. Readers will get tangible information on how to improve the forecasting part of risk analysis.

  • The Wisdom of Crowds by James Surowiecki | One of my favorite books on harnessing the collective wisdom of groups for forecasting, decision making, problem solving, etc.

Groups, Chapters, Associations...

Blogs

Some like-minded blogs from other folks…

Foundational Concepts

Below are foundational risk management concepts.

Risk Management & Analysis

The Problems with Qualitative Methodologies

What is FAIR?

Tools and Applications to Perform a FAIR Analysis

There are several applications to perform a FAIR assessment, and you can even roll your own. Here are the tools I know of. I don't endorse any one; in fact, you should try them all. For the free applications, I've indicated whether it's free as in free beer, or free as in freedom of speech.

  • Basic Risk Analysis – pages 205-214 from “Measuring and Managing Information Risk: a FAIR Approach” | Pen and paper, qualitative method

  • FAIR-U | Free (beer), basic version of RiskLens. For non-commercial use only. Registration required.

  • RiskLens | Commercial, fee-based FAIR application.

  • Evaluator | Free (beer & speech). Open source OpenFAIR implementation, built and run on R.

  • PyFair | FAIR implementation built in Python.

  • FAIR Tool | Free (beer & speech). Open source application, built on R + Shiny.

  • OpenFAIR Risk Analysis Tool | Free (beer) for a 90-day evaluation. The Open Group's Excel-based application. Registration required. (Spreadsheet, data sheet, and guide to the theory of the application.)

Finding Data

FAIR Analyses

The best way to advance your quantitative risk analysis skills is to read as many analyses as you can, and perform as many as you can. This is one area I need help on: please email me any publicly accessible sample analysis if you know of one not listed here. It does not need to be FAIR, but I would prefer high-quality examples that are thorough from beginning to end.

  • Risk analyses by David Vose, using Model Risk | David Vose has posted many sample risk analyses using Model Risk, many of which can be performed using the free edition. If you are learning quantitative risk, or want to learn other models, I highly recommend working through these. They are not information security specific, but they don't need to be to teach the techniques.