Waltzing With Bears: Managing Risk on Software Projects
Average customer rating: 4.5 out of 5 stars
Tom DeMarco , and Timothy Lister
Manufacturer: Dorset House Publishing Company, Incorporated
ProductGroup: Book
Binding: Paperback


ASIN: 0932633609

Book Description

Any software project that's worth starting will be vulnerable to risk. Since greater risks bring greater rewards, a company that runs away from risk will soon find itself lagging behind its more adventurous competition.

By ignoring the threat of negative outcomes—in the name of positive thinking or a Can-Do attitude—software managers drive their organizations into the ground.

In Waltzing with Bears, Tom DeMarco and Timothy Lister—the best-selling authors of Peopleware—show readers how to identify and embrace worthwhile risks. Developers are then set free to push the limits.

You'll find that risk management

* makes aggressive risk-taking possible
* protects management from getting blindsided
* provides minimum-cost downside protection
* reveals invisible transfers of responsibility
* isolates the failure of a subproject.

Readers are taught to identify the most common risks faced by software projects:

* schedule flaws
* requirements inflation
* turnover
* specification breakdown
* and under-performance.

Packed with provocative insights, real-world examples, and project-saving tips, Waltzing with Bears is your guide to mitigating the risks—before they turn into problems.

Customer Reviews:

5 out of 5 stars Very useful.......2007-01-15

The book comes in handy, at a time where we are facing quite some challenges in a large IT project.

4 out of 5 stars Common Sense advice for Project management.......2006-10-23

At a certain fundamental level, projects are about how well one manages the risks in the process of achieving the project objectives. Projects by their very nature and scope of effort entail some level of risk (major or minor), but unfortunately the concept of recognizing and managing the risks is sorely absent in the majority of IT projects. And for those of us who have been involved in IT projects, this book is a stark reminder of how poorly risks are managed.

I found this book very useful in understanding the thought process behind risk management and, more importantly, the challenges and difficulties in implementing it. I have seen projects where risk management is nothing more than symbolic maintenance of a risk log, which is more "CYA" than anything practically useful. Of course, many other projects don't even maintain this token log.

There are some striking observations in this book which are common sense but get lost in the thicket of our daily project management duties. One of them is about project delays:

"When a project strays from schedule, it's seldom because the work planned just took longer than anyone had thought; a much more common explanation is that the project got bogged down doing work that wasn't planned at all.
Most software project managers do a reasonable job of predicting the tasks that have to be done and a poor job of predicting the tasks that might have to be done."

Another one is about schedule estimates:
"Software managers have tended to follow a standard rule: The Estimate and the goal are identical. The discipline of risk management though will counsel you to use goals as you always have to help people strive for best performance. At the same time, it will prompt you to use a very different planning estimate when making promises to your clients and management.

Schedule = Goal = N -> Really dumb equation

Schedule > Goal > N -> Sensible (N = Nano-estimate)"

This is so true. It always happens that whatever is the earliest articulated date of completion automatically is considered the deadline, which is most of the time unrealistic, and working against this timeline makes risk management even more impossible.

I would recommend this book to anyone interested in reading some common sense advice related to IT project management in general and risk management in particular.

5 out of 5 stars A necessity for *developers*.......2006-10-01

Read this unsystematic and occasionally glib book (I concede this point to other reviewers) and you will suddenly realize that you, your colleagues in development, your technical leads, and your CEO have probably all been lying to yourselves and to each other about every single "milestone". Risk analysis is not merely done badly most of the time. It's usually not done at all. I learned enough from this book on a Sunday to return to work the next day and successfully persuade my colleagues that our project plan was worthless, and we needed to come up with a new one *now* that properly took account of the risks. No, I'm not a risk analyst, but merely the effort of thinking about risk in a different way had a payoff. Before this, we were just driving blind.

1 out of 5 stars This is the resource you need in your toolkit to stop the glazed eye syndrome?.......2006-05-19

Hardly. I'm not sure what the definitive source on risk management for software projects is, but this isn't it. Not even a good primer.

1 out of 5 stars Doubletalk, Optimism, and Magic.......2006-01-25

As far as I can tell, this book is driven by doubletalk, optimism, and magic.

DOUBLETALK:
Always take risks, we are told, because projects without risk don't have enough benefit. (A glib assertion, but.. OK.) Then we are told that we should never evade a risk - that is, we should never leave anything up to chance. In the middle here and there, we are told that risks won't go away. And finally, we are told that showstoppers are managed by promoting such risks to project assumptions with ceremonies... that evidently banish evil possibilities. The intent is to give managers the impression that they can take macho keen risks while controlling everything.

Sorry Guys. You can look both ways twice, but every time you cross the street, you stand a chance of losing your life. Deal with it.


OPTIMISM:
Those risk diagrams. The wonderful thing about them is that... they're bounded! Ya know what? I'd kill for one of those! Project Management ™ might actually work for software development then! A bounded risk isn't a risk at all; it's a certainty with the possibility of coming in early in front of it.

Gee, Guys! Many of my risk diagrams are lognormal - and they come from histograms of historical data. You didn't cover those.

And finally there's the

MAGIC: Aside from the banishing rituals, there's the simulator based on magical industry averages. Wherever the data come from, and whatever it does, it doesn't have a large enough sample to make a stable... pie chart.

But that's just it. The book is great for pie chart mentalities, and every moment they spend reading it, they're staying out of my way.
Guide to Disaster Recovery
Average customer rating: Not rated
    Michael Erbschloe , and John Vacca
    Manufacturer: Course Technology
    ProductGroup: Book
    Binding: Paperback


    ASIN: 0619131225

    Book Description

    Guide to Disaster Recovery presents methods to identify vulnerabilities and take appropriate countermeasures to prevent and mitigate failure risks for an organization. This book provides the networking professional with a foundation in disaster recovery principles, including preparation of a disaster recovery plan, assessment of risks in the enterprise, development of policies and procedures, an understanding of the roles and relationships of various members of an organization, implementation of the plan, testing and rehearsal of the plan, and actually recovering from a disaster. The book takes an enterprise-wide approach to developing a disaster recovery plan. Students will learn how to create a secure network by putting policies and procedures in place, and how to restore a network in the event of a disaster.
    The Shellcoder's Handbook: Discovering and Exploiting Security Holes
    Average customer rating: 4.5 out of 5 stars
    Jack Koziol , David Litchfield , Dave Aitel , Chris Anley , Sinan "noir" Eren , Neel Mehta , and Riley Hassell
    Manufacturer: Wiley
    ProductGroup: Book
    Binding: Paperback


    ASIN: 0764544683

    Customer Reviews:

    5 out of 5 stars The hacker's bible.......2007-01-06

    Watching the series "24" I'm often impressed by how Chloe O'Brian and Edgar Stiles get to break into any system they want with ease. Reading this book I now know where they got their information from. This book is a classic; any kind of exploit is analysed by accomplished security experts. The coverage is pretty intense and even senior C and assembler programmers will need to read some of the material a few times to make sure they get it. This is the kind of book you have to take your time reading, yes it is that deep. Even though the book was released four years ago the price of the book remains the same, which tells me the information in it is valuable. If exploiting is something you want to get into, look no further, this is the only book you need.

    3 out of 5 stars Needs some work.......2006-09-28

    As a security consultant and penetration tester I can say that this book is quite interesting and covers a lot of the software exploitation area, but it still needs some work, mostly on how concepts are explained, used and written. You'll still find lots of papers on the internet with better (more complete) explanations, but still, this is a must-have for every penetration tester and security auditor.

    Be advised: This book is not for beginners.

    5 out of 5 stars Excellent Book.......2005-09-26

    In the last few months I've read several white hat/black hat books on security, and I must say that this one is the best. Not for those completely new to the subject, and a little too quick to explain some complex topics, but still a great book. I have only two complaints, which aren't making me give this book less than a 5:
    1. There are a lot of errors in the content, and following such an advanced book when you can't trust the code gets complicated.
    2. There are a few chapters, particularly in section 3, where the style hasn't been neutralized, and you can absolutely tell that the book was written by 5 different people with almost no coordination.

    Other than that, excellent book. I'm looking forward to buying Database Hacker's Handbook, by the same editor.

    5 out of 5 stars Koziol is great........2005-09-07

    This book is absolutely excellent. One of the best, if not the best security book I have ever read.


    As previously stated numerous times, it will require you to have Assembly and C knowledge. If you don't know either one the book will move lightning fast and you will probably not have the ability to keep up. If you do know both, you should be able to take the book at a nice and steady speed.


    Aside from difficulty, the rumors that it contains syntax errors ARE true. There are a few little errors in places like this (showing a typical off-by-one error to prove that C doesn't check boundaries on arrays):

    #include <stdio.h>

    int main() {
        int array[5] = {1,2,3,4,5};
        printf("%d",array[5];
    }


    While these errors ARE numerous and slightly annoying, the important thing to understand is that you get the general concepts they are trying to teach you. Anybody can fix the syntax to work correctly, but if they don't know the logic behind the syntax it's no different than a car mechanic trying to fix an F-16 jet.

    I am willing to overlook the syntax and lexical errors that appear in this book and give it a 5/5. I may be too light, but I think it's an absolutely essential book that everybody should read.


    If you find yourself wanting to get a book, whether it be Hacking: The Art of Exploitation, Reversing: Secrets of Reverse Engineering, Rootkits: subverting the Windows kernel, or The Art of Computer Virus Research and Defense, while all excellent books (which I highly recommend you all read if this book interests you), if you have the ability to get The Shellcoders Handbook: Discovering and Exploiting Security Holes, you should.

    5 out of 5 stars One of the best!.......2005-02-26

    This book is excellent. I highly recommend it for everyone from admins learning about what hackers are trying to do to their network to seasoned exploit writers. The best part of this book is that it gives a very solid foundation to anyone interested in the field. The only negative thing that I can say is that you can see a slight difference in writing style between some of the chapters, but I suppose that is to be expected with so many authors.
    The High Blood Pressure Hoax
    Average customer rating: 3.5 out of 5 stars
    Manufacturer: Sandkey publishing
    ProductGroup: Book
    Binding: Paperback

    ASIN: 1887202056

    Product Description

    Blood pressure drugs guarantee you will get worse, for they actually deplete the nutrients that cause high blood pressure, making sure you will need even more medications. They also shrink the brain and raise your risk of heart attack, senility and blindness. High blood pressure is not a deficiency of blood pressure-lowering drugs. But there are dozens of ways you can permanently cure your high blood pressure without drugs. And since healthy blood vessels determine the longevity of every organ in the entire body, you need this book even if you don't have high blood pressure, for vascular health is key to total body health and longevity. First of all, every single cell of your body depends on the health of the blood vessels that supply it. If you don't want to get Alzheimer's, then you need a healthy brain, but it is only as healthy as its blood supply. Likewise, if you don't want cancer (or you are trying to heal it), it starts (and spreads) in areas of poor circulation. The High Blood Pressure Hoax will show you that for every ailment, even one as simple as high blood pressure, there are multiple causes and multiple cures. You have a lot to choose from. In fact, I would suggest you read the entire book before you choose your program. For by understanding how the various causes work, you (who know your body and medical history better than anyone else) have the optimum opportunity for choosing the best solution for you. This is the ultimate plan for vascular health, but it doesn't stop there. It also continues on from where Detoxify or Die left off and takes you to more powerful levels of detoxification. I can't wait to empower you! So let's get started.

    Customer Reviews:

    5 out of 5 stars The High Blood Pressure Hoax.......2007-02-25

    The High Blood Pressure Hoax is an excellent, informative book that will enlighten the layperson about blood pressure and how to prevent hypertension. Dr Rogers explains everything in layman's terms and gives you an easy plan to follow. After all, high blood pressure and many ailments aren't a lack of drugs but a lack of nutrients!!

    2 out of 5 stars Not for the Average Guy.......2007-01-06

    My doc suggested I read this to better understand nutrition and its impact on health. He believes that doctors are more inclined to treat symptoms rather than underlying causes and that this shortcoming in medical education and practice is changing quickly. But not quickly enough. If you have an MD degree, you could breeze through this book. But for the average guy it's like trying to read something written by an alien. Even if you glean a good idea, you'll have a lot of trouble putting it into practice as the foods and supplements suggested are difficult to locate.
    Financial Modeling with Crystal Ball and Excel (Wiley Finance)
    Average customer rating: 4 out of 5 stars
    John Charnes
    Manufacturer: Wiley
    ProductGroup: Book
    Binding: Paperback


    ASIN: 0471779725

    Book Description

    Praise for
    Financial Modeling with Crystal Ball(r) and Excel(r)

    "Professor Charnes's book drives clarity into applied Monte Carlo analysis using examples and tools relevant to real-world finance. The book will prove useful for analysts of all levels and as a supplement to academic courses in multiple disciplines."
    -Mark Odermann, Senior Financial Analyst, Microsoft

    "Think you really know financial modeling? This is a must-have for power Excel users. Professor Charnes shows how to make more realistic models that result in fewer surprises. Every analyst needs this credibility booster."
    -James Franklin, CEO, Decisioneering, Inc.

    "This book packs a first-year MBA's worth of financial and business modeling education into a few dozen easy-to-understand examples. Crystal Ball software does the housekeeping, so readers can concentrate on the business decision. A careful reader who works the examples on a computer will master the best general-purpose technology available for working with uncertainty."
    -Aaron Brown, Executive Director, Morgan Stanley, author of The Poker Face of Wall Street

    "Using Crystal Ball and Excel, John Charnes takes you step by step, demonstrating a conceptual framework that turns static Excel data and financial models into true risk models. I am astonished by the clarity of the text and the hands-on, step-by-step examples using Crystal Ball and Excel; Professor Charnes is a masterful teacher, and this is an absolute gem of a book for the new generation of analyst."
    -Brian Watt, Chief Operating Officer, GECC, Inc.

    "Financial Modeling with Crystal Ball and Excel is a comprehensive, well-written guide to one of the most useful analysis tools available to professional risk managers and quantitative analysts. This is a must-have book for anyone using Crystal Ball, and anyone wanting an overview of basic risk management concepts."
    -Paul Dietz, Manager, Quantitative Analysis, Westar Energy

    "John Charnes presents an insightful exploration of techniques for analysis and understanding of risk and uncertainty in business cases. By application of real options theory and Monte Carlo simulation to planning, doors are opened to analysis of what used to be impossible, such as modeling the value today of future project choices."
    -Bruce Wallace, Nortel

    Customer Reviews:

    4 out of 5 stars goes beyond deterministic assumptions.......2007-06-24

    The book is all about simulations. In financial modelling, as opposed to engineering or science. Readers from the latter 2 fields who have coded simulations will find much in common. The specific equations in the text for finance are largely different from what you've met before. But the basic treatment is essentially the same.

    Typically, the text will describe some financial equation. The Crystal Ball program lets you easily generate random data as input to simulations, which it then runs.

    Despite Excel in the book's title, the book is mostly about using Crystal Ball. Charnes shows how you can go well beyond a simple deterministic treatment of an income statement or balance sheet. Typically, most companies just use the deterministic approach. The danger is that this approach relies on certain assumptions. Using Crystal Ball and the book, you can test the effect of relaxing these assumptions on the balance sheet. A more robust approach to financial planning.

    4 out of 5 stars Financial Modeling with Crystal Ball and Excel.......2007-05-13

    I think the topics could have used a bit more detail, but the book presents excellent technical models.
    Security Metrics: Replacing Fear, Uncertainty, and Doubt
    Average customer rating: 5 out of 5 stars
    Andrew Jaquith
    Manufacturer: Addison-Wesley Professional
    ProductGroup: Book
    Binding: Paperback


    ASIN: 0321349989

    Book Description

    The Definitive Guide to Quantifying, Classifying, and Measuring Enterprise IT Security Operations

    Security Metrics is the first comprehensive best-practice guide to defining, creating, and utilizing security metrics in the enterprise.

    Using sample charts, graphics, case studies, and war stories, Yankee Group Security Expert Andrew Jaquith demonstrates exactly how to establish effective metrics based on your organization's unique requirements. You'll discover how to quantify hard-to-measure security activities, compile and analyze all relevant data, identify strengths and weaknesses, set cost-effective priorities for improvement, and craft compelling messages for senior management.

    Security Metrics successfully bridges management's quantitative viewpoint with the nuts-and-bolts approach typically taken by security professionals. It brings together expert solutions drawn from Jaquith's extensive consulting work in the software, aerospace, and financial services industries, including new metrics presented nowhere else. You'll learn how to:

    • Replace nonstop crisis response with a systematic approach to security improvement
    • Understand the differences between "good" and "bad" metrics
    • Measure coverage and control, vulnerability management, password quality, patch latency, benchmark scoring, and business-adjusted risk
    • Quantify the effectiveness of security acquisition, implementation, and other program activities
    • Organize, aggregate, and analyze your data to bring out key insights
    • Use visualization to understand and communicate security issues more clearly
    • Capture valuable data from firewalls and antivirus logs, third-party auditor reports, and other resources
    • Implement balanced scorecards that present compact, holistic views of organizational security effectiveness

    Whether you're an engineer or consultant responsible for security and reporting to management, or an executive who needs better information for decision-making, Security Metrics is the resource you have been searching for.

    Andrew Jaquith, program manager for Yankee Group's Security Solutions and Services Decision Service, advises enterprise clients on prioritizing and managing security resources. He also helps security vendors develop product, service, and go-to-market strategies for reaching enterprise customers. He co-founded @stake, Inc., a security consulting pioneer acquired by Symantec Corporation in 2004. His application security and metrics research has been featured in CIO, CSO, InformationWeek, IEEE Security and Privacy, and The Economist.

    Foreword

    Preface

    Acknowledgments

    About the Author

    Chapter 1 Introduction: Escaping the Hamster Wheel of Pain

    Chapter 2 Defining Security Metrics

    Chapter 3 Diagnosing Problems and Measuring Technical Security

    Chapter 4 Measuring Program Effectiveness

    Chapter 5 Analysis Techniques

    Chapter 6 Visualization

    Chapter 7 Automating Metrics Calculations

    Chapter 8 Designing Security Scorecards

    Index

    Customer Reviews:

    5 out of 5 stars Every security professional (or wannabe) should read this book.......2007-09-21

    I'm not sure what I can write to sway you to buy or read the book if 5-star reviews from Ben Rothke and Richard Bejtlich don't sway you, but I'll throw my likes and dislikes in here anyway. I'm not a "metrics guy" (in fact, I'm still not), but I do think the book puts the concept of using them into perspective for the person who may not use any metrics in their security work.

    I've been summing up the book to people at work by using the example (and I'll badly paraphrase) from the book of "if your spam gateway blocks 100,000 spam messages a day, is that a good metric?" Initially you may say yes, that is a good metric. In fact, most people at work said the same thing. But, as the author explains, it is a poor metric. Better metrics are useful percentages like the percentage of missed spam or the percentage of false positives. Saying that 100,000 spam messages are being stopped only tells us that you have a ton of spam on your network.

    Some of the things I liked about the book were the author's discussions on how to make charts more readable and efficient at portraying information. I had to read the Tufte books in college and have to admit that I got more out of chapter 6 (visualization) than I feel I learned that whole semester of class. Chapter 2, discussing what makes good metrics, was extremely useful, as were chapters 3 & 4, because they gave good examples of metrics you can use to measure an organization's various defenses like perimeter security or application security. The discussion of using COBIT, ITIL and Security Frameworks in Chapter 4 was also good.

    I only had two minor gripes. First, toward the end of the book the author talks about colors of slides and charts, which obviously doesn't do us any good since the book is in black and white; and second, he does use some big words throughout the book and I did find myself having to go back and reread things. Could he have put it into simpler terms? Probably, but that doesn't make the book bad, it just means I need to work on my vocab :-)

    Overall it was a good entrance to the world of security metrics for me and took away some of the perceived boredom of them. It definitely gave me some tools to look more critically at the numbers and stats that some of the vendors throw our way, as well as how to deliver data and information in a more useful manner.

    5 out of 5 stars I liked it better than Cats!.......2007-09-19

    What a book. Seriously, I laughed, I cried. I shouted in frustration, only to be placated on the next page. I got a better understanding of what Andy has been banging on about with Security Metrics. And it helps me do my job better.

    3 out of 5 stars Excellent info; too much nerd-speak.......2007-09-06

    As the other reviewers state, the information in this book is very valuable and would be an asset to any information security professional, particularly those of us involved in reporting metrics.

    My only complaint is the author's writing style. He uses too much nerd-speak. By that I mean his sentences use a lot of giant, impressive-sounding words and jargon when he could say the same thing using simpler, day-to-day english. Because of that, the book was a difficult read for me. I had to re-read many parts to make sure I understood what the author was saying.

    I'm at work now and don't have the book with me. I'll update this review later with some examples.

    5 out of 5 stars Security Metrics: Replacing Fear, Uncertainty & Doubt.......2007-08-24

    The book is an excellent resource for the security professional who is interested in implementing a strong industrial security program with measures that can assess its effectiveness. I highly recommend it.

    5 out of 5 stars A ground-breaking book that all security managers should read.......2007-08-10

    I read Security Metrics right after finishing Managing Cybersecurity Resources, a book by economists arguing that security decisions should be made using cost-benefit analysis. On the face of it, cost-benefit analysis makes perfect sense, especially given the authors' analysis. However, Security Metrics author Andy Jaquith quickly demolishes that approach (confirming the problem I had with the MCR plan). While attacking the implementation (but not the idea) of Annual Loss Expectancy for security events, Jaquith writes on p 33 "[P]ractitioners of ALE suffer from a near-complete inability to reliably estimate probabilities [of occurrence] or losses." Bingo, game over for ALE and cost-benefit analysis. It turns out the reason security managers "herd" (as mentioned in MCR) is that they have no clue what else to do; they seek safety in numbers by emulating peers and then claim that as a defense when they are breached.

    Fortunately, Security Metrics offers another solution. The book gives readers three sets of information: theory, metrics, and tools (concepts, not programs). The theory chapters (1 and 2) were so concise yet insightful I was tempted to underline every sentence. (I am not kidding.) Even the Preface made me glad to be reading the book when it associated "security ROI" with "the Macarena" and called it a "needless distraction." I laughed in agreement when I saw Andy call "security enablement" the "Abominable Snowman: it is rarely spotted, but legions of people swear it exists. After all, as my friend Dan Geer puts it, 'You don't usually see airlines advertising how their planes fall out of the sky less often than their competitors.'" Why is that? My answer is simple: security is assumed and expected. Advertising anything else has no effect or makes people suspicious. I knew this book would be good.

    The metrics chapters probably list hundreds of metrics you can extract verbatim and apply to your own environment. To the reviewer who wanted to reprint them in an appendix: they're called chapters 3 and 4. My main concern with the metrics was the focus on input-centric measurements instead of results. I would have liked to read more metrics on measuring whether security programs are working, rather than what techniques and tools are applied up front.

    The tools chapters were helpful to anyone needing a statistics refresher. The visualization sections were especially helpful. (Feel free to dismiss yet another ignorant review from WB, who thinks a "review" means writing a few paragraphs after flipping through the pages of five books a day.) Andy's examples of turning lousy graphs and charts into information visualization vehicles should be followed by all managers.

    Security Metrics is strengthened by the many stories from the author's consulting experience. I sensed that his techniques work and are not the product of the thought laboratory alone. I found his "Balanced Scorecard" approach to be interesting, especially to the degree it ties real metrics to business operations.

    I had a few issues with terminology, such as using the term "threats" on p 231 when "attacks" is more accurate. (The football analogy is correct, however.) I semi-agreed with the author's suggestion to abandon "risk management" in favor of metrics-based approaches, but I didn't think two pages (4-5) were really enough to make the case. On p 264, threats are not risks, but they help instantiate risks. On pp 78-7, "risk of exploit" should be "ease of exploitation."

    These are minor concerns, given the overwhelming concentration of practical and implementation-worthy pieces of information in Security Metrics. You must read this book if you care to measure security progress. Now we need Dan Geer to extend beyond writing wise forewords and articles into the world of his own book!
    Information Security Risk Analysis, Second Edition
    Average customer rating: 3.5 out of 5 stars
    • What? Are you managing risk?
    • Great resource
    • Good...
    • AWESOME!!!
    • Proper content, horrible writing
    Information Security Risk Analysis, Second Edition
    Thomas R. Peltier
    Manufacturer: AUERBACH
    ProductGroup: Book
    Binding: Hardcover

    Similar Items:
    1. A Practical Guide to Security Assessments
    2. The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments
    3. Inside Network Perimeter Security (2nd Edition) (Inside)
    4. Incident Response and Computer Forensics, Second Edition
    5. Darknet: Hollywood's War Against the Digital Generation

    ASIN: 0849333466

    Book Description

    The risk management process supports executive decision-making, allowing managers and owners to perform their fiduciary responsibility of protecting the assets of their enterprises. This crucial process should not be a long, drawn-out affair. To be effective, it must be done quickly and efficiently. Information Security Risk Analysis, Second Edition enables CIOs, CSOs, and MIS managers to understand when, why, and how risk assessments and analyses can be conducted effectively. This book discusses the principle of risk management and its three key elements: risk analysis, risk assessment, and vulnerability assessment. It examines the differences between quantitative and qualitative risk assessment, and details how various types of qualitative risk assessment can be applied to the assessment process. The text offers a thorough discussion of recent changes to FRAAP and the need to develop a pre-screening method for risk assessment and business impact analysis.

    Customer Reviews:

    1 out of 5 stars What? Are you managing risk?.......2007-07-26

    As a corporate leader and IT leader, I need proven methodology and opinion from experienced leadership. "This crucial process should not be a long, drawn-out affair." What?! This is an essential capability of corporate leadership. "To be effective, it must be done quickly and efficiently." Okay... Let's look at what the risk management process is and, today, consider that it transcends business and requires managers and executives who - just perhaps - grew up in the information age. They cannot rely on the work of those who did not, and/or are trying to market a product. Lead the way, leaders of the future. Protect your business by understanding and managing it yourselves instead of following people who want to sell you books and make money off of your business core competence. It takes real leadership from informed management who did more than read a book. Understand issues, solve problems, hire people/leaders who know how to handle risk from all vectors and retain the talent that preserves the future of your business. Listen to them. Challenge them. Build a system that manages your risk. Maybe this book offers something, but be your own best counsel.

    5 out of 5 stars Great resource.......2007-07-17

    An excellent resource on risk analysis techniques and methodologies. The breadth and depth of coverage fits a wide range of audiences. I work in information security and found the concepts and details very, very helpful and ones I could relate to in my work. The organization of the chapters and the overall book is very logical and facilitates readability. I would highly recommend this book to anyone working in any aspect of risk assessment/management.

    2 thumbs up!

    4 out of 5 stars Good..........2005-11-04

    After reading a large number of security books and papers, you come to an uncanny realization: if an author does not misspell HIPAA in his entire work, he's gotta be good! But then again, if a guy was a CSO when I was just finishing my elementary school, I am sure he knows something about security...

    Here is what I have to say about this title: it is good, but pretty dry. And I happen to hate dry books. However, I am willing to make an exception for this one, since it is a management book about security risk. It won't teach you how to hack, scan, exploit or protect and firewall, but rather how to define, document, manage, organize and facilitate.

    I would recommend the book for those involved with formal risk assessment for organizations. Admittedly, I do not fit this profile myself, but I enjoyed it since the author presents a somewhat novel approach to security risk assessment (called FRAAP) and I was curious about it. I also liked the section on mapping controls, such as HIPAA to ISO17799, etc.

    Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA is a Security Strategist with a major security company. He is an author of the book "Security Warrior" and a contributor to "Know Your Enemy II" and the upcoming "Hacker's Challenge III". In his spare time, he maintains his security portal info-secure.org and his blog at O'Reilly. His next book will be about security log analysis.

    5 out of 5 stars AWESOME!!!.......2005-07-07

    This is a great book about risk. Very valuable. Written in a clear and easy to understand style.

    A bargain at 5 times the price. You can't get this info and data anywhere else.

    2 out of 5 stars Proper content, horrible writing.......2005-04-13

    After having read the book, I was left with a mixed feeling. The content of the book is OK. Not special, just OK. If this book changed your way of thinking about risk, then this is probably one of your first books you read on the subject. I give the book content 4 stars, since it's decent, easy to follow and fairly complete. Besides that, the author included three good articles at the end of the book, one of which (by Caroline Hamilton) is particularly well-written.

    Now for the style. I can only agree with one of the other reviewers regarding the comment he made about proofreading the book. I wonder if the book was proofread at all. There are so many errors and annoyances in this book, it starts working on my nerves fairly quickly. To name but a few:

    The writer contradicts himself on several occasions. Sometimes this gets hilarious:
    - Page 30: [The cost/benefit analysis] is the most important step of any risk analysis process.
    - Page 35: As discussed in the previous example, the scope statement is the most important element of the risk analysis process.
    - Page 39: The most important element of any risk analysis process is the recommendations of controls and safeguards... etc etc.


    I understand that mister O'Leary is his mentor, but don't tell me five $%^$@ times that he is the Director of the Education Resource Center (pages ix, 12, 13, 65, 66).

    The spelling errors are a real pain in the butt:

    - page 217: "Aurebach" instead of "Auerbach" (my favorite; it's his own publisher).
    - page 16: "can shared" instead of "can be shared"
    - page 36: ".appropriate" instead of "appropriate"
    - page 43: "their role" instead of "his role"
    - page 45: "control" instead of "risk" (last word on the page)
    - page 46: "these" instead of "there"
    - page 47: "guideline" instead of "guidelines"
    - page 55: "their" instead of "its" (it refers back to "job")
    - page 64: wrong comma usage
    - page 71: "in" instead of "it"
    - .....
    - page 162: "Originizational" instead of "Organizational"
    - page 217: "Ozierz's" instead of "Ozier's"


    The writer uses Ctrl+C and Ctrl+V too many times. Definitions should be reworded, not blindly copied. See pages 7 and 57, pages 47 and 72, etc.

    Sometimes bulleted items in the same list have a trailing dot, sometimes they don't.

    I can go on and on.

    To wrap it up, the writing gets 1 star. Equals 5 stars. Which will be rounded to 2 stars, simply because of his sloppy writing. If the writing were better, I might give it 3 or 4 stars.
    Information Security Management Handbook, Sixth Edition (Isc2 Press)
    Average customer rating: 3.5 out of 5 stars
    • Excellent Security book
    • A multiple vision of IT Security
    • Book content is excellent, but paper quality is worst ever
    • Volumes vs editions
    • Excellent reference!
    Information Security Management Handbook, Sixth Edition (Isc2 Press)
    Harold F. Tipton , and Micki Krause
    Manufacturer: AUERBACH
    ProductGroup: Book
    Binding: Hardcover

    Similar Items:
    1. The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program, Second Edition
    2. CISSP All-in-One Exam Guide, Third Edition (All-in-One)
    3. Official (ISC)2 Guide to the CISSP Exam
    4. The Executive Guide to Information Security: Threats, Challenges, and Solutions (Symantec Press)
    5. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management

    ASIN: 0849374952

    Book Description

    Never before have there been so many laws designed to keep corporations honest. New laws and regulations force companies to develop stronger ethics policies, and shareholders themselves are holding publicly traded companies accountable for their practices. Consumers are also concerned about the privacy of their personal information, and current and emerging legislation reflects this trend. Under these conditions, it can be difficult to know where to turn for reliable, applicable advice. The sixth edition of the Information Security Management Handbook addresses up-to-date issues in this increasingly important area. It balances contemporary articles with relevant articles from past editions to bring you a well-grounded view of the subject. The contributions cover questions important to those tasked with securing information assets, including the appropriate deployment of valuable resources as well as dealing with legal compliance, investigations, and ethics. Promoting the view that the management ethics and values of an organization lead directly to its information security program and the technical, physical, and administrative controls to be implemented, the book explores topics such as risk assessments; metrics; security governance, architecture, and design; emerging threats; standards; and business continuity and disaster recovery. The text also discusses physical security, including access control and cryptography, and a plethora of technology issues such as application controls, network security, virus controls, and hacking. US federal and state legislators continue to make certain that information security is a board-level conversation, and the Information Security Management Handbook, Sixth Edition continues to ensure that you have a clear understanding of the rules and regulations and an effective method for their implementation.

    Customer Reviews:

    4 out of 5 stars Excellent Security book.......2007-01-05

    Excellent, very extensive security book. A very good reminder for the preparation of the CISSP exam. (It is one of the officially recommended books.)

    I passed my CISSP exam, because of this book.

    Jako Boonekamp
    CISSP #97956
    The Netherlands

    5 out of 5 stars A multiple vision of IT Security.......2006-03-23

    This book is an excellent example of a compilation of dozens of good works on IT Security. The quality of the articles and the different points of view from which the topics are treated make it an essential work. It has only one failing: such an amount of information has been packed into a single volume that the publisher has been forced to reduce both the font and the thickness of the paper to the minimum. Very bad for those of us who are no longer twenty years old and who, in addition, are used to marking the most interesting paragraphs with a pencil.

    4 out of 5 stars Book content is excellent, but paper quality is worst ever.......2005-12-16

    I am reading the fifth edition of this book. In the earlier editions the book was published in three or four volumes. The fifth edition is a combination of all volumes. So that is good.

    The book is a dense read. But the content is excellent. There are 163 chapters in this book. Each chapter is written by a different author - an expert in the respective area. So the book provides a best-of-breed treatment of various assorted topics. However, not all chapters are good (but most are). I'd say about 20 or so are filler kinds of chapters. Nothing really special in them. But the book is worth it for the rest of the material.

    The chapters are also written to provoke further thought into each area. Kind of a "first principles" approach - which I like compared to the CISSP guide approach of "here is the information, now devour it for the exam". However, this book is not an exam guide (and I knew that beforehand). I bought this book for the material in it and I am very satisfied.

    If you are the kind of person who wants to quickly assimilate and regurgitate the material for the CISSP, then don't even bother. I am the kind of person who loves to read things from the basics slowly, getting the concepts and ideas all clear in my mind, and hence I plan to finish this book before reading the CISSP exam guide (which, by the way, is also sitting on my bookshelf).

    However, I have a major complaint against the publishers. Having charged one hundred thirty dollars for a 2000-page book, I'd expect the quality of the paper to be decent. The paper is so thin, I invariably turn two pages when I am thinking it is one page. It is so thin, even turning the page carefully damages the paper. I agree that the content is specialized and most authors hold at least two or more certifications (CISSP, CISA, SSCP etc.), but that does not warrant printing the book on really wafer-thin transparent paper. Sure, the publishers need to make money, but not by compromising the quality of the paper SO MUCH.

    And you'd expect this kind of book to live on your shelf for a much longer time than "Teach yourself crap in 24 hours" books, but the quality of the paper will make that unlikely. Hence I am giving 4 stars to a book which otherwise would deserve 6 stars.

    5 out of 5 stars Volumes vs editions.......2005-04-19

    Some of the reviewers are confusing 'volumes' with editions. Each edition of this book contains several volumes. Each volume contains new papers, adding them to the current edition of the ISMH.

    The current edition of the Information Security Management Handbook is the 5th. At present, it has only 2 volumes. This CD-ROM only contains the 1st volume of the 5th edition. There is a new CD-ROM of the ISMH with a 2005 date (ISBN 0849339422) which I *think* contains the new volume 2 of the 5th edition (ISBN 0849332109)

    What makes this CD-ROM valuable over the 5thED-V1 book is that it contains the contents of the 3rd and the 4th editions! I know the 4th edition contained four volumes.

    5 out of 5 stars Excellent reference!.......2003-09-04

    Excellent reference!

    This is an excellent security reference!

    If you are looking for a pure CISSP prep book, this is not the best. But for general info sec, this is an awesome book.
    Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI
    Average customer rating: 5 out of 5 stars
    • The Oracle of Metrics (and I am not talking about the company)
    Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI
    Debra S. Herrmann
    Manufacturer: AUERBACH
    ProductGroup: Book
    Binding: Hardcover

    Similar Items:
    1. Security Metrics: Replacing Fear, Uncertainty, and Doubt
    2. Implementing Information Security Based on ISO 27001 and ISO 17799: A Management Guide
    3. Managing an Information Security and Privacy Awareness and Training Program
    4. Enterprise Security Architecture: A Business-Driven Approach
    5. The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

    ASIN: 0849354021

    Book Description

    While it has become increasingly apparent that individuals and organizations need a security metrics program, it has been exceedingly difficult to define exactly what that means in a given situation. There are hundreds of metrics to choose from, and an organization's mission, industry, and size will affect the nature and scope of the task as well as the metrics and combinations of metrics appropriate to accomplish it. Finding the correct formula for a specific scenario calls for a clear, concise guide with which to navigate this sea of information. Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI defines more than 900 ready-to-use metrics that measure compliance, resiliency, and return on investment. The author explains what needs to be measured, why and how to measure it, and how to tie security and privacy metrics to business goals and objectives. The book addresses measuring compliance with current legislation, regulations, and standards in the US, EC, and Canada, including Sarbanes-Oxley, HIPAA, and the Data Protection Act (UK). The metrics covered are scaled by information sensitivity, asset criticality, and risk, and aligned to correspond with different lateral and hierarchical functions within an organization. They are flexible in terms of measurement boundaries and can be implemented individually or in combination to assess a single security control, system, network, region, or the entire enterprise at any point in the security engineering lifecycle. The text includes numerous examples and sample reports to illustrate these concepts and stresses a complete assessment by evaluating the interaction and interdependence between physical, personnel, IT, and operational security controls. Bringing a wealth of complex information into comprehensible focus, this book is ideal for corporate officers, security managers, internal and independent auditors, and system developers and integrators.

    Customer Reviews:

    5 out of 5 stars The Oracle of Metrics (and I am not talking about the company) .......2007-03-08

    ***This is a big book full of a lot of facts and figures.*** (Yes, a very big book, not a cover-to-cover book.) 824 pages, 5 chapters, and by no means a read-it-from-cover-to-cover book. The first two chapters, the "Introduction" and "the What's and Whys of Metrics", are the author's interesting and quite knowledgeable overview of the world of operational, personal, physical and IT security metrics. After that, the remaining chapters go in-depth. Chapter 3, "Measuring Compliance", goes into great detail about relating the different acts, bills, regulations and directives to various metrics. Chapter 4, "Measuring Resilience", provides numerous worksheets and questionnaires as well as an abundance of information regarding threats, asset protection, mission protection, audit trails and others. Finally, Chapter 5, "Measuring ROI", covers cost, benefits, some case studies and comparative analysis, as well as, again, some great worksheets.
    A very useful and well-organized guide. (Although a bit on the expensive side.)
    Debris-flow Hazards and Related Phenomena (Springer Praxis Books / Geophysical Sciences)
    Average customer rating: Not rated
      Debris-flow Hazards and Related Phenomena (Springer Praxis Books / Geophysical Sciences)
      Matthias Jakob , and Oldrich Hungr
      Manufacturer: Springer
      ProductGroup: Book
      Binding: Hardcover

      Accessories:
      1. Volcanism
      2. Continental Scientific Drilling: A Decade of Progress, and Challenges for the Future
      3. Soils of Volcanic Regions in Europe

      ASIN: 3540207260

      Book Description

      With climate change and deforestation, debris flows and debris avalanches have become the most significant landslide hazards in many countries. In recent years there have been numerous debris flow avalanches in Southern Europe, South America and the Indian Subcontinent, resulting in major catastrophes and large loss of life. This is therefore a major high-profile problem for the world's governments and for the engineers and scientists concerned.

      Matthias Jakob and Oldrich Hungr are ideally suited to edit this book. Matthias Jakob has worked on debris flows for over a decade and has had numerous papers published on the topic, as well as working as a consultant on debris flows for municipal and provincial governments. Oldrich Hungr has worked on site investigations of debris flows, avalanches and rockfall, with emphasis on slope stability analysis and evaluation of risks to roads in built-up areas. He has also developed mathematical models for landslide dynamic analysis. They have invited world-renowned experts to join them in this book.
