In confronting risk, individuals and all agencies cannot simply respond with endless resources in mitigating the damage that hazards engender—they have to establish a balance. Risk Balance and Security combines the conceptual underpinnings of risk assessment and management at both the individual and agency level with a clear analysis of how these relate to challenges faced in responding to crime, terrorism, public health threats, and environmental disasters. With a new understanding of how decisions are made about threats and hazards, and how this understanding may be applied in our preparedness, prevention, and response strategies, we will be able to better conceptualize our task for enhancing security in the future. Key Features Links theoretical ideas with real world examples: Clear discussions are presented of how risk is constructed in modern society and why that is important in our efforts to develop strategies to enhance security. Provides an interdisciplinary treatment of risk: To capture the realities facing public security today, ideas are drawn from a number of different disciplines. Illustrates real applications of solutions to security problems: Students are shown how agencies are dealing with specific threats to security. Compares individual-level and institutional-level assessments of risk and security: These divergences enable readers to appreciate the complexities of establishing security. Intended Audience This is an excellent text for undergraduate and graduate courses such as Disaster Research, Security, Police Studies, Emergency Planning, and Crime and Public Policy in the departments of criminology, criminal justice, political science, and public health.
In seeking to evaluate the efficacy of post-9/11 homeland security expenses--which have risen by more than a trillion dollars, not including war costs--the common query has been, "Are we safer?" This, however, is the wrong question. Of course we are "safer"--the posting of a single security guard at one building's entrance enhances safety. The correct question is, "Are any gains in security worth the funds expended?"In this engaging, readable book, John Mueller and Mark Stewart apply risk and cost-benefit evaluation techniques to answer this very question. This analytical approach has been used throughout the world for decades by regulators, academics, and businesses--but, as a recent National Academy of Science study suggests, it has never been capably applied by the people administering homeland security funds. Given the limited risk terrorism presents, expenses meant to lower it have for the most part simply not been worth it. For example, to be considered cost-effective, increased American homeland security expenditures would have had each year to have foiled up to 1,667 attacks roughly like the one intended on Times Square in 2010--more than four a day. Cataloging the mistakes that the US has made--and continues to make--in managing homeland security programs, Terror, Security, and Money has the potential to redirect our efforts toward a more productive and far more cost-effective course.
Managing Risk and Information Security: Protect to Enable, an ApressOpen title, describes the changing risk environment and why a fresh approach to information security is needed. Because almost every aspect of an enterprise is now dependent on technology, the focus of IT security must shift from locking down assets to enabling the business while managing and surviving risk. This compact book discusses business risk from a broader perspective, including privacy and regulatory considerations. It describes the increasing number of threats and vulnerabilities, but also offers strategies for developing solutions. These include discussions of how enterprises can take advantage of new and emerging technologies—such as social media and the huge proliferation of Internet-enabled devices—while minimizing risk. With ApressOpen, content is freely available through multiple online distribution channels and electronic formats with the goal of disseminating professionally edited and technically reviewed content to the worldwide community. Here are some of the responses from reviewers of this exceptional work: “Managing Risk and Information Security is a perceptive, balanced, and often thought-provoking exploration of evolving information risk and security challenges within a business context. Harkins clearly connects the needed, but often-overlooked linkage and dialog between the business and technical worlds and offers actionable strategies. The book contains eye-opening security insights that are easily understood, even by the curious layman.” Fred Wettling, Bechtel Fellow, IS&T Ethics & Compliance Officer, Bechtel “As disruptive technology innovations and escalating cyber threats continue to create enormous information security challenges, Managing Risk and Information Security: Protect to Enable provides a much-needed perspective. This book compels information security professionals to think differently about concepts of risk management in order to be more effective. The specific and practical guidance offers a fast-track formula for developing information security strategies which are lock-step with business priorities.” Laura Robinson, Principal, Robinson Insight Chair, Security for Business Innovation Council (SBIC) Program Director, Executive Security Action Forum (ESAF) “The mandate of the information security function is being completely rewritten. Unfortunately most heads of security haven’t picked up on the change, impeding their companies’ agility and ability to innovate. This book makes the case for why security needs to change, and shows how to get started. It will be regarded as marking the turning point in information security for years to come.” Dr. Jeremy Bergsman, Practice Manager, CEB “The world we are responsible to protect is changing dramatically and at an accelerating pace. Technology is pervasive in virtually every aspect of our lives. Clouds, virtualization and mobile are redefining computing – and they are just the beginning of what is to come. Your security perimeter is defined by wherever your information and people happen to be. We are attacked by professional adversaries who are better funded than we will ever be. We in the information security profession must change as dramatically as the environment we protect. We need new skills and new strategies to do our jobs effectively. We literally need to change the way we think. Written by one of the best in the business, Managing Risk and Information Security challenges traditional security theory with clear examples of the need for change. It also provides expert advice on how to dramatically increase the success of your security strategy and methods – from dealing with the misperception of risk to how to become a Z-shaped CISO. Managing Risk and Information Security is the ultimate treatise on how to deliver effective security to the world we live in for the next 10 years. It is absolute must reading for anyone in our profession – and should be on the desk of every CISO in the world.” Dave Cullinane, CISSP CEO Security Starfish, LLC “In this overview, Malcolm Harkins delivers an insightful survey of the trends, threats, and tactics shaping information risk and security. From regulatory compliance to psychology to the changing threat context, this work provides a compelling introduction to an important topic and trains helpful attention on the effects of changing technology and management practices.” Dr. Mariano-Florentino Cuéllar Professor, Stanford Law School Co-Director, Stanford Center for International Security and Cooperation (CISAC), Stanford University “Malcolm Harkins gets it. In his new book Malcolm outlines the major forces changing the information security risk landscape from a big picture perspective, and then goes on to offer effective methods of managing that risk from a practitioner's viewpoint. The combination makes this book unique and a must read for anyone interested in IT risk." Dennis Devlin AVP, Information Security and Compliance, The George Washington University “Managing Risk and Information Security is the first-to-read, must-read book on information security for C-Suite executives. It is accessible, understandable and actionable. No sky-is-falling scare tactics, no techno-babble – just straight talk about a critically important subject. There is no better primer on the economics, ergonomics and psycho-behaviourals of security than this.” Thornton May, Futurist, Executive Director & Dean, IT Leadership Academy “Managing Risk and Information Security is a wake-up call for information security executives and a ray of light for business leaders. It equips organizations with the knowledge required to transform their security programs from a “culture of no” to one focused on agility, value and competitiveness. Unlike other publications, Malcolm provides clear and immediately applicable solutions to optimally balance the frequently opposing needs of risk reduction and business growth. This book should be required reading for anyone currently serving in, or seeking to achieve, the role of Chief Information Security Officer.” Jamil Farshchi, Senior Business Leader of Strategic Planning and Initiatives, VISA “For too many years, business and security – either real or imagined – were at odds. In Managing Risk and Information Security: Protect to Enable, you get what you expect – real life practical ways to break logjams, have security actually enable business, and marries security architecture and business architecture. Why this book? It's written by a practitioner, and not just any practitioner, one of the leading minds in Security today.” John Stewart, Chief Security Officer, Cisco “This book is an invaluable guide to help security professionals address risk in new ways in this alarmingly fast changing environment. Packed with examples which makes it a pleasure to read, the book captures practical ways a forward thinking CISO can turn information security into a competitive advantage for their business. This book provides a new framework for managing risk in an entertaining and thought provoking way. This will change the way security professionals work with their business leaders, and help get products to market faster. The 6 irrefutable laws of information security should be on a stone plaque on the desk of every security professional.” Steven Proctor, VP, Audit & Risk Management, Flextronics
Follow step-by-step guidance to craft a successful security program. You will identify with the paradoxes of information security and discover handy tools that hook security controls into business processes. Information security is more than configuring firewalls, removing viruses, hacking machines, or setting passwords. Creating and promoting a successful security program requires skills in organizational consulting, diplomacy, change management, risk analysis, and out-of-the-box thinking. What You Will Learn: Build a security program that will fit neatly into an organization and change dynamically to suit both the needs of the organization and survive constantly changing threats Prepare for and pass such common audits as PCI-DSS, SSAE-16, and ISO 27001 Calibrate the scope, and customize security controls to fit into an organization’s culture Implement the most challenging processes, pointing out common pitfalls and distractions Frame security and risk issues to be clear and actionable so that decision makers, technical personnel, and users will listen and value your advice Who This Book Is For: IT professionals moving into the security field; new security managers, directors, project heads, and would-be CISOs; and security specialists from other disciplines moving into information security (e.g., former military security professionals, law enforcement professionals, and physical security professionals)
Security Risk Management is the definitive guide for building or running an information security risk management program. This book teaches practical techniques that will be used on a daily basis, while also explaining the fundamentals so students understand the rationale behind these practices. It explains how to perform risk assessments for new IT projects, how to efficiently manage daily risk activities, and how to qualify the current risk level for presentation to executive level management. While other books focus entirely on risk analysis methods, this is the first comprehensive text for managing security risks. This book will help you to break free from the so-called best practices argument by articulating risk exposures in business terms. It includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment. It explores each phase of the risk management lifecycle, focusing on policies and assessment processes that should be used to properly assess and mitigate risk. It also presents a roadmap for designing and implementing a security risk management program. This book will be a valuable resource for CISOs, security managers, IT managers, security consultants, IT auditors, security analysts, and students enrolled in information security/assurance college programs. - Named a 2011 Best Governance and ISMS Book by InfoSec Reviews - Includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment - Explores each phase of the risk management lifecycle, focusing on policies and assessment processes that should be used to properly assess and mitigate risk - Presents a roadmap for designing and implementing a security risk management program
A superior new replacement to traditional discounted cash flow valuation models Executives and corporate finance practitioners now have a more reliable discount rate to value companies and make important business and investment decisions. In today's market, it’s free cash flow, cost of capital and return on invested capital that really matters, and now there's a superior tool to help analyze these metrics—Security Valuation and Risk Analysis. In this pioneering book, valuation authority Kenneth Hackel presents his next-generation methodology for placing a confident value on an enterprise and identifying discrepancies in value—a system that will provide even the most well-informed investor with an important competitive advantage. At the core of Security Valuation and Risk Analysis is Hackel's successful credit model for determining an accurate fair value and reliable discount rate for a company. Using free cash flow as the basis for evaluating return on invested capital is the most effective method for determining value. Hackel takes you step by step through years of compelling evidence that shows how his method has earned outsized returns and helped turn around companies that were heading toward failure. Whether used for corporate portfolio strategy, acquisitions, or performance management, the tools presented in Security Valuation and Risk Analysis are unmatched in their accuracy and reliability. Reading through this informative book, you'll discover how to: Take advantage of early warning signs related to cash flow and credit metrics Estimate the cost of equity capital from which free cash flows are discounted Identify where management can free up resources by using a better definition of free cash flow Security Valuation and Risk Analysis provides a complete education on cash flow and credit, from how traditional analysts value a company and spot market mispricing (and why many of those traditional methods are obsolete) to working with the most recent financial innovations, including derivatives, special purpose entities, pensions, and more. Security Valuation and Risk Analysis is your answer to a credit market gone bad, from an expert who knows bad credit from good.
The events of September 11, 2001 changed perceptions, rearranged national priorities, and produced significant new government entities, including the U.S. Department of Homeland Security (DHS) created in 2003. While the principal mission of DHS is to lead efforts to secure the nation against those forces that wish to do harm, the department also has responsibilities in regard to preparation for and response to other hazards and disasters, such as floods, earthquakes, and other "natural" disasters. Whether in the context of preparedness, response or recovery from terrorism, illegal entry to the country, or natural disasters, DHS is committed to processes and methods that feature risk assessment as a critical component for making better-informed decisions. Review of the Department of Homeland Security's Approach to Risk Analysis explores how DHS is building its capabilities in risk analysis to inform decision making. The department uses risk analysis to inform decisions ranging from high-level policy choices to fine-scale protocols that guide the minute-by-minute actions of DHS employees. Although DHS is responsible for mitigating a range of threats, natural disasters, and pandemics, its risk analysis efforts are weighted heavily toward terrorism. In addition to assessing the capability of DHS risk analysis methods to support decision-making, the book evaluates the quality of the current approach to estimating risk and discusses how to improve current risk analysis procedures. Review of the Department of Homeland Security's Approach to Risk Analysis recommends that DHS continue to build its integrated risk management framework. It also suggests that the department improve the way models are developed and used and follow time-tested scientific practices, among other recommendations.
Computers at Risk presents a comprehensive agenda for developing nationwide policies and practices for computer security. Specific recommendations are provided for industry and for government agencies engaged in computer security activities. The volume also outlines problems and opportunities in computer security research, recommends ways to improve the research infrastructure, and suggests topics for investigators. The book explores the diversity of the field, the need to engineer countermeasures based on speculation of what experts think computer attackers may do next, why the technology community has failed to respond to the need for enhanced security systems, how innovators could be encouraged to bring more options to the marketplace, and balancing the importance of security against the right of privacy.
Improvised explosive devices (IEDs) are a type of unconventional explosive weapon that can be deployed in a variety of ways, and can cause loss of life, injury, and property damage in both military and civilian environments. Terrorists, violent extremists, and criminals often choose IEDs because the ingredients, components, and instructions required to make IEDs are highly accessible. In many cases, precursor chemicals enable this criminal use of IEDs because they are used in the manufacture of homemade explosives (HMEs), which are often used as a component of IEDs. Many precursor chemicals are frequently used in industrial manufacturing and may be available as commercial products for personal use. Guides for making HMEs and instructions for constructing IEDs are widely available and can be easily found on the internet. Other countries restrict access to precursor chemicals in an effort to reduce the opportunity for HMEs to be used in IEDs. Although IED attacks have been less frequent in the United States than in other countries, IEDs remain a persistent domestic threat. Restricting access to precursor chemicals might contribute to reducing the threat of IED attacks and in turn prevent potentially devastating bombings, save lives, and reduce financial impacts. Reducing the Threat of Improvised Explosive Device Attacks by Restricting Access to Explosive Precursor Chemicals prioritizes precursor chemicals that can be used to make HMEs and analyzes the movement of those chemicals through United States commercial supply chains and identifies potential vulnerabilities. This report examines current United States and international regulation of the chemicals, and compares the economic, security, and other tradeoffs among potential control strategies.