---
product_id: 6671353
title: "Measuring and Managing Information Risk: A FAIR Approach"
price: "AR$143456"
currency: ARS
in_stock: true
reviews_count: 10
url: https://www.desertcart.com.ar/products/6671353-measuring-and-managing-information-risk-a-fair-approach
store_origin: AR
region: Argentina
---

# Measuring and Managing Information Risk: A FAIR Approach

**Price:** AR$143456
**Availability:** ✅ In Stock

## Quick Answers

- **What is this?** Measuring and Managing Information Risk: A FAIR Approach
- **How much does it cost?** AR$143456 with free shipping
- **Is it available?** Yes, in stock and ready to ship
- **Where can I buy it?** [www.desertcart.com.ar](https://www.desertcart.com.ar/products/6671353-measuring-and-managing-information-risk-a-fair-approach)

## Best For

- Customers looking for quality international products

## Why This Product

- Free international shipping included
- Worldwide delivery with tracking
- 15-day hassle-free returns

## Description

*Measuring and Managing Information Risk: A FAIR Approach*, by Jack Freund and Jack Jones.

## Technical Specifications

| Specification | Value |
|---------------|-------|
| Best Sellers Rank | #844,497 in Books; #362 in Information Management (Books); #1,470 in Computer Security & Encryption (Books); #3,026 in Computer Science (Books) |
| Customer Reviews | 4.6 out of 5 stars (237 ratings) |
| Dimensions  | 7.5 x 0.93 x 9.25 inches |
| Edition  | 1st |
| ISBN-10  | 0124202314 |
| ISBN-13  | 978-0124202313 |
| Item Weight  | 1.88 pounds |
| Language  | English |
| Print length  | 408 pages |
| Publication date  | September 5, 2014 |
| Publisher  | Butterworth-Heinemann |

## Images

![Measuring and Managing Information Risk: A FAIR Approach - Image 1](https://m.media-amazon.com/images/I/61Hfu69UxKL.jpg)

## Customer Reviews

### ⭐⭐⭐⭐⭐ The CISO's Bible
*by S***E on April 21, 2015*

In a world where seemingly everything is oversold, this is the rare exception that is undersold. The title succinctly states, without drama, the authors’ broad ambit. They over-deliver. The book is nothing less than a manifesto for quantitative management of information security risk. Consider how radical it is to promise a truly quantitative approach to cyber risk management in a world dominated by numerous qualitative “frameworks,” red-yellow-green heat maps, thousand-item one-size-fits-all questionnaires, subjective and qualitative scales of likelihood and impact, and fake math like “red times green equals yellow”. And then consider how transformational it is to deliver on the promise. Other reviewers have nicely discussed the book’s coverage of the FAIR taxonomy. Suffice it to say that MMIR is your best friend in understanding the Open Group FAIR standards. Freund and Jones bring a potentially dry subject alive with many “Talking About Risk” sidebars that tell of their experience with FAIR methods in practice. These war stories make the content accessible and relevant. I especially appreciate the authors’ informal style that is conversational without being verbose and humorous without being patronizing or cute. What the war stories leave out, chapter 8 fills in with numerous example analyses. A worked example is better than a thousand war stories. If giving a thorough rationale for and introduction to FAIR were all that MMIR did, it would be worth its weight in gold. But wait! There’s more! It’s the “managing” part, chapters 11-14, that constitutes another breakthrough beyond FAIR. There Freund and Jones begin laying out (one senses it is a work in progress) a risk management ontology, built on the FAIR risk measurement ontology. In rethinking the classification of controls in the context of threat event frequency, vulnerability, and loss mitigation, they provide ways to assess and – yikes! – quantify the potential value of control improvements, in isolation or in combination. This gives the CISO the beginning of a way to manage the control environment, not just the threats. But controls not consistently adhered to are both false comfort and all too common. Therefore F&J suggest that variance in the application of controls is perhaps the single most important set of infosec management metrics. As the old saw goes, if you cannot measure it you cannot manage it, and if you do not know how well your controls are operating on a continuing basis, then what confidence can you have in the millions of dollars invested in technology and staff? Which brings us to metrics. It is perhaps not surprising that a methodology based on quantitative analysis lends itself to meaningful metrics. F&J offer many concrete suggestions far superior to the grab-bag of metrics found in vendor dashboards (measure what’s cheap and looks cool) and other books. These are real metrics that the CISO can use to … manage risk. And managing risk is really why we do all this stuff. Making good decisions on both operational and strategic levels requires good data derived from reliable instruments and methods. It is in managing risk that MMIR is truly seminal and profound. If they do another edition Freund and Jones should consider adding a subtitle, “The CISO’s Bible,” because CISOs will find themselves coming back to it time and again. Or maybe that is the next book.
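The quantification the reviewer describes (threat event frequency, vulnerability and loss magnitude combined into a loss estimate, then re-run with an improved control to price the control's value) can be shown in a few dozen lines. The block below is an added illustration, not code from the book, the authors or the reviewer. The chain it implements, Vulnerability = P(Threat Capability > Resistance Strength), Loss Event Frequency = Threat Event Frequency × Vulnerability, annualised loss = Loss Event Frequency × Loss Magnitude, follows the Open Group FAIR taxonomy; the use of three-point estimates sampled from a triangular distribution, the `Estimate`/`Scenario` names and every scenario number are constructed assumptions for the demo.

```python
"""
FAIR-style Monte Carlo risk estimate (added illustration, not from the book).

Chain from the Open Group FAIR taxonomy:
  Vulnerability        = P(Threat Capability > Resistance Strength)
  Loss Event Frequency = Threat Event Frequency * Vulnerability
  Annualised loss      = Loss Event Frequency * Loss Magnitude
Inputs are calibrated min / most-likely / max estimates sampled from a
triangular distribution (a simplifying assumption; FAIR tools often use PERT).
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular's signature is (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    tef: Estimate    # threat events per year
    tcap: Estimate   # threat capability, percentile scale 0-100
    rs: Estimate     # control resistance strength, percentile scale 0-100
    loss: Estimate   # loss magnitude per loss event, currency units


def vulnerability(scn: Scenario, rng: random.Random, samples: int = 20_000) -> float:
    """Fraction of sampled threat events in which capability beats resistance."""
    hits = sum(1 for _ in range(samples) if scn.tcap.sample(rng) > scn.rs.sample(rng))
    return hits / samples


def simulate(scn: Scenario, trials: int = 20_000, seed: int = 1) -> dict:
    """Return vulnerability plus mean / median / 90th percentile annualised loss."""
    rng = random.Random(seed)             # fixed seed keeps the run reproducible
    vuln = vulnerability(scn, rng)
    annual = []
    for _ in range(trials):
        lef = scn.tef.sample(rng) * vuln           # loss events per year
        annual.append(lef * scn.loss.sample(rng))  # annualised loss exposure
    annual.sort()
    return {
        "vulnerability": vuln,
        "mean": statistics.fmean(annual),
        "median": annual[len(annual) // 2],
        "p90": annual[int(0.9 * len(annual))],
    }


def control_value(before: Scenario, after: Scenario, **kw) -> float:
    """Expected annual loss avoided by a control change (difference in mean ALE)."""
    return simulate(before, **kw)["mean"] - simulate(after, **kw)["mean"]


# Constructed scenario: external actor against an internet-facing admin interface.
BASELINE = Scenario(
    tef=Estimate(2, 6, 12),
    tcap=Estimate(40, 65, 90),
    rs=Estimate(30, 50, 70),          # single-factor login, slow patching (assumed)
    loss=Estimate(50_000, 200_000, 1_000_000),
)
# Same scenario after hardening: only resistance strength changes, so the
# difference in output is attributable to the control.
HARDENED = Scenario(
    tef=BASELINE.tef,
    tcap=BASELINE.tcap,
    rs=Estimate(60, 80, 95),
    loss=BASELINE.loss,
)

if __name__ == "__main__":
    for name, scn in (("baseline", BASELINE), ("hardened", HARDENED)):
        r = simulate(scn)
        print(f"{name:9s} vuln={r['vulnerability']:.2f} "
              f"mean={r['mean']:,.0f} p50={r['median']:,.0f} p90={r['p90']:,.0f}")
    print(f"control value (mean ALE avoided): {control_value(BASELINE, HARDENED):,.0f}")
```

Two things worth noticing when running it: the output is a distribution (median and 90th percentile diverge sharply because loss magnitude is skewed), which is exactly the information a single heat-map cell discards; and because the only input that changed between the two scenarios is resistance strength, the difference in mean annualised loss is a defensible, if assumption-laden, price for the control improvement the reviewer talks about.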

### ⭐⭐⭐⭐⭐ A tremendous introduction to serious information security risk analysis
*by S***N on May 31, 2016*

Measuring and Managing Information Risk: A FAIR approach is not like “traditional” information risk texts. Freund and Jones have taken the method far beyond what we are used to. They have the audacity to question the all too familiar “likelihood” and “impact scores” as well as their product, the “risk value” and its canvas, the "risk matrix". The premier contribution they give is the amount of thought that went into their method and ridding it of illogical aspects. This has made the method somewhat contrived in my opinion, but you can’t escape the fact that it fits together. Also, the authors put a big emphasis on using a careful and consistent terminology, something that is truly bothersome in information security risk today. The FAIR method for analyzing risk does have rigor and may prove to give reliable results. Question is: will anyone but a select few bother to use it? Regardless, the book is a tremendous introduction to serious information security risk analysis; you will scoff at risk values and matrices after reading it.

### ⭐⭐⭐⭐⭐ Put this in your information security library
*by D***D on August 18, 2016*

This is a great way for an information security professional to turn away from the "soft" methods of heat maps and ordinal scales. Information security needs real probabilistic methods to solve real risk assessment problems. Jack Jones and Jack Freund have found a great way to introduce these concepts by building a practical probabilistic method that cybersecurity experts can use - and already have used. I highly recommend it as required reading for information security professionals at all levels.

Douglas W. Hubbard, co-author of *How to Measure Anything in Cybersecurity Risk*

## Frequently Bought Together

- Measuring and Managing Information Risk: A FAIR Approach
- How to Measure Anything in Cybersecurity Risk
- The Metrics Manifesto: Confronting Security with Data

---

## Why Shop on Desertcart?

- 🛒 **Trusted by 1.3+ Million Shoppers** — Serving international shoppers since 2016
- 🌍 **Shop Globally** — Access 737+ million products across 21 categories
- 💰 **No Hidden Fees** — All customs, duties, and taxes included in the price
- 🔄 **15-Day Free Returns** — Hassle-free returns (30 days for PRO members)
- 🔒 **Secure Payments** — Trusted payment options with buyer protection
- ⭐ **TrustPilot Rated 4.5/5** — Based on 8,000+ happy customer reviews

**Shop now:** [https://www.desertcart.com.ar/products/6671353-measuring-and-managing-information-risk-a-fair-approach](https://www.desertcart.com.ar/products/6671353-measuring-and-managing-information-risk-a-fair-approach)

---

*Product available on Desertcart Argentina*
*Store origin: AR*
*Last updated: 2026-04-25*