Skip to main content
Elsevier
View Cart

Measuring and Managing Information Risk

A FAIR Approach

  • 2nd Edition - December 2, 2025
  • Latest edition
  • Authors: Jack Freund, Jack Jones
  • Language: English

Measuring and Managing Information Risk: A FAIR Approach, Second Edition provides a proven and credible framework for understanding, measuring, and analyzing information risk of a… Read more

World Book Day celebration

Where learning shapes lives

Up to 25% off trusted resources that support research, study, and discovery.

Explore resources

Description

Measuring and Managing Information Risk: A FAIR Approach, Second Edition provides a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity using the Factor Analysis of Information Risk (FAIR) methodology developed over ten years and adopted by corporations worldwide. This new edition covers such key areas as risk theory, risk calculation, scenario modeling, and communicating risk within the organization, and also includes new chapters and essays from industry professionals. It provides a step-by-step guide to help managers make better business decisions by understanding their organizational risk.

The field has advanced significantly in the past 10 years and this all-new edition reiterates the importance of the foundations of risk measurement but adds information about modern methods to integrate quantitative risk assessment methods into your security programs. This includes the integration of security telemetry data, outside data sources, approaches to automating FAIR assessments, and how to align methods and programs to security standards and regulations. Further discussed is how such approaches are being used by third-party agencies to provide CRQ data to the investors, underwriters, and regulators. This book is a valuable resource for all those who need the foundations, methods, and techniques for measuring, assessing, and communicating cyber risk to enable an organization to build an organizational IT risk management program. It serves as both a practical how-to guide for those new to the industry as well as tenured professionals that need a formalized guide for implementation.

Key features

  • Uses factor analysis of information risk (FAIR) as a methodology for measuring and managing risk in any organization, with insights on how to apply the FAIR methodology based on over 15 years of applied experience
  • Balances theory with practical applicability and relevant stories of successful implementation
  • Includes examples from a wide variety of businesses and situations presented in an accessible writing style
  • New to this edition: new chapters on Standards and Regulatory Alignment, Building Quantitative Risk Programs, and Assessment Automation, as well as significant revisions to cover the new FAIR-CAM standard and short essays from others in the industry

Readership

Security and risk executives, directors, managers, and analysts; IT risk managers; information security professionals, students of OpenGroup’s FAIR Certified Risk Analyst Certification Exam, graduate business or IT students taking courses in risk management and IT security Those new to the field of cybersecurity, including people in mathematical or quantitative professions (mathematics, economics, accounting, and business management), as well as those in adjacent professions such as life sciences

Table of contents

1. Introduction

2. Risk Concepts

3. FAIR Risk Ontology

4. FAIR Terminology

5. Measurement

6. Analysis Process

7. Interpreting Results

8. Risk Analysis Examples

9. Common Problems

10. Controls

11. Standards and Regulatory Alignment

12. Organizational Risk Decision Making

13. Metrics

14. Implementing Risk Management

15. Building Quantitative Risk Programs

16. Assessment Automation

17. Risk Measurement Red Flags

18. Invited Contribution

Review quotes

“…a comprehensive guide to help readers make effective risk and business decisions by formally and quantitatively understanding their organizational risk… Information risk management is a highly complex topic that spans numerous fields. At its core, it is about identifying, evaluating, and prioritizing data risks… takes the risk professional out of the realm of risk management via the checklist, which only produces meaningless measurements, into the world of quantitative, defendable results… For those looking for a method to calculate qualitative risk to support a formal enterprise risk management program, they won’t find a better guide than this book. The book is an excellent reference that will force you to reconsider how you view risk management… does a remarkable job of showing how a person can become a much better decision-maker… is a powerful tool that can revolutionize risk management.”

Review by Ben Rothke, Senior Information Security Manager (Tapad), RSAC™ Conference, February 2026.

Product details

  • Edition: 2
  • Latest edition
  • Published: December 2, 2025
  • Language: English

About the authors

JF

Jack Freund

Dr. Jack Freund is a leading voice in cyber risk measurement and management. As VP, Head of Cyber Risk Methodology for BitSight, Jack has overall responsibility for the systemic development and application of frameworks, algorithms, and quantitative and qualitative methods to measure cyber risk. Previously, Jack was Director of Risk Science at quantitative risk management startup RiskLens and Director of Cyber Risk for TIAA. Jack holds a Ph.D. in Information Systems from Nova Southeastern University, a Masters in Telecommunication and Project Management, and a BS in CIS. Jack has been named a Senior Member of the IEEE and ACM, a Fellow of the IAPP and FAIR Institute, and a Distinguished Fellow of the ISSA. He is the 2020 recipient of the (ISC)2 Global Achievement Award, 2018 recipient of ISACA’s John W. Lainhart IV Common Body of Knowledge Award, and the FAIR Institute’s 2018 FAIR Champion Award.
Affiliations and expertise
VP, Head of Cyber Risk Methodology for BitSight, US

JJ

Jack Jones

Jack Jones has worked in information security for over 35 years, serving as a CISO with three different companies, including a Fortune 100 company. His work was recognized in 2006 with the ISSA Excellence in the Field of Security Practices award, and in 2012 he received the CSO Compass award. As an Adjunct Professor at Carnegie Mellon University, he teaches in the CRO and CISO executive programs. Jones also created the Factor Analysis of Information Risk (FAIR) model, as well as the FAIR Controls Analytics Model (FAIR-CAM), since adopted as international standards. Jones is the Chief Risk Scientist at RiskLens and Chairman of the FAIR Institute, an award-winning global non-profit organization.
Affiliations and expertise
Co-founder and president of CXOWARE, Inc., US

View book on ScienceDirect

Read Measuring and Managing Information Risk on ScienceDirect