Managing Information Security Risks

The Octave Approach

Audrey Dorofee, Christopher Alberts

Publisher: Addison-Wesley, 2003, 471 pages

ISBN: 0-321-11886-3

Keywords: Information Security

Last modified: Nov. 14, 2008, 12:29 p.m.

Information security requires far more than the latest tool or technology. Organizations must understand exactly what they are trying to protect — and why — before selecting specific solutions. Security issues are complex and often are rooted in organizational and business concerns. A careful evaluation of security needs and risks in this broader context must precede any security implementation to insure that all the relevant, underlying problems are first uncovered.

The OCTAVE approach for self-directed security evaluations was developed at the influential CERT® Coordination Center. This approach is designed to help you:

  • Identify and rank key information assets
  • Weigh threats to those assets
  • Analyze vulnerabilities involving both technology and practices

OCTAVE(SM) enables any organization to develop security priorities based on the organization's particular business concerns. The approach provides a coherent framework for aligning security actions with overall objectives.

Managing Information Security Risks, written by the developers of OCTAVE, is the complete and authoritative guide to its principles and implementations. The book:

  • Provides a systematic way to evaluate and manage information security risks
  • Illustrates the implementation of self-directed evaluations
  • Shows how to tailor evaluation methods to different types of organizations

Special features of the book include:

  • A running example to illustrate important concepts and techniques
  • A convenient set of evaluation worksheets
  • A catalog of best practices to which organizations can compare their own
    1. Managing Information Security Risks.
    2. Principles and Attributes of Information Security Evaluations.
    1. Introduction to the OCTAVE Method.
    2. Preparing for OCTAVE.
    3. Identify Organizational Knowledge (Processes 1-3).
    4. Create Threat Profiles (Process 4).
    5. Identify Key Components (Process 5).
    6. Evaluate Selected Components (Process 6).
    7. Conduct Risk Analysis (Process 7).
    8. Develop Protection Strategy (Process 8?Workshop A).
    9. Select Protection Strategy (Process 8?Workshop B).
    1. An Introduction to Tailoring OCTAVE.
    2. Practical Applications.
    3. Information Security Risk Management.
    4. Glossary.
    5. Bibliography.
    1. Case Scenario for the OCTAVE Method.
    2. Worksheets.
    3. Catalog of Practices.


Managing Information Security Risks

Reviewed by Roland Buresund

Very Good ******** (8 out of 10)

Last modified: May 21, 2007, 3:12 a.m.

This is a book that has taken a lot of unnecessary flack from people that don't really understand that there is a audience for books that address the professional audience and therefore doesn't really need a lot of handholding.

This is an excellent book about a method for analysis of security requirements. You may or may not agree on all details, but it is definetely worth reading if you're in the business. Be forewarned, this is no beginners book! Oh, and the term OCTAVE stands for: Operationally Critical Threat, Asset, and Vulnerability Evaluation, just so you know…


There are currently no comments

New Comment


required (not published)