Appendix A – Non-peer-reviewed literature
NOTICE: The following are promising big thinkers who sell a product. I am not advocating the use of their methods. No peer-reviewed academic research is available proving that the following methods work. I am listing them here because they are promising but are as yet unverified/unvetted. Let's not fall for potential snake oil.
Factor analysis of information risk (FAIR). FAIR is the only foundation and framework I've discovered that is compatible with my research findings. Each of the recommendations is not only doable; there are also books, trainings, communities, seminars, and certifications that teach real-world application.
Foundational risk management program. Although not a peer-reviewed publication, Segal offers a well-documented guide for establishing a quantitative value-based enterprise risk management program. Segal also offers consulting services. http://www.simergy.com/presidentsbio.html.
Segal recently revealed his directorship of a new Columbia University Master of Science program in Enterprise Risk Management! I am personally thrilled that Segal’s highly critical methodology, undoubtedly born of his years of experience as an actuary, now has a place in academia. Even so, it is important to remember these methods too have not yet been verified in an academic setting, though many components of the method have been.
Risk probability modeling. Also not 100% peer-reviewed, the textbook published by Vose offers a well-documented guide to creating, evaluating, and updating probability models including the many variations of Monte Carlo simulation. http://www.vosesoftware.com/david.php
Selling probability modeling and measuring intangibles. Also not 100% peer-reviewed, the easy-to-read publication by Douglas Hubbard provides example uses of quantitative value-based risk management and a guide for quantifying and measuring intangibles. Hubbard calls his solution Applied Information Economics, which helps users measure the value of obtaining additional information, such as when the generated probabilities are not sufficiently precise for the decision at hand.
Hubbard's upcoming book, co-authored with General Electric Healthcare's Richard Seiersen, How to Measure Anything in Cybersecurity, may be more directly applicable.
Even so, it is important to remember that these methods too have not yet been verified in an academic setting, though many components of the method have been.
Hubbard also offers consulting and calibration, AIE, and quantification/probability modeling training. Hubbard does an excellent job communicating all of these concepts to both analysts and executive decision makers. http://www.hubbardresearch.com/training/
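To make the quantitative approach shared by the FAIR, Vose and Hubbard entries above concrete, here is an added example (not code from any of those authors, books or tools) of a small Monte Carlo loss model. It decomposes annual loss FAIR-style (threat event frequency, vulnerability, loss magnitude per event), takes the frequency and magnitude inputs as calibrated 90% confidence intervals in Hubbard's manner, and reports percentiles and a loss-exceedance curve. The scenario name, all interval values, and the choice of lognormal, Poisson and triangular distributions are assumptions made for this example.

```python
import math
import random
import statistics

# Constructed illustrative scenario; every number below is made up for the example.
SCENARIO = {
    "name": "Credential stuffing against a customer portal (constructed)",
    "tef_ci90": (2.0, 20.0),            # threat events per year, 90% CI (5th, 95th pct)
    "vuln_minmodemax": (0.05, 0.12, 0.30),  # P(threat event becomes a loss event)
    "loss_ci90": (20_000.0, 400_000.0),  # loss per event in dollars, 90% CI
}


def lognormal_params(ci90):
    """Turn a 90% CI on a positive quantity into lognormal (mu, sigma).
    1.645 is the z-score of the 95th percentile of a standard normal."""
    lo, hi = ci90
    mu = (math.log(lo) + math.log(hi)) / 2.0
    sigma = (math.log(hi) - math.log(lo)) / (2 * 1.645)
    return mu, sigma


def poisson(rng, lam):
    """Knuth's Poisson sampler; fine for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, trials=10_000, seed=42):
    """Return one simulated annual loss (dollars) per trial."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    tef_mu, tef_sigma = lognormal_params(scenario["tef_ci90"])
    loss_mu, loss_sigma = lognormal_params(scenario["loss_ci90"])
    v_lo, v_mode, v_hi = scenario["vuln_minmodemax"]
    losses = []
    for _ in range(trials):
        # Draw this trial's uncertain parameters first, then the year's events.
        tef = rng.lognormvariate(tef_mu, tef_sigma)
        vuln = rng.triangular(v_lo, v_hi, v_mode)
        threat_events = poisson(rng, tef)
        loss_events = sum(1 for _ in range(threat_events) if rng.random() < vuln)
        annual = sum(rng.lognormvariate(loss_mu, loss_sigma) for _ in range(loss_events))
        losses.append(annual)
    return losses


def summarize(losses, threshold):
    """Mean, median, 90th percentile and P(annual loss > threshold)."""
    s = sorted(losses)
    n = len(s)

    def pct(p):
        return s[min(n - 1, int(p * n))]

    return {
        "mean": statistics.fmean(s),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p_exceed": sum(1 for x in s if x > threshold) / n,
    }


def exceedance_curve(losses, points):
    """Loss-exceedance curve: for each dollar value x, P(annual loss > x)."""
    n = len(losses)
    return [(x, sum(1 for v in losses if v > x) / n) for x in points]


if __name__ == "__main__":
    losses = simulate_annual_loss(SCENARIO)
    print(SCENARIO["name"])
    for key, value in summarize(losses, threshold=1_000_000).items():
        print(f"  {key:>9}: {value:,.3f}")
    for x, p in exceedance_curve(losses, [0, 250_000, 500_000, 1_000_000, 2_000_000]):
        print(f"  P(annual loss > ${x:>10,.0f}) = {p:.3f}")
```

The exceedance curve is the artefact decision makers can act on: it answers "how likely is a year worse than X" directly, and rerunning the model with a narrower interval on one input shows how much that input's uncertainty drives the answer, which is the question Hubbard's value-of-information calculation is built around.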