rydalch / risk

Risk management resources


Risk Management Resources

Free tools and resources for effectively managing, assessing, and communicating information security risk.

NIST NIST Risk Management Framework https://csrc.nist.gov/Projects/Risk-Management

Integrating Cybersecurity and Enterprise Risk Management (ERM) - NISTIR 8286 https://csrc.nist.gov/publications/detail/nistir/8286/final

Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight - NISTIR 8286C https://csrc.nist.gov/publications/detail/nistir/8286c/draft

SIRA Information Risk Management Body of Knowledge https://github.com/societyinforisk/irmbok

Simple Risk (for engineers) https://magoo.github.io/simple-risk/reading.html

Reading List https://www.societyinforisk.org/reading-list

Calibration Training http://sethrylan.org/bayesian/calibrate.html

Risk Focused Organizations

FAIR Institute https://www.fairinstitute.org/

FAIR - ISO/IEC 27005 Cookbook https://publications.opengroup.org/c103

SIRA Reading List https://www.societyinforisk.org/reading-list

https://hubbardresearch.com/

https://www.cyentia.com/

ISACA IT Risk Framework https://www.isaca.org/resources/it-risk

NCSC https://www.ncsc.gov.uk/collection/risk-management-collection/essential-topics/variety-risk-information

SRA Risk Analysis Quality Test https://www.sra.org/resources/risk-analysis-quality-test/

Tools

Binary Risk Assessment: BRA is a short series of simple questions that help you discuss a risk in a structured manner. https://binary.protect.io/

Tidyrisk: Tidyrisk is a collection of R packages for performing quantitative risk management using the OpenFAIR framework https://tidyrisk.org/

unsuR: Risk assessment with R https://github.com/cneskey/unsuR

riskquant: A library to assist in quantifying risk. https://github.com/Netflix-Skunkworks/riskquant https://netflixtechblog.com/open-sourcing-riskquant-a-library-for-quantifying-risk-6720cc1e4968

CISA CSET: Ransomware readiness assessment https://github.com/cisagov/cset/releases/tag/v10.3.0.0

VSAQ: Interactive questionnaire application to assess the security programs of third parties. https://github.com/google/vsaq

VCDB Explorer https://jpsturgis.shinyapps.io/vcdb_explorer/

Future https://saga.ws/

Open Source GRC: https://www.simplerisk.com

Not Maintained???

FAIRTool: Factor Analysis of Information Risk (FAIR) tool developed in R https://github.com/zugo01/FAIRTool

Vendor or Third-party Risk Management Resources

IU Health Vendor Relations - Information Security Requirements https://iuhealth.org/about-our-system/vendor-relations

VSAQ: Interactive questionnaire application to assess the security programs of third parties. https://github.com/google/vsaq

Supply Chain Specific

Health Industry Cybersecurity Supply Chain Risk Management Guide (HIC-SCRiM) https://healthsectorcouncil.org/hic-scrim/

Threat Analysis

What threat actors should we consider? What are their common attack techniques?

Intel Threat Agent Library (2007) https://www.google.com/search?q=Intel+Threat+Agent+Library Spreadsheet version https://docs.google.com/spreadsheets/d/1qKne0RNOnwW3IJWgO70yiJOz1VebqT3M9I8Ci4ROEFQ/edit#gid=0

MITRE ATT&CK https://attack.mitre.org/

Threat Assessment Tools

Microsoft Threat Modeling Tool https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool

ThreatModeler https://threatmodeler.com/threatmodeler-launches-free-lite-community-edition/

Insider Threat

CMU Common Sense Guide to Prevention and Detection of Insider Threats https://resources.sei.cmu.edu/asset_files/WhitePaper/2009_019_001_50285.pdf

Data Analysis

Data Visualization

Data visualization book https://github.com/clauswilke/dataviz

Glasseye: present the results of statistical analysis written in Markdown with D3 charts https://github.com/coppeliaMLA/glasseye

ggcal: generate a familiar calendar plot from a vector of dates and fill values. https://github.com/jayjacobs/ggcal

Data Processing

Pandashells: Bringing the python data stack to the shell prompt https://github.com/robdmc/pandashells

Internet Data Download: Download and normalize data about the internet from various sources https://github.com/hdm/inetdata

Learning Python Data Analysis

Learning R

A brief introduction to R including sample code and walkthroughs. https://github.com/BillPetti/R-Crash-Course

rmarkdown: Dynamic Documents for R https://github.com/rstudio/rmarkdown

Other Risk Management Resources

Control Frameworks

NIST Cybersecurity Framework https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

CIS Controls https://www.cisecurity.org/cybersecurity-tools/

COBIT https://www.isaca.org/resources/cobit

ISO 27001 and family https://www.iso.org/isoiec-27001-information-security.html

Metrics

Security Metrics book http://www.securitymetrics.org/

Research

A system to calculate Cyber Value-at-Risk https://www.sciencedirect.com/science/article/pii/S0167404821003692

Maturity Models

CMMI https://cmmiinstitute.com/products/cybermaturity

Exploit Prediction - Vulnerability Remediation

Exploit Prediction Scoring System (EPSS) https://www.ftc.gov/system/files/documents/public_events/1415032/privacycon2019_sasha_romanosky.pdf https://www.first.org/epss/

KNOWN EXPLOITED VULNERABILITIES CATALOG https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Kenna Security Research https://resources.kennasecurity.com/research-reports-2

Guidance for Boards

Making risk management a value-added function in the boardroom https://www.mckinsey.com/business-functions/risk/our-insights/making-risk-management-a-value-added-function-in-the-boardroom

Cybersecurity: Boardroom Implications https://www.nacdonline.org/insights/publications.cfm?ItemNumber=8486

Managing Cyber Risk in a Digital Age - COSO https://www.coso.org/Documents/COSO-Deloitte-Managing-Cyber-Risk-in-a-Digital-Age.pdf

Enterprise Risk Management https://www.coso.org/Pages/erm.aspx

TBD

Goal-Question-Indicator-Metric (GQIM) how to measure the things that matter to your business. https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=451184

ISACA Glossary https://www.isaca.org/resources/glossary#glossi

Bayesian Probability https://www.youtube.com/watch?v=GShNozmkYlQ https://www.amazon.com/Theory-That-Would-Not-Die/dp/0300188226/ref=sr_1_2?dchild=1&qid=1598383597&refinements=p_27%3ASharon+Bertsch+Mcgrayne&s=books&sr=1-2&text=Sharon+Bertsch+Mcgrayne

Using the FAIR Model to Measure Inherent Risk https://www.fairinstitute.org/blog/using-the-fair-model-to-measure-inherent-risk

Breach Notification Laws https://www.bakerlaw.com/BreachNotificationLawMap

Vulnerabilities

CVE https://cve.mitre.org
