Risk Management Resources
Free tools and resources for effectively managing, assessing, and communicating information security risk.
NIST Risk Management Framework https://csrc.nist.gov/Projects/Risk-Management
Integrating Cybersecurity and Enterprise Risk Management (ERM) - NISTIR 8286 https://csrc.nist.gov/publications/detail/nistir/8286/final
Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight - NISTIR 8286C https://csrc.nist.gov/publications/detail/nistir/8286c/draft
SIRA Information Risk Management Body of Knowledge https://github.com/societyinforisk/irmbok
Simple Risk (for engineers) https://magoo.github.io/simple-risk/reading.html
Reading List https://www.societyinforisk.org/reading-list
Calibration Training http://sethrylan.org/bayesian/calibrate.html
Risk Focused Organizations
FAIR Institute https://www.fairinstitute.org/
FAIR - ISO/IEC 27005 Cookbook https://publications.opengroup.org/c103
SIRA (Society of Information Risk Analysts) reading list https://www.societyinforisk.org/reading-list
ISACA IT Risk Framework https://www.isaca.org/resources/it-risk
SRA Risk Analysis Quality Test https://www.sra.org/resources/risk-analysis-quality-test/
Tools
Binary Risk Assessment: BRA is a short series of simple questions that help you discuss a risk in a structured manner. https://binary.protect.io/
Tidyrisk: Tidyrisk is a collection of R packages for performing quantitative risk management using the OpenFAIR framework https://tidyrisk.org/
  - evaluator: open source quantitative risk analysis toolkit https://github.com/davidski/evaluator
  - collector: R package for conducting interviews with subject matter experts (SMEs) on the risk scenarios facing an organization https://github.com/davidski/collector
unsuR: Risk assessment with R https://github.com/cneskey/unsuR
riskquant: A library to assist in quantifying risk. https://github.com/Netflix-Skunkworks/riskquant https://netflixtechblog.com/open-sourcing-riskquant-a-library-for-quantifying-risk-6720cc1e4968
CISA CSET: Ransomware readiness assessment https://github.com/cisagov/cset/releases/tag/v10.3.0.0
VSAQ: Interactive questionnaire application to assess the security programs of third parties. https://github.com/google/vsaq
VCDB Explorer https://jpsturgis.shinyapps.io/vcdb_explorer/
Future
https://saga.ws/
Open Source GRC: https://www.simplerisk.com
Not Maintained???
FAIRTool: Factor Analysis of Information Risk (FAIR) tool developed in R https://github.com/zugo01/FAIRTool
Vendor or Third-party Risk Management Resources
IU Health Vendor Relations Information Security Requirements https://iuhealth.org/about-our-system/vendor-relations
VSAQ: Interactive questionnaire application to assess the security programs of third parties. https://github.com/google/vsaq
Supply Chain Specific
Health Industry Cybersecurity Supply Chain Risk Management Guide (HIC-SCRiM) https://healthsectorcouncil.org/hic-scrim/
Threat Analysis
What threat actors should we consider? What are their common attack techniques?
Intel Threat Agent Library (2007) https://www.google.com/search?q=Intel+Threat+Agent+Library
Spreadsheet version https://docs.google.com/spreadsheets/d/1qKne0RNOnwW3IJWgO70yiJOz1VebqT3M9I8Ci4ROEFQ/edit#gid=0
MITRE ATT&CK https://attack.mitre.org/
Threat Assessment Tools
Microsoft Threat Modeling Tool https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool
ThreatModeler https://threatmodeler.com/threatmodeler-launches-free-lite-community-edition/
Insider Threat
CMU Common Sense Guide to Prevention and Detection of Insider Threats https://resources.sei.cmu.edu/asset_files/WhitePaper/2009_019_001_50285.pdf
Data Analysis
Data Visualization
Data visualization book (Fundamentals of Data Visualization source) https://github.com/clauswilke/dataviz
Glasseye: present the results of statistical analysis written in Markdown with D3 charts https://github.com/coppeliaMLA/glasseye
ggcal: generate a familiar calendar plot from a vector of dates and fill values. https://github.com/jayjacobs/ggcal
Data Processing
Pandashells: Bringing the python data stack to the shell prompt https://github.com/robdmc/pandashells
Internet Data Download: Download and normalize data about the internet from various sources https://github.com/hdm/inetdata
Learning Python Data Analysis
Learning R
A brief introduction to R including sample code and walkthroughs. https://github.com/BillPetti/R-Crash-Course
rmarkdown: Dynamic Documents for R https://github.com/rstudio/rmarkdown
Other Risk Management Resources
Control Frameworks
NIST Cybersecurity Framework https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
CIS Controls https://www.cisecurity.org/cybersecurity-tools/
COBIT https://www.isaca.org/resources/cobit
ISO 27001 and family https://www.iso.org/isoiec-27001-information-security.html
Metrics
Security Metrics book http://www.securitymetrics.org/
Research
A system to calculate Cyber Value-at-Risk https://www.sciencedirect.com/science/article/pii/S0167404821003692
Maturity Models
CMMI https://cmmiinstitute.com/products/cybermaturity
Exploit Prediction - Vulnerability Remediation
Exploit Prediction Scoring System (EPSS) https://www.ftc.gov/system/files/documents/public_events/1415032/privacycon2019_sasha_romanosky.pdf https://www.first.org/epss/
CISA Known Exploited Vulnerabilities Catalog https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Kenna Security Research https://resources.kennasecurity.com/research-reports-2
Guidance for Boards
Making risk management a value-added function in the boardroom https://www.mckinsey.com/business-functions/risk/our-insights/making-risk-management-a-value-added-function-in-the-boardroom
Cybersecurity: Boardroom Implications https://www.nacdonline.org/insights/publications.cfm?ItemNumber=8486
Managing Cyber Risk in a Digital Age - COSO https://www.coso.org/Documents/COSO-Deloitte-Managing-Cyber-Risk-in-a-Digital-Age.pdf
Enterprise Risk Management https://www.coso.org/Pages/erm.aspx
TBD
Goal-Question-Indicator-Metric (GQIM) how to measure the things that matter to your business. https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=451184
ISACA Glossary https://www.isaca.org/resources/glossary#glossi
Bayesian Probability (video) https://www.youtube.com/watch?v=GShNozmkYlQ
The Theory That Would Not Die (book) https://www.amazon.com/Theory-That-Would-Not-Die/dp/0300188226/ref=sr_1_2?dchild=1&qid=1598383597&refinements=p_27%3ASharon+Bertsch+Mcgrayne&s=books&sr=1-2&text=Sharon+Bertsch+Mcgrayne
Using the FAIR Model to Measure Inherent Risk https://www.fairinstitute.org/blog/using-the-fair-model-to-measure-inherent-risk
Breach Notification Laws https://www.bakerlaw.com/BreachNotificationLawMap