Monday, June 28, 2010

Book Review - The Failure of Risk Management

Today I finished reading The Failure of Risk Management by Douglas Hubbard (ISBN: 978-0-470-38795-5). The book comes in at 259 pages plus an appendix. Overall I found it to be an excellent read.

I should start by saying that I have been a disciple of Hubbard since reading his other book, How to Measure Anything (ISBN: 978-0470110126). In that book Hubbard talks about the variety of things that we just can't measure and then talks about how to measure them. There are a couple of themes that need to be taken away from that book, the most important of which is that a measurement is ANYTHING that reduces your uncertainty about something. When you measure length with a ruler you learn that the length of an item is really close to 4 and 3/16 inches, but you could always be more precise. Usually you don't need to be. The problem that most of us face when measuring "immeasurables" is that we can't wrap our heads around the idea that we don't need the same level of precision as we get from a ruler or thermometer.

The Failure of Risk Management takes many of the concepts from How to Measure Anything and applies them to Risk Management. One nice aspect of the book is that it doesn't focus on financial risk, information security risk, or product failure risk. It's just risk, across the board. There is a lot of repeated information in the two books, but I think that How to Measure Anything is more of a practical guide while The Failure of Risk Management is more of an explanation of why we should do the stuff he talks about in How to Measure Anything.

The two books are very good companions to each other, and I would recommend that security managers read them both if they really want to see our profession become more than soothsaying and water witching. I think if you're dealing with someone who does not yet believe that Risk Management needs to be quantitative and backed up by experiments and scientific skepticism, then they should start with The Failure of Risk Management. On the other hand, if you think we should become more quantitative but think it's too hard, then you should start with How to Measure Anything. That will make the challenge seem less difficult. Follow up with The Failure of Risk Management to learn why the ways we're currently doing things (heat maps, low/med/high charts) are flawed.

Just like the other book, The Failure of Risk Management throws just enough math at you to be interesting without making you feel like you're sinking. I'll be honest: if you try to read this in two or three long sittings you'll probably become fatigued by some of the math. Take it slowly, especially near the end of the book, unless you're already pretty strong with statistics. Having said that, anyone who can follow college algebra should be able to keep up with the most difficult parts of the book. Don't be afraid; jump in.

I enjoyed the book; I give it five stars.
