Evan Wheeler - Risk Management
Evan Wheeler's book “Risk Management” is organised in three parts. The first one introduces the reader to risk management as a discipline. It is followed by the second part, which provides the reader with various approaches to assess and analyse risk. The final part instructs the reader on how to build a risk management program from scratch. For the latter, checklists, forms and additional material can be taken from the appendix - ready to use. I really enjoyed reading all sections of this book. Extremely helpful for me was his introductory example about the tire hanging on a damaged rope and swinging 10 meters high over a field of sharp rocks. Analyzing this analogy, you can learn a lot about risk, threat, threat actor and so on.
In addition, the author provides you with an action plan at the end of each chapter. The proposed tasks are helpful and do not take too much of your everyday time - even if you are not planning on setting up a risk management program from scratch. Of course, traditional ways to quantify risk like OCTAVE or FAIR are discussed. Fortunately, the author does not explain them in every detail. As a reader, you get just enough information to understand the principles of both approaches and to judge which, if either, would help you most in your situation. The differences between a quantitative and a qualitative risk model, and how to build one, are discussed as well. You, the reader, get some advice on which approach may help you in which situation - but a strong recommendation is never made.
I like this book especially because Evan Wheeler highlights the importance of formulating risk in the correct way. Unfortunately, I have rarely encountered such an approach at work. The 350 pages are written in a very fluent way and loosened up with enough examples to make a good and fast read. I highly recommend this book, especially if you are new to security or a few years in business. It starts easy and gets complex over time - but it is not a book for a risk manager with decades of experience :)
Go and grab it, Cheers!