Engineering-risk Books


Engineering-risk Books sorted by Average customer review: high to low.

Engineering-risk
Reducing Risk with Software Process Improvement
Published in Hardcover by Auerbach Publications (2005-05-26)
Author: Louis Poulin
List price: $88.95
New price: $74.66
Used price: $40.00

Average review score:

A street-smart approach to improving productivity
Helpful Votes: 0 out of 0 total.
Review Date: 2005-11-28
This book was given to me by a friend who knew I was managing a group involved in improving productivity, and it made me rediscover what improvement meant.

I passed it around to my colleagues to read, so that we could discuss the rationale for implementing specific improvement approaches. Among other things, it made us realize that improving productivity is really all about reducing the number of problems one has to deal with, because fewer problems imply less time wasted in managing crises and more time invested in exploiting valuable opportunities. As trivial as it may sound, this really helped us acquire a new vision of what should be done, and how to go about it.

I now feel better equipped to identify practices that need to be mastered vs. those that are just nice to have. Instead of guessing at approaches that can potentially lead to improvements, my targets are now better defined and my plans more focused.

It's worth the buy!
Helpful Votes: 1 out of 1 total.
Review Date: 2006-05-16
I have to say that I'm impressed. It is a very well structured book, similar to the CMMI model structure. It has real life problems and solutions, which you can use to imitate or avoid. Tips and practices that you should and should not do are widely depicted throughout the whole book.

If you are on the try to improve the way software is built in your company, this book is a good start that will advise you on what should be done.

It's worth the buy, believe me.

Very practical and entertaining
Helpful Votes: 1 out of 1 total.
Review Date: 2005-07-08
This book provides very practical information on what counts most in software process improvement. (This is quite useful if you want to get the biggest bang for your process improvement buck.) There's a lot of wisdom packed into this easy-to-read and entertaining book.

Great information
Helpful Votes: 1 out of 1 total.
Review Date: 2005-07-05
Anecdotes on benefits/consequences of implementing/not improving processes really helped understand why best practices are important, and useful guidance on how to implement them. Easy read that gets to the point. Good explanation of Murphy's Law with details on how to estimate financial losses resulting from risk exposure that can be used in all kinds of situations.

Engineering-risk
Reliability and Risk: A Bayesian Perspective (Wiley Series in Probability and Statistics)
Published in Hardcover by Wiley (2006-10-06)
Author: Nozer D. Singpurwalla
List price: $130.00
New price: $98.76
Used price: $101.23

Average review score:

Excellent Textbook from a student's point of view
Helpful Votes: 1 out of 2 total.
Review Date: 2006-10-18
This is the prescribed textbook for my Reliability & Risk Analysis class. I found this book to be very student-friendly and each topic is well motivated.

For beginners (like me), this book is a Gold Mine !!!

The product of clear thinking and experience
Helpful Votes: 3 out of 3 total.
Review Date: 2007-01-11
You know that this is a book with a difference from the start, when the second and third chapters devote themselves entirely to justifying why probability, utility, exchangeability and indifference are the fundamental ideas behind risk and reliability.

Never heard of utility or exchangeability? If you do any Bayesian statistics at all, then shame on you and read Chapters 2 and 3 immediately! If you do not, then do not let this put you off reading further. This is a book on reliability with impressive intellectual weight. It not only tells you the what and how of reliability and risk analysis using Bayesian methods, but also the why. The why is a philosophical and a mathematical argument. For example, you think you know what the failure rate is? Prof. Singpurwalla begs to differ and spends 10 pages to convince you that there is a lot more to the failure rate once you start to think about it. You think you know why the exponential or the Weibull should be used? Well, the simplest assumption that you can make about any set of objects is that you are indifferent between them and such indifference can lead you to use the exponential or Weibull as models for reliability. This is the idea behind exchangeability and Prof. Singpurwalla argues why it is the simplest way to think about modelling and why it then justifies using Bayesian statistical methods.

The rest of the book is a plethora of probability models and inference methods for different problems in risk and reliability. Those models and problems are a summary of the author's work in reliability over 4 decades. There are chapters on stochastic models of failure (including the discussion on failure rates), on how to do Bayesian statistical inference for the common lifetime models such as exponential and Weibull, as well as common topics like accelerated tests and dose-response experiments and a chapter on signature analysis that describes the analysis of the power spectrum for reliability. Then there are chapters that look at survival in dynamic environments, point processes for events and non-parametric Bayes methods; technically more advanced topics that require a good knowledge of probability theory but, as always, clearly developed and explained. The last two chapters look at relatively new and 'hot' topics, those of the reliability of co-operative, competing and vague systems, and the use of reliability in econometrics and finance.

If you're looking for a book of reliability analysis recipes that you can follow without thinking, then this is not the book for you. If you want a book that carefully lays out a logical approach to risk and reliability modelling, inference and prediction, at a good yet clearly explained technical level and that illustrates the approach with applications to many different reliability problems, then this is the book that you've been waiting for.

A great book by Nozer Singpurwalla
Helpful Votes: 3 out of 3 total.
Review Date: 2006-10-15
The book by Nozer Singpurwalla provides a clear introduction to the definition of "Probability", and the foundations on which the Probabilistic Framework is built. In almost every facet of today's life, Probability is dominant as a used concept. Although seemingly trivial to define in some simple cases such as cards or flipping a coin, much controversy prevailed over centuries on the topic of what is exactly meant by "Probability". The author Singpurwalla provides an extremely clear and abundant discussion of the subject, that is relevant at the introductory level as well as at the top level of the scientific community. This introduction is done in the context of Reliability and Risk Analysis, which makes it even easier to comprehend than in a more abstract setup. The book is worth buying on the basis of the second chapter alone "The Quantification of Uncertainty".

For the reader that is more versed into the subject, the author takes it to the highest level by introducing "Exchangeability and Indifference", a much specialized topic.

The author Nozer D. Singpurwalla being an expert authority in the subject of "Reliability", the crux of the book comes in chapters four (4) to ten (10) that offer a comprehensive review of the material in the field. The value of these chapters is in the author's expert selection of all the areas of value in Reliability and Risk Analysis. While many standard books present a linear listing of most techniques, Singpurwalla presents a collection of approaches that are classified through their conceptual content and are meant to take a novice student to the expert level. While some of these concepts are explained in detail, others are too complex to be detailed and are properly referenced. Of particular interest to an expert would be the part on the use of stochastic processes for modelling reliability. Not that many have attempted such a road.

Finally the last chapter introduces some of the Risk notions to the finance world. Although such a world is terribly complex and not so easily prone to successful modelling, this chapter nevertheless will open the avenue to fresh minds on how the Probabilistic Framework can be applied in diverse areas.

Throughout the whole book, a decision theoretic approach is outlined either explicitly or implicitly, as prescribed by the Bayesian paradigm.

Definitely an excellent contribution by a top expert. I was not surprised at all that three top scientists, Lindley, AFM Smith and Kadane, offered their view on the book cover. A top book.

excellent book
Helpful Votes: 37 out of 37 total.
Review Date: 2008-04-20
Professor Singpurwalla is a well-known statistics professor with expertise in both the applied and theoretical aspects of reliability. Many years ago (around 1974) he coauthored with Nancy Mann a text on reliability that is now viewed as one of the classics. That book dealt primarily with parametric models and parameter estimation and hypothesis testing as tools in reliability analysis. It used the standard frequentist/likelihood approach. Dr. Singpurwalla now adheres to the Bayesian approach to statistical inference and this is reflected in his many research papers and recent books. This text is an excellent modern text in reliability taken from the Bayesian perspective. It is probably the best book out there right now that embraces the Bayesian approach. Other works are the recent books by Richard Barlow and the old text by Ray Waller. Waller's book was mainly applied and emphasized examples from the nuclear industry that he worked in at that time.

Dr. Singpurwalla is an excellent and very experienced writer and this book can be used both as a reference and a text in Bayesian reliability.

Engineering-risk
Risk Communication: A Handbook for Communicating Environmental, Safety, and Health Risks
Published in Paperback by Battelle Press (1998-06)
Authors: Regina E. Lundgren and Andrea H. McMakin
List price: $29.95
Used price: $1.71

Average review score:

The risk communication "bible"
Helpful Votes: 0 out of 0 total.
Review Date: 2008-11-12
I've worked in communications for more than 18 years and have dealt with environmental and other risk communications off and on for nearly 15 years. I wish someone had handed me this book when I managed public outreach/communications on my first Superfund site in 1994. This is a great, concise, easy-to-reference guide to risk communications...practical and wise without being unapproachably academic. A must for every communicator's library!

very detailed book on risk communication
Helpful Votes: 0 out of 0 total.
Review Date: 2007-01-18
This is a good book for learning about the details of risk communications. It is quite detailed and systematic.

No Risk in Buying THIS Book!
Helpful Votes: 3 out of 3 total.
Review Date: 2004-10-20
No Risk In Buying This Book!

I've been in the Environmental Risk Communication (RC) field for ten years, medicine for thirty. Often I've wished there was a text or overview of RC that was readable by professional and layperson alike. Little did I know: Regina Lundgren and Andrea McMakin have accomplished this, and the results are a resounding "Wow!" In the Third Edition of "Risk Communication, A Handbook for Communicating Environmental, Safety, and Health Risks" (Regina started with the first one; Andrea joined in for the latter two), they present an orderly, comprehensive, understandable, well-referenced, indexed, annotated and glossaried RC bible for anyone just launching into or well-ensconced in the field.

I've often said that RC can be used not only in the "classic" situations (nicely defined alliteratively in this book as "care, crisis and consensus"), but also in one-on-one domestic and professional settings. This book presents information and advice useful to and usable by just about any reader, as one would expect from a work by two communicators. There are numerous examples, case studies, tables, graphs, charts and margin key points (noted with a diamond) that go along with the very readable text (written at the appropriate level, of course). One moves from cover to cover with the ease of reading a novel, the steps to well-executed RC clearly and comprehensively (yet with remarkable simplicity) delineated. There is a start, a middle and an ending, and one feels as though the next natural step is to go out and try the recipe immediately. (I would not suggest, however, that this is a cookbook, only that it reads as easily and the results could be rewarding.)

I suspect many have and many more will hone their skills as this fine work becomes more familiar to those in the rapidly growing, essential and dynamic field of Risk Communication. There is "no risk in buying this book!" I highly recommend it and urge it on anyone who has dealt or will deal with environmental, safety and health "wicked problems" involving concerned stakeholders. That sigh of relief you hear is you, as you find solutions to---or at least direction toward---the challenges you face.

Essential handbook for those communicating risks
Helpful Votes: 5 out of 5 total.
Review Date: 2004-08-31
Straightforward and well-designed, this 400+ page book tells you how to explain risks to your workers, your stakeholders, and the public effectively. This book gives you the information you need to understand, plan, start, finish, and evaluate your plan to communicate environmental, safety, or health risks.

This guide, which is based on extensive research in the field, is filled with clear visuals and valuable checklists. The examples pulled from the authors' experiences reinforce the messages, often with a touch of humor and grace. For example, never give a presentation during moose hunting season.

A new chapter devoted to communicating in emergencies, such as bioterrorist attacks, provides valuable research and guidelines for building the infrastructure you need NOW, before the emergency, as well as what to do during and after the emergency.

If your job involves communicating risks, you'll want to read this book.

Engineering-risk
System Engineering Management
Published in Hardcover by Wiley (2003-08-25)
Author: Benjamin S. Blanchard
List price: $140.00
New price: $19.97
Used price: $19.91

Average review score:

very important lessons
Helpful Votes: 0 out of 0 total.
Review Date: 2008-08-07
Blanchard is a master name on System Engineering and Life Cycle Costs. This book explains many details of such complex sciences, helping us keep focused on what really matters. The explanations are easy to understand even for beginners.

A great introduction
Helpful Votes: 1 out of 1 total.
Review Date: 2008-08-07
I read this book while taking a masters course in system engineering. Over all, the book was clear and written in a format that allowed for self study. This was very helpful for me since my course was primarily online. The material was slightly redundant. The central thesis of the book was the fact that a system engineer needs to conduct the proper upfront planning as well as establish clear processes to ensure successful system development/delivery. The goal of System Engineering is to provide a system that meets the customer's need/requirements. This book introduces how this can be accomplished through a repeated process.
The redundant nature of the text requires a lot of cross reference (page flipping) between chapters in order to match the text description with the figure discussed. The book is more managerial than technical; most laymen will be able to read it without assistance from an instructor. Expanded explanations of reliability engineering as well as ID/prioritization of Technical Performance Measures would have been helpful. This textbook provided a good introduction to the SE process. I highly recommend this text book if you work as a System Engineer or Project Engineer for the Navy or Marines. This book references and will support their standard acquisition process. I give this book 4 of 5 stars.

Excellent Introduction to Systems Engineering
Helpful Votes: 11 out of 11 total.
Review Date: 2005-12-17
This book (or something similar) really should be required for anyone graduating with an engineering degree who intends to work in industry.

Systems engineering is essentially the function that oversees any design effort to ensure that the resulting design does what it's supposed to. As such requirements are the bread and butter of systems engineering. The most visible job of the system engineer then is to turn the customer's desires into functional requirements, and then turn those requirements into something that can be designed to based on the system architecture the designers / system engineers prefer.

For example, consider if you have a city with a river through it and the local government wants to develop a system to carry cars across the river. The system engineer would first turn that desire into functional requirements. These would include requirements like: No. of cars per hour that can transit, can't interfere with riverborne ship traffic, growth in traffic that can be absorbed etc. From this you have something that you can verify design concepts against to see if they satisfy the customer desires, but actually can't pull out the ruler and calculators just yet. Systems engineers / designers would then consider options like a suspension bridge, a ferry system, or a tunnel beneath the river. Each of these system options would have their own architectures and the functional requirements would have to be translated into different design requirements for each. The bridge would have to be so high to allow ship traffic and have so many lanes and bear so much live weight. The ferry system would need so many ferries of such and such a carrying capacity. The tunnel would have to have so many lanes, would require such and such a ventilation capacity, etc. The systems engineer would be involved in determining which of these architectures would best suit customer needs, and then turn the functional requirements into the design to requirements so design work can begin in earnest.

Of course as design work continues and large components are broken down into smaller and smaller design components the systems engineer continues to guide the choice of how to configure the lower tier of design components, and to allocate design to requirements for them. If the system engineer has done their job right when all the design components are integrated into each other the resulting system really does what it was intended to do and meets the functional requirements.

This book tells you in a very clear, completely comprehensive, and extremely well laid out manner how to do this. It also tells you why you should do this, and how it is beneficial. The writing is straightforward, always to the point, and easily understood. The topic is pertinent and can help you understand how systems are actually engineered in the real world, a very rare and very appreciated breath of fresh air in engineering textbooks.

The author also covers all the aspects of systems engineering planning, including scheduling, budgeting, contracting, and system verification / validation, etc. Systems engineering is largely a management function so this information is interesting and necessary for the subject.

This book will be extremely helpful for engineers of any stripe who want to put their work into context, systems engineers for how to do what they're supposed to do, and for contractors and government purchasers to implement processes to guarantee that they get a system that does what they want. (Provided what they want is feasible of course!)

Certainly recommended and a book that I use frequently for reference.

Key to successful integration projects & CMMI
Helpful Votes: 31 out of 31 total.
Review Date: 2001-02-22
This book is aimed at the system engineer who is involved in product design and engineering or involved in government contracting and must produce system engineering management plans (SEMPs). It is also applicable to organizations who have or are planning to use the capability maturity model (CMM) to improve their effectiveness. For the intended audience this book is both comprehensive and complete. There are eight chapters, each followed by case studies, questions and problems, and six appendices.

It starts with a foundation of the basics, such as definitions, system engineering life cycle, analysis and concurrent engineering. It then builds upon this foundation by addressing all of the elements of a well-managed system engineering program: integrated product and process development, TQM, configuration management, support and logistics. Each element is discussed in detail and placed into the context of a total system engineering environment.

The chapter on system design requirements is particularly complete and covers every facet of this discipline, including reliability, maintainability, safety, software, etc. There is a lot of good material here, which is reinforced by the next chapter that covers design tools and methods. The design process is concluded by a chapter on design review and evaluation, which is a foundation of good quality practices as well as a well-written SEMP.

The real heart of the book starts in chapter 6, which covers SE program planning. It covers program requirements, the SEMP itself and provides a statement of work. It then provides a complete work breakdown structure for implementing system engineering functions and tasks. This chapter provides a risk management plan that is well thought out and serves as an excellent template. It also addresses the CMM for systems engineering. Much of this material has been superseded by the Software Engineering Institute's CMMI that now covers system engineering, software engineering and integrated product and process development. This is not a problem because the book's coverage of the CMM-SE is consistent with the material in the CMMI.

The final two chapters, addressing system engineering organization and supplier/sub contractor management, are to the point and contain a lot of valuable information.

Had the author provided this book in soft copy on an accompanying diskette or CD ROM it would be a best seller on the Beltway because of the time it would save in developing a company-wide system engineering procedure manual.

Consulting companies and IT departments would also greatly benefit from this book because of the structured approach it provides for planning and managing system integration. Unlike their cousins in the government contracting and CMM domains, they generally approach system engineering and integration in a loose fashion that too often results in cost and schedule overruns, or project cancellation. By following the approach outlined in this book consulting companies and IT departments would find that technical, cost and schedule risks would be identified early and controlled, and that the design, integration and implementation of complex systems would enjoy a higher rate of success. This is especially true when multiple vendors are involved in an integration project - the material in chapters 1 (integrated process teams) and 8 (subcontractor management) provides a foundation for managing cross-functional teams. Therefore, I strongly recommend this book for engagement and project managers, and program management offices run by consulting companies and/or IT departments.

Engineering-risk
When Technology Fails: Significant Technological Disasters, Accidents, and Failures of the Twentieth Century
Published in Hardcover by Thomson Gale (1994-01)
Author:
List price: $105.00
Used price: $63.18

Average review score:

Excellent, comprehensive book on modern era disasters!
Helpful Votes: 0 out of 0 total.
Review Date: 2006-02-21
As a welding/metals inspector, I have both a professional and personal fascination with disasters. I own many books on various construction failures but this book remains one of my favorites. I have read this book cover to cover twice now and often find myself going back to it to reference various disasters.
While this book is not technical in nature (I don't believe you'll see any math formulas in the book), it is very comprehensive and straightforward in explaining the background, details surrounding the failure, and the subsequent impact.
What separates this book from the many competitors is that it covers such a broad range of topics, from airships to medical catastrophes, and everything in between. And it doesn't just cover the famous (or infamous) disasters which have already been pored over ad nauseam. Though it does include the requisite Hindenburg, Kansas City Hyatt, and Titanic disasters, it also touches on the King Street Bridge and the Dalkon shield.

Though the text is a bit pricey, it is worth every penny and makes a wonderful addition to any library, whether an engineer or just someone with an interest in the mechanics of failure.

Impressive
Helpful Votes: 0 out of 6 total.
Review Date: 1999-08-06
Very useful tools... packs with knowledge definitely a 5-stars materia

Requisite Reading
Helpful Votes: 8 out of 8 total.
Review Date: 2000-07-04
A most excellent compilation. Thought provoking and sobering material. Should be requisite reading for any Engineer, Project Manager, Operations Director, etc. Would especially recommend it as required reading for Engineering Students. The work often chronicles how various failures were first attributed to the most apparent superficial causes (i.e., the easy fix), but then only after several more failures were the root causes finally investigated, often at great cost both financially and in terms of human cost. Makes you wonder the next time you rush a project, cut some corners, eat away some margin, take some risks, etc...

An absolute "must read" for all technical professionals
Helpful Votes: 9 out of 9 total.
Review Date: 1999-04-23
A truly riveting book about the many failures of modern time. I couldn't put it down! This book fills in the details of many of the major disasters and accidents that you have read about in the news but provides the reader with the reasons that the technology failed. It's technically accurate without being overly complex. It explains not only what happened in each of the failures, but provides information on why it happened. I found the section on environmental accidents to be thought provoking and insightful. I would strongly recommend this book to anyone working in a technical field.

Engineering-risk
The CISO Handbook: A Practical Guide to Securing Your Company
Published in Hardcover by Auerbach Publications (2005-08-24)
Authors: Michael Gentile, Ron Collette, and Thomas D. August
List price: $78.95
New price: $58.72
Used price: $37.48

Average review score:

The CISO Handbook
Helpful Votes: 13 out of 14 total.
Review Date: 2005-10-08
At last a comprehensive view of what a total security program needs to be. So much of the literature on the subject is about technology only that this wholistic approach is a breath of fresh air. It is clearly and simply written and provides an easy to follow roadmap for any security manager to follow in developing an enterprise security program.

Sage advice for managing the security programme
Helpful Votes: 4 out of 4 total.
Review Date: 2006-02-18
This is a well-written practical guide to building and delivering an information security improvement programme. Presenting sage advice in a consistent manner, the book is a helpful primer for the person tasked by management with 'fixing information security'.

The book is written by and for those in the front line, not in ivory towers. The three authors each have CISSP and other information security qualifications plus 10 to 20 years' work experience in information security management, meaning that their advice holds weight. They all combine hands-on with management and/or consulting expertise, meaning that they view information security in a business context.

The primary focus of the book is to guide, advise, encourage and support Chief Information Security Officers (or equivalents) working on their information security improvement programmes. It's a bit like having a personal trainer at the gym: the trainer points out the aims of the training and suggests how the trainee might improve his technique, but the trainee must interpret the advice, internalize it and of course put in the hard work to improve.

The book generally avoids making specific recommendations for particular information security controls. The reader is expected to be able to figure out for himself (perhaps using some of the techniques and checklists presented) what the security improvement projects will actually achieve. Instead, it emphasizes the programme management aspects. This approach is more broadly applicable since each organization's information security needs differ. There are numerous other books and standards describing best practice security controls, but few address the overall planning.

The overall flow of the book follows the suggested lifecycle of an information security implementation or improvement project:
Assess - identify the drivers or needs for security improvement (e.g. risks, legal obligations) and the constraints
Plan - obtain management support for the programme, prepare an improvement strategy and build your team
Design - prepare information security policies, conduct a gap analysis and prepare a portfolio of projects
Execute - numerous suggestions to help manage the improvement projects successfully
Report - management reporting.

Each chapter contains a consistent structure with an introduction, some theoretical framing, the 'guts' and a conclusion which links to the next chapter. The 'guts' reflect the authors' practical approach, offering pragmatic and helpful guidance to the newly appointed or would-be CISO.

The writing is clear and straightforward, with key messages consistently presented and reinforced throughout the book. There are useful checklists, tables and process flows embedded in the text although some of the block diagrams seem rather too high-level and pointless (that's just my personal opinion).

I am currently working with a client to initiate a large information security improvement programme and so enjoyed reading this book cover-to-cover in a few sittings. It was gratifying to find that we are already following the recommended approach with few if any exceptions, and there's nothing substantial we would quarrel about. Better still, I am glad to have picked up some good tips and look forward to thumbing through this book every month for the next year or so. If you are a CISO, I commend this book to you.

Extremely valuable security reference
Helpful Votes: 4 out of 4 total.
Review Date: 2005-11-07
The CISO Handbook: A Practical Guide to Securing Your Company lives up to its title as being a practical guide to security. The book is an antithetical approach to the products-equal-security approach, and takes a pragmatic approach to security.

The authors have extensive real-world experience and approach information security from a holistic perspective. They clearly understand what it takes to build an information security program. One of the biggest mistakes in security is that it is seen as plug and play. Buy a security product, install it, and like magic, you have this thing called data security. But that only works in the world of product brochures and marketing material, not in the real world. The book does not approach security from a plug and play perspective, but as an endeavor that requires a multi-year effort to come to fruition.

The five chapters deal with security from its true source, namely that of risk. The chapters are: Assess, Plan, Design, Execute and Report. These five areas encompass all of information security and those firms that have built an information security infrastructure have all done it by focusing on these five areas.

The first area, Assess, is all about risk management. Many companies will purchase security products without even knowing what their specific risks are, and have often not performed a comprehensive risk analysis. Without a comprehensive risk analysis, any security product will simply operate in a vacuum. The benefits of a risk assessment and analysis are that they ensure that an organization is worrying about the right things and dealing with real, as opposed to perceived threats. The ultimate outcome of a risk analysis should be to see if the organization can benefit from the security product.

Chapter 1 ends with an assessment checklist of various areas that go into a risk assessment. One of the questions in the checklist that you likely will not see anywhere else is "describe the political climate at your company". Too many security people think only about the technology and neglect the political implications of a security system. Not taking into consideration the politics is a surefire way to potentially doom a project. Similar questions detailed in the checklist will give the reader a good feel for how secure their organization truly is; as opposed to the often perceived view of being much more secure.

Chapter 2 is aptly titled Plan. The planning phase is meant to combine the issues of assessment and to integrate options to mitigate those risks. The way in which a specific security technology or methodology is implemented is dependent on the organization. Rather than using a cookie-cutter approach, effective planning ensures that the security technologies chosen support your security program. Far too many organizations make the mistake of simply buying products without giving enough consideration to the myriad details of how they will be deployed, managed and used.

Chapter 2 emphasizes the need for planning, and the book as a whole emphasizes the need for the use of a methodology when dealing with information security. For many security technologies, the challenges are not so much with the technology, but rather with ensuring that the technology meets business requirements, is scalable and reliable, etc.

Building a comprehensive information security program is likely to be more complex than previous experience of typical IT projects. As well as project management, technical and operational aspects, there are many policy, legal and security issues which must be taken into consideration. By following a structured methodology based on practical experience, many of the potential traps and pitfalls can be avoided. The risks to the business and the project are reduced and those that remain are quantified at an early stage.

The planning checklist at the end of chapter 2 will help by ensuring that the solutions identified are deployed in the context of a well-designed information security program. It can also be used as a wake-up call to management that often seriously underestimates the amount of time and manpower required to create an effective information security program.

One of the added benefits of planning is that it makes it much easier to integrate new regulatory requirements into the security program. A well-planned network can retrofit new requirements much more quickly and efficiently. This is a critical need given the increasing amount of new regulations that will come into play in the coming years, in addition to current regulations such as HIPAA, Sarbanes-Oxley and much more.

Chapters 3, 4 and 5 progress in a similar manner with the topics of Design, Execute, and Report. Each chapter details the essentials of the topic and shows how it is critical to the efficacy of a successful information security program.

What the reader may find missing from the book is particulars of the various security technologies. But that is the very function of the book, to show that information security is not primarily about the products, but rather the underlying infrastructure on which those products reside. Any product that is not deployed in a methodology similar to that of The CISO Handbook is likely to find itself lacking. The product might be there and hum along; but the security that it provides will likely be negligible.

The uniqueness of The CISO Handbook is that it shows how to design and implement an effective security program based on real-world scenarios, as opposed to product reviews and vendor evaluations.

The CISO Handbook: A Practical Guide to Securing Your Company is indeed a most practical guide, as its title suggests. It is quite helpful to anyone in a security organization, whether they are the CISO, system administrator, or in a different capacity.

Engineering-risk
The Economics of Risk and Time
Published in Hardcover by The MIT Press (2001-06-18)
Author: Christian Gollier
List price: $55.00
Used price: $39.99

Average review score:

masterpiece
Helpful Votes: 1 out of 1 total.
Review Date: 2007-08-07
Amazing book connecting all the dots you know in asset pricing, macro, general equilibrium, etc. You come out of it refreshed, feeling you are a different person.

Excellent book
Helpful Votes: 2 out of 2 total.
Review Date: 2007-08-28
This book presents an excellent summary of the toolbox that students and professionals must manage in order to understand the numberless amount of modern contributions on asset pricing. All recent advances in the use of risk and uncertainty are presented with simple and direct language, and without useless mathematical sophistication. A needed help for asset pricing courses intended for graduate students.

a gem
Helpful Votes: 8 out of 8 total.
Review Date: 2003-07-04
Gollier has written a book that not many others could have written. It is VERY complete, it is full of deep insights, and, for me, it is a pleasure to read. Don't be mistaken: this is a research book, not a textbook. But for those of us doing research in decision theory, general equilibrium, finance, or macroeconomics, it is simply a must. How could you afford NOT to buy it?

Engineering-risk
Risk Management in the Fire Service
Published in Mass Market Paperback by Pennwell Books (1997-06)
Author: Steven S. Wilder
List price: $29.00
New price: $25.23
Used price: $24.00

Average review score:

Everything you need to start a Risk Management Program.
Helpful Votes: 0 out of 0 total.
Review Date: 1999-03-13
As a safety officer myself, I found this book truly captivating. I couldn't put it down. If you ever had a difficult time starting a safety program, I recommend you read "Risk Management in the Fire Service". This book is a recipe for an effective safety/risk management program. Mr. Wilder's five-step risk management process is so simple, I will use it for all future safety programs. I can't think of any incident too complex for this process. I used to think budget determined how effective a safety program could be, but this book gives step-by-step advice on things you can do within any budget. It's nice to know there's a reference and an authority I can turn to when I need help. Thank you Mr. Wilder.

Makes fire service and EMS risk management understandable
Helpful Votes: 0 out of 0 total.
Review Date: 1999-01-08
While the concept of risk management is new to fire and EMS services, it is obviously not new to the author. His fire science background combined with his risk management background make him the logical choice to train the industry. Having sat in on lectures given by the author, I purchased the book with the hopes that it would be as easy to follow as are his classes. I was not disappointed. This book is written in such a way that it takes a complex topic and makes it easy to follow and understand. As a fire department captain and EMT, I have already taken some of the ideas gained from this book and brought them into our department. I strongly recommend this book for fire department administrators, training officers, safety officers, and anyone interested in learning the basics of risk management.

Clearly, Mr. Wilder is the authority in this field!
Helpful Votes: 0 out of 1 total.
Review Date: 1998-11-04
Having spent nearly 28 years in the risk management business it is refreshing to find a book that deals with timely issues in a clear, concise manner. The exposures unique to fire fighters/medics are unique and Mr. Wilder has unique approaches to today's risks. This book is a must read for any fire department in the United States and City Managers, Fire Chiefs, firemen and women would be remiss if it wasn't mandatory reading. One thing for sure... as soon as we are finished posting this review an invitation will be extended to Mr. Wilder to come address our departments and key personnel. I would encourage anyone in the business, who has not read this masterful work, to pick it up. I am certain based upon years of defense related consulting work that this book will become a standard in the industry and will be guidelines for conduct observed by both the plaintiff and defense bars across the country. An "Excellent" job Mr. Wilder. Thank you.

Mike Vines
System Risk Manager
Provena Health Inc.

Engineering-risk
Successful Project Management: A Step-by-Step Approach with Practical Examples
Published in Hardcover by Wiley (2005-09-09)
Authors: Milton D. Rosenau and Gregory D. Githens
List price: $85.00
New price: $64.60
Used price: $51.00

Average review score:

Project Management
Helpful Votes: 0 out of 0 total.
Review Date: 2002-10-15
Excellent Book. Direct to the point. I have recommended this one to other project managers and they agreed with my opinion.

Easy to get, easy to understand.

Best Regards

Rolando Ramos
Bogota-Colombia

Best Basic Project Management Book for Product Development
Helpful Votes: 11 out of 12 total.
Review Date: 2001-04-11
I've read a number of project management books over the years, and very few of them fit at all in a product development environment. This book fits and matches product development very well. In fact, in my opinion, it is the best basic project management book on the market currently for application in product development. This shouldn't be a surprise though since Mickey Rosenau understands project management practice in the field of product development. Beware of the other authors who claim that they understand product development and then apply a traditional approach to project management. Project management in product development is different, and a traditional approach to project management doesn't work in product development. Stay away from the traditional management approach and get this book instead.

Nice book, easy to read, and ready to put in practice.
Helpful Votes: 2 out of 9 total.
Review Date: 1999-04-20
Excellent book, a good guide to improve project management

Engineering-risk
System Safety Engineering And Risk Assessment: A Practical Approach (Chemical Engineering)
Published in Hardcover by CRC (1997-09-01)
Author: Nicholas J Bahr
List price: $109.95
New price: $79.99
Used price: $55.89

Average review score:

A great textbook
Helpful Votes: 1 out of 1 total.
Review Date: 2007-09-06
System Safety Engineering And Risk Assessment is an excellent reference on how to engineer safety and manage risk. The clarity of the writing combined with understandable examples makes this book an outstanding text for a course on engineering safe systems.

This book starts by introducing the need and benefits of implementing a system safety program providing context for the later material. Key safety concepts and definitions are then introduced with references to relevant government and industry standards. A pragmatic discussion follows on the necessity of management and organizational support for an effective safety program. The book then details specific techniques for hazard identification and analysis including HAZOP, fault tree, FMEA, FMECA and a few lesser known methodologies. The overview of human factors analysis begins with the observation that "human error is an out-of-tolerance action within the human machine system." This discussion provides a comprehensive framework for the more advanced material referenced in the section. The only weakness was the following section on software safety, which lacked detailed descriptions of state-of-practice analysis techniques. The analysis section is strengthened by the discussion of accident and failure reporting systems and the associated databases that are used to support accident and reliability analyses. The final chapters of the book provide a practical discussion of how to manage risk using tailored versions of the various techniques introduced in the previous sections.

All in all, this is a worthwhile reference for systems engineers and safety officials.

A good book for the student and the experienced professional
Helpful Votes: 12 out of 13 total.
Review Date: 1998-12-11
I used this book to teach system safety engineering to graduate students. The author provides the reader a background into system safety that lays the groundwork for a functional and proactive system safety process. This book provided workable examples to the student for comprehension of the material. Students as well as the instructor had a better understanding of system safety and the integration of the processes into general industrial and aviation safety programs/processes. I wish I had this book when I was trying to explain to my management what system safety engineering was and how it benefits the engineering department.

Illuminating Systems Safety Overview
Helpful Votes: 2 out of 2 total.
Review Date: 2004-02-01
In this book, Nicholas Bahr has taken the complex discipline of systems safety and made it accessible in a logical, useful format. The book is clear and well illustrated (although a couple of the charts are a bit cumbersome and unwieldy), and calls upon numerous case studies to illustrate key points. There are separate chapters of Hazard Analysis, Fault Tree Analysis, Safety Analysis in Engineering, and Safety Management.

While useful for engineers (particularly in the chemical processing or nuclear fields), this book is written in comprehensible terms that do not require an engineering background or technical education to understand. In fact, I believe that the biggest beneficiaries of this book are not engineers at all, but non-technical managers, who desperately need to understand safety systems, but often don't. In fact the chapter on Safety Management should be required reading for any manager in a safety critical environment, as it is an excellent "how to" guide to safety management of complex systems. This chapter has examples of correct safety management, and more importantly, excellent examples of the perils of management unwillingness to prioritize safety. The case study of the Nypro UK cyclohexane plant explosion in Flixborough, England is the best detailed, and has universal applications to safety systems across varying industries. The loss of the shuttle 'Challenger' is also reviewed from a systems safety vantage point, but while there are many errors to be analyzed and learned from there, more of the lessons are industry specific than are the lessons from the Flixborough example.

I used this book in a graduate class on systems safety. This is one of the best safety books I have seen, and is the most concise text on systems safety that I have ever read, far better, for instance, than the works of Perrow. Mr. Bahr is to be commended for his work; I look forward to reading more by him in the future.

