Free tools and resources for effectively managing, assessing, and communicating information security risk.
NIST Risk Management Framework https://csrc.nist.gov/Projects/Risk-Management
Integrating Cybersecurity and Enterprise Risk Management (ERM) - NISTIR 8286 https://csrc.nist.gov/publications/detail/nistir/8286/final
Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight - NISTIR 8286C https://csrc.nist.gov/publications/detail/nistir/8286c/draft
SIRA Information Risk Management Body of Knowledge https://github.com/societyinforisk/irmbok
Simple Risk (for engineers) https://magoo.github.io/simple-risk/reading.html
Reading List https://www.societyinforisk.org/reading-list
- https://www.themetricsmanifesto.com
- https://www.oreilly.com/library/view/security-metrics-replacing/9780321349989/
Calibration Training http://sethrylan.org/bayesian/
CISA (developing) https://www.cisa.gov/
FAIR https://www.fairinstitute.org/
FAIR - ISO/IEC 27005 Cookbook https://publications.opengroup.org/c103
https://www.societyinforisk.org/reading-list
ISACA IT Risk Framework https://www.isaca.org/resources/it-risk
SRA Risk Analysis Quality Test https://www.sra.org/resources/risk-analysis-quality-test/
Binary Risk Assessment: BRA is a short series of simple questions that help you discuss a risk in a structured manner. https://binary.protect.io/
Tidyrisk: Tidyrisk is a collection of R packages for performing quantitative risk management using the OpenFAIR framework https://tidyrisk.org/
- evaluator: open source quantitative risk analysis toolkit https://github.com/davidski/evaluator
- collector: R package for conducting interviews with subject matter experts (SMEs) on the risk scenarios facing an organization https://github.com/davidski/collector
unsuR: Risk assessment with R https://github.com/cneskey/unsuR
riskquant: A library to assist in quantifying risk. https://github.com/Netflix-Skunkworks/riskquant https://netflixtechblog.com/open-sourcing-riskquant-a-library-for-quantifying-risk-6720cc1e4968
CISA CSET: Ransomware readiness assessment https://github.com/cisagov/cset/releases/tag/v10.3.0.0
VSAQ: Interactive questionnaire application to assess the security programs of third parties. https://github.com/google/vsaq
VCDB Explorer https://jpsturgis.shinyapps.io/vcdb_explorer/
Future https://saga.ws/
Open Source GRC: https://www.simplerisk.com
FAIRTool: Factor Analysis of Information Risk (FAIR) tool developed in R https://github.com/zugo01/FAIRTool
IU Health Vendor Relations Information Security Requirements https://iuhealth.org/about-our-system/vendor-relations
VSAQ: Interactive questionnaire application to assess the security programs of third parties. https://github.com/google/vsaq
Health Industry Cybersecurity Supply Chain Risk Management Guide (HIC-SCRiM) https://healthsectorcouncil.org/hic-scrim/
What threat actors should we consider? What are their common attack techniques?
Intel Threat Agent Library (2007) https://www.google.com/search?q=Intel+Threat+Agent+Library Spreadsheet version https://docs.google.com/spreadsheets/d/1qKne0RNOnwW3IJWgO70yiJOz1VebqT3M9I8Ci4ROEFQ/edit#gid=0
MITRE ATT&CK https://attack.mitre.org/
Microsoft Threat Modeling Tool https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool
ThreatModeler https://threatmodeler.com/threatmodeler-launches-free-lite-community-edition/
CMU Common Sense Guide to Prevention and Detection of Insider Threats https://resources.sei.cmu.edu/asset_files/WhitePaper/2009_019_001_50285.pdf
How Material is That Hack? https://howmaterialisthathack.org/
Data Breach Investigations Report - DBIR https://www.verizon.com/business/resources/reports/dbir/
Cyentia - IRIS Risk Retina https://www.cyentia.com/
Data visualization book https://github.com/clauswilke/dataviz
Glasseye: present the results of statistical analysis written in Markdown with D3 charts https://github.com/coppeliaMLA/glasseye
ggcal: generate a familiar calendar plot from a vector of dates and fill values. https://github.com/jayjacobs/ggcal
Pandashells: Bringing the Python data stack to the shell prompt https://github.com/robdmc/pandashells
Internet Data Download: Download and normalize data about the internet from various sources https://github.com/hdm/inetdata
A brief introduction to R including sample code and walkthroughs. https://github.com/BillPetti/R-Crash-Course
rmarkdown: Dynamic Documents for R https://github.com/rstudio/rmarkdown
NIST Cybersecurity Framework https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
CIS Controls https://www.cisecurity.org/cybersecurity-tools/
COBIT https://www.isaca.org/resources/cobit
ISO 27001 and family https://www.iso.org/isoiec-27001-information-security.html
Security Control Mappings https://github.com/AbeWinters/control-mappings
CIS Critical Security Controls V7 Measures & Metrics https://www.cisecurity.org/insights/white-papers/cis-controls-v7-measures-metrics
Security Metrics book https://www.themetricsmanifesto.com
Maturity Assessment - FY 2023-2024 Inspector General FISMA Reporting Metrics (also referenced in Maturity Models section on this page) https://www.cisa.gov/sites/default/files/2023-02/Final%20FY%202023%20-%202024%20IG%20FISMA%20Reporting%20Metrics%20v1.1_0.pdf
CISO Dashboard Toolkit https://docs.google.com/spreadsheets/d/1c-KYLP5Im_lxBkZbOED0i6OXlE_LtOiCDwDUXtCHYrs/edit#gid=1682960858
Older Resources - some good nuggets here but not super accessible http://www.securitymetrics.org/
A system to calculate Cyber Value-at-Risk https://www.sciencedirect.com/science/article/pii/S0167404821003692
CMMI https://cmmiinstitute.com/products/cybermaturity
Maturity Assessment - FY 2023-2024 Inspector General FISMA Reporting Metrics (also referenced in Metrics section on this page) https://www.cisa.gov/sites/default/files/2023-02/Final%20FY%202023%20-%202024%20IG%20FISMA%20Reporting%20Metrics%20v1.1_0.pdf
NIST - Cybersecurity Capability Maturity Model C2M2 https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2
NIST - Program Review for Information Security Assistance PRISMA https://csrc.nist.gov/Projects/Program-Review-for-Information-Security-Assistance/Security-Maturity-Levels
CMMC Model (??) https://dodcio.defense.gov/CMMC/Model/
Exploit Prediction Scoring System (EPSS) https://www.ftc.gov/system/files/documents/public_events/1415032/privacycon2019_sasha_romanosky.pdf https://www.first.org/epss/
CISA Known Exploited Vulnerabilities Catalog https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Kenna Security Research https://resources.kennasecurity.com/research-reports-2
Making risk management a value-added function in the boardroom https://www.mckinsey.com/business-functions/risk/our-insights/making-risk-management-a-value-added-function-in-the-boardroom
Cybersecurity: Boardroom Implications https://www.nacdonline.org/insights/publications.cfm?ItemNumber=8486
Director's Handbook on Cyber-Risk Oversight https://www.nacdonline.org/contentassets/4931ac5b05a84111953919eaa03a38e9/cyber-risk-oversight-handbook_webcompressed.pdf
Managing Cyber Risk in a Digital Age - COSO https://www.coso.org/Documents/COSO-Deloitte-Managing-Cyber-Risk-in-a-Digital-Age.pdf
Enterprise Risk Management https://www.coso.org/Pages/erm.aspx
TBM https://www.tbmcouncil.org/learn-tbm/resource-center/tbm-taxonomy-nist/
Goal-Question-Indicator-Metric (GQIM): how to measure the things that matter to your business. https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=451184
ISACA Glossary https://www.isaca.org/resources/glossary#glossi
Bayesian Probability https://www.youtube.com/watch?v=GShNozmkYlQ https://www.amazon.com/Theory-That-Would-Not-Die/dp/0300188226/ref=sr_1_2?dchild=1&qid=1598383597&refinements=p_27%3ASharon+Bertsch+Mcgrayne&s=books&sr=1-2&text=Sharon+Bertsch+Mcgrayne
Using the FAIR Model to Measure Inherent Risk https://www.fairinstitute.org/blog/using-the-fair-model-to-measure-inherent-risk
Breach Notification Laws https://www.bakerlaw.com/BreachNotificationLawMap