Society of Information Risk Analysts

Recommended Reading


Predictably Irrational, Revised and Expanded Edition: The Hidden Forces That Shape Our Decisions (book). Ariely, Dan

 Jay Jacobs: Focused on behavioral economics, this book gives a glimpse into the motivations of people and the rationale, biases and fallacies that influence the decision process.

Foundations of Risk Analysis: A Knowledge and Decision-Oriented Perspective (Wiley Series in Probability and Statistics) (book). Aven, Terje

Misconceptions of Risk. Aven, Terje

Against the Gods: The Remarkable Story of Risk (book). Bernstein, Peter

 Jay Jacobs: I loved this book. Really put risk into context by looking at how it has been perceived throughout time. Plus this was where I first read about Pascal and others hanging out in Paris discussing mathematics and probability. The section on the birth of Lloyd's of London was incredibly intriguing and too short in my opinion. Just think of how many "medium risk" ships were over-insured in Lloyd's coffee shop.

The Psychology of Risk (book). Breakwell, Glynis M.

 Ron Woerner: I quickly scanned it at a local library and it appears to be a nice resource on how we think about risk. From the book description: "Risk surrounds and envelopes us. Without understanding it, we risk everything and without capitalizing on it, we gain nothing. This accessible new book from Glynis M. Breakwell comprehensively explores the psychology of risk, examining how individuals think, feel and act, as well as considering the institutional and societal assessments, rhetorics and reactions about risk. Featuring chapters on all the major issues in the psychology of risk including risk assessment, hazard perception, decision-making, risk and crisis management, risk and emotion, risk communication, safety cultures, the social amplification and social representation of risk and mechanisms for changing risk responses."

Risk Analysis of Complex and Uncertain Systems (International Series in Operations Research & Management Science) (book). Cox, Louis Anthony

 Jeff Lowder: Tony Cox is one of the top risk scholars in the world. This is a very technical (and expensive!) book, but is a must-have for anyone who is serious about risk analysis. Among its many gems, the book contains a fascinating critique of risk matrices; Cox concludes that in many cases they are worse than useless — they do more harm than good.

The Logic of Failure: Recognizing and Avoiding Error in Complex Situations (book). Dorner, Dietrich

The Science of Fear: How the Culture of Fear Manipulates Your Brain (book). Gardner, Daniel

 Ron Woerner: This is the book Bruce Schneier recommends on understanding how humans perceive and deal with fear. It's important to understand human perspectives of risk in order to apply proper mitigation techniques.

Calculated Risks: How to Know When Numbers Deceive You (book). Gigerenzer, Gerd

 Jeff Lowder: This non-technical book is a fascinating, empirical study in what works and doesn't work in risk communication. The author provides fascinating, empirical case studies of how risk managers' failure to understand and effectively communicate conditional probabilities has had harmful effects. Gigerenzer argues that "natural frequencies" should replace conditional probabilities in risk communication.

Blink: The Power of Thinking Without Thinking (book). Gladwell, Malcolm

How to Measure Anything: Finding the Value of Intangibles in Business (book). Hubbard, Doug

The Failure of Risk Management: Why It's Broken and How to Fix It (book). Hubbard, Doug

 Jay Jacobs: Both of Hubbard's books are staples for anyone attempting risk management.

Assessing and Managing Security Risk in IT Systems: A Structured Methodology (book). McCumber, John

 Jeff Lowder: Introduces the "McCumber Cube" concept for thinking about information security risks, which forces you to consciously think about risks to the confidentiality, integrity, and availability of information in each of its states (storage, transit, processing).

The Drunkard's Walk: How Randomness Rules Our Lives (Vintage) (book). Mlodinow, Leonard

 Jay Jacobs: Randomness is really the lack of probability and this book made me question my own belief in seeking cause-n-effect by questioning events as simply being a product of randomness.
 Chris Hayes: The reason I loved this book is because it established historical context on the subject of risk and probability; dating back a LONG time ago.

Computer-Related Risks (book). Neumann, Peter G.

 Dan Philpott: Excellent source book when looking for an example of a particular risk. Anecdotes and insights culled primarily from RISKS.

Organized Uncertainty: Designing a World of Risk Management (book). Power, Michael

Risk: A Philosophical Introduction to the Theory of Risk Evaluation and Management. Rescher, Nicholas

 Jeff Lowder: It's unfortunate this book is out of print, since all risk managers would benefit from reading it. Rescher provides much-needed clarity around the central concepts of risk evaluation and management.

The Flaw of Averages: Why We Underestimate Risk in the Face of Uncertainty (book). Savage, Sam L., and Jeff Danziger

 Chris Hayes: Savage has written an entire book about the flawed tendency to only use "average" values for modeling and decision making. He also introduces the reader to the DIST standard, which is my particular interest. I am only a few chapters into the book, but already it is challenging me to refine how I articulate some risk values to management.

The Black Swan: Second Edition: The Impact of the Highly Improbable: With a New Section: "On Robustness and Fragility" (book). Taleb, Nassim Nicholas

 Dan Philpott: It was bound to end up here anyway so I added it. Houses the most abused current argument for the limits of risk management and metaphor for ceding responsibility, the Black Swan event.
 Alex: Gaaaaahhhhhhhhhhhh!!'!!!!!!!!!!!  Furrrrrrrrrr!!!!!!!!!  Gnughrfuvlsnoffinhaster </yosemite sam>

Risk Analysis: A Quantitative Guide (book). Vose, David

 Chris Hayes: Absolute must-have.

IT Risk: Turning Business Threats into Competitive Advantage (book). Westerman, George, and Richard Hunter

 Jeff Lowder: This book is surprisingly light on the methodology used to estimate the probability and impact of IT risks, but that is more than offset by the excellent suggestions around building a culture of risk management within organizations. It also introduces the 4A framework for IT risk management, which I found to be very innovative.


Methodology or Standards-Specific

Managing Information Security Risks: The OCTAVE (SM) Approach (book). Alberts, Christopher, and Audree Dorofee

"Technical Standard - Risk Taxonomy." The Open Group.

 Chris Carlson: A reference to FAIR is certainly handy.


Risk Communication


Gigerenzer, Gerd. Calculated Risks: How to Know When Numbers Deceive You. New York: Simon & Schuster, 2002.

Jeff Lowder: Gigerenzer advocates using what he calls the "natural frequencies" approach for communicating and thinking about risks, in order to avoid the base rate fallacy.

Sandman, Peter M. Responding to Community Outrage: Strategies for Effective Risk Communication. Fairfax: American Industrial Hygiene Association, 1993. Republished electronically at

Jeff Lowder: Sandman is arguably one of the top risk communication experts in the world. He is famous for his "Risk = Hazard + Outrage" model for thinking about risk communication.

Risk Matrices

Cox, Tony. "What's Wrong with Risk Matrices?" Risk Analysis 28 (2008): 497-512, doi: 10.1111/j.1539-6924.2008.01030.x.

Jeff Lowder: The definitive overview of the problems with risk matrices.

Talbot, Julian. "What's Right with Risk Matrices."

Verbal Probability Expressions

Beyth-Marom, R. "How Probable is Probable? A Numerical Translation of Verbal Probability Expressions." J. Forecast 1 (1982): 256-269, doi: 10.1002/for.3980010305.

Budescu, David V., Han-Hui Por, and Stephen B. Broomell. "Effective Communication of Uncertainty in the IPCC Reports." Climatic Change (in press), doi: 10.1007/s10584-011-0330-3, electronically published on 23 November 2011.

Jeff Lowder: Provides an outstanding overview of the last 2-3 decades of empirical research into the use of linguistic or verbal expressions to communicate uncertainty or probability.

Budescu, David V., and Thomas S. Wallsten. "Consistency in Interpretation of Probabilistic Phrases." Organizational Behavior and Human Decision Processes 36 (1985): 391-405.

Heuer, Jr., Richards J. Psychology of Intelligence Analysis. n.p.: Central Intelligence Agency, 1999. Republished electronically at

Kent, Sherman. "Words of Estimative Probability." Central Intelligence Agency Study for the Center of Intelligence (1964),

Wallsten, Thomas S., David V. Budescu, and Ido Erev. "Understanding and Using Linguistic Uncertainties." Acta Psychologica 68 (1988): 39-52.

Wark, David L. "The Definition of Some Estimative Expressions." Central Intelligence Agency Study for the Center of Intelligence (n.d.),

Brun, Wibecke, and Karl Halvor Teigen. "Verbal Probabilities: Ambiguous, Context-Dependent, or Both?" Organizational Behavior and Human Decision Processes 41 (1988): 390-404, doi: 10.1016/0749-5978(88)90036-2.

©2010-2023 Society of Information Risk Analysts, a 501(c)(3) non-profit organization.