Recommended books on Risk Assessment and Risk Management

Some of these are quite old, but the fundamentals of risk assessment and risk management haven't changed, even if some new risks have appeared and some other risks are easier to mitigate.

Nassim Nicholas Taleb, Thomson Texere, 2001

This book contains musings on random events and their effects on the market (and life in general) by a professional trader, Nassim Taleb. There are thoughts here which I found quite profound concerning the nature of inductive logic (reasoning from events to rules), as well as interesting examples and explanations of how we allow ourselves to be fooled by random phenomena.

Taleb is particularly fascinated by what he describes as the Black Swan Problem. We see lots of swans. All of them are white. We infer that all swans are white. Unfortunately we have never been to Australia, where the swans are black as well. If we build our trading systems on such principles, will the appearance of a black swan wipe us out?

The style of writing here is a collection of literate musings and digressions which I rather liked but, judging by Amazon reviews, it appears to irk some readers.

Richard A. Posner, Oxford University Press, 2004

There are disasters that affect the individual. There are disasters that affect an organization. And then there are disasters that affect the human race. It is this third type of disaster that interests Posner: more specifically, disasters that can wipe out the entire human species. The author discusses the possible causes of such catastrophes (natural and man-made), and the possible regulatory frameworks required to prevent or mitigate disaster. The difficulties of using cost/benefit analysis with low-probability, very-high-consequence events are also covered.

A general interest book unless you are concerned with national (or international) policy.

David Ropeik, George Gray, Houghton Mifflin, 2002

This book aims to give balanced information on the fifty most talked about hazards in daily life. Each risk is presented along with background information and a discussion of the consequences and likelihood of exposure.

Although you may not agree with all their risk assessments, the information is presented in sufficient detail (along with references) that you can reach your own conclusions.

Although aimed at personal risks rather than business risks, this book presents excellent examples of how to analyze and report a risk.

Note that (as the authors clearly state) this is a book about the most talked about risks, not necessarily the ones which are most likely to kill you. Interesting tables in the Appendix correct this deficiency. Did you know that in the USA your lifetime odds of being killed in a car accident are 1 in 88? Or that a truck driver is about six times more likely to be killed on the job than a police officer?

John F. Ross, Perseus Books, 1999

A collection of musings on risk in everyday life. The title comes from the author's jumping-off point: an expedition in the Arctic which discovers that there is a risk of meeting a polar bear, but has never encountered one before. How should the unknown risk be assessed?

It has been said that a picture is worth a thousand words. Unfortunately Ross provides the thousand words in place of the picture or diagram. Some of the discussions are therefore more difficult to follow than they should be, and the presentation of data in prose rather than tabular format is often irksome.

Some interesting discussions on the complexity of risk nonetheless.

Douglas W. Hubbard, Wiley, 2009

When I started reading this book I didn't like it. It starts out a little bit too much about the author, rather than the subject. So I put it aside for a while. But when I subsequently dipped into it, my opinion changed. It's a valuable book.

Hubbard's critique of risk management is based on its use of ad hoc methods which are fundamentally subjective and where there is little to no justification that the method actually works. Qualifiers (such as "low", "medium", "high" probabilities and "low", "medium", "high" impacts) are multiplied together in scoring systems which really offer no insights but just provide a warm and fuzzy feeling for management.

Hubbard won't accept the argument that "we just can't compute the probabilities" or "we can't estimate the losses" as an excuse for not trying to make a quantitative assessment of risk. He points out that the lack of a long historical record does not mean such estimates cannot be made. Safety engineers and actuaries can and do make such estimates, but their methods are frequently unrecognized or ignored when considering business continuity risks.

You don't need comprehensive historical data about a system to get a quantitative risk estimate. Indeed, just looking at historical data won't help for rare events. However, you can look at similar systems elsewhere, system components, and dependencies and combine the data for these using standard methods to get a reasonable assessment.

Hubbard also looks at how people make mistakes in estimates. Often they make the same errors in reasoning, or ignore the same factors. There are some good sections on what these errors are, how to recognize them, and how to avoid them.
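To make the contrast in the last few paragraphs concrete, here is an added example (it is not from the page and not Hubbard's own code or method) that puts an ordinal "low/medium/high" scoring matrix beside a small quantitative estimate. The quantitative side does what the review describes: it pools incident counts from similar systems elsewhere into an annual rate, combines independent component probabilities with the standard rule, and turns a calibrated 90% loss interval into an expected annual loss by Monte Carlo. Every component name, count and loss figure is constructed for illustration, and independence of the components is an assumption.

```python
"""
Added example: ad hoc ordinal scoring versus a quantitative risk estimate.
All names and numbers below are constructed; independence is assumed.
"""
import math
import random

# --- The ad hoc approach the review criticises ---------------------------------
LEVELS = {"low": 1, "medium": 2, "high": 3}

def ordinal_score(likelihood: str, impact: str) -> int:
    """Multiply ordinal ranks. The product has no units: "medium x medium" (4)
    is not meaningfully bigger than "low x high" (3), it is just a bigger label."""
    return LEVELS[likelihood] * LEVELS[impact]

# --- The quantitative approach ---------------------------------------------------
def pooled_annual_prob(incidents: int, system_years: float) -> float:
    """Annual probability of at least one incident, from incidents observed
    across similar systems (Poisson rate = incidents / system-years).
    This is how you get an estimate without a long history of your own."""
    rate = incidents / system_years
    return 1.0 - math.exp(-rate)

def annual_prob_any(component_probs) -> float:
    """Probability that at least one of several independent components fails
    in a year: 1 - prod(1 - p_i). Independence is an assumption here."""
    survive = 1.0
    for p in component_probs:
        survive *= 1.0 - p
    return 1.0 - survive

def expected_annual_loss(p_event: float, loss_low: float, loss_high: float,
                         trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo expected annual loss. Each trial decides whether the event
    happens; if so a loss is drawn from a lognormal whose 90% interval is
    [loss_low, loss_high] (a calibrated estimate, not a point guess)."""
    rng = random.Random(seed)          # fixed seed so the result is reproducible
    mu = (math.log(loss_low) + math.log(loss_high)) / 2
    sigma = (math.log(loss_high) - math.log(loss_low)) / (2 * 1.645)  # 90% -> +/-1.645 sd
    total = 0.0
    for _ in range(trials):
        if rng.random() < p_event:
            total += rng.lognormvariate(mu, sigma)
    return total / trials

def compare(component_probs, loss_low: float, loss_high: float) -> dict:
    """Both views of the same hypothetical risk, side by side."""
    p = annual_prob_any(component_probs)
    return {
        "ordinal_score": ordinal_score("medium", "high"),   # what the matrix would say
        "annual_probability": p,
        "expected_annual_loss": expected_annual_loss(p, loss_low, loss_high),
    }

if __name__ == "__main__":
    # Constructed data: 3 outages seen across 150 system-years at comparable sites,
    # plus two further independent dependencies with their own annual probabilities.
    p_platform = pooled_annual_prob(3, 150)
    result = compare([p_platform, 0.10, 0.20], loss_low=10_000, loss_high=1_000_000)
    for k, v in result.items():
        print(f"{k}: {v:,.2f}" if isinstance(v, float) else f"{k}: {v}")
```

The ordinal score is a single integer with nothing to compare it against, whereas the quantitative side yields an annual probability and an expected loss in currency, which can be set against the cost of a mitigation. Widening the loss interval or adding a dependency changes the answer in a way that can be explained and challenged, which is exactly what a scoring matrix cannot offer.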

Overall, this is a useful addition to any risk management library. It's not a methodology guide book, but it should help you recognize weaknesses in frequently used methods and (hopefully) find and adopt a better methodology of your own.

Michal Zalewski, No Starch Press, 2022

I'm not normally a fan of "prepping" books. The scenarios described are too unlikely and the proposed mitigations are often unrealistic and disproportionate.

A Mad Max style dystopian future won't occur next week, and before you prepare to fend off gangs of armed marauders attacking your underground nuclear bunker there are more mundane risks you should be prepared to survive.

Zalewski takes a wide view of risk, looking at disasters from personal to global. He assesses their likelihoods, and looks at what the practical measures are that we can take to prepare for them. I like the coverage here. There's everything from unexpected unemployment and falling off a ladder to hyperinflation and nuclear war. Each is treated thoughtfully with the respect it deserves.

In risk management everything is about trade-offs, and this book covers some trade-offs I had never considered. For example, every emergency plan suggests stockpiling some food to cope with disruption to supply. Food doesn't last forever, and whether it's a one week supply or a one year supply your stockpile needs to be managed so that it is still edible when you need it. One approach is to continually eat through and replenish your stockpile, thus ensuring it has a certain level of freshness; the other is to eat nicer (but more perishable) food and discard your stockpile at regular intervals. I've tried both by accident rather than design, and when presented as a choice, I know which I prefer.

Ultimately how likely you believe various threats are and what efforts you should personally take to mitigate them is your own decision. This book provides a good basis for clarifying those risks and making that decision.

Michael T. Osterholm PhD MPH and Mark Olshaker, Little, Brown Spark, 2017

Before the SARS-CoV-2 outbreak in 2019/2020, most government (and business) contingency planning was based around the idea of a novel influenza pandemic. The history of the flu pandemic in 1918 (which left tens of millions dead) is well known, and it's widely recognized that there is little to prevent a similar outbreak happening in future. There have been many less severe influenza pandemics (with perhaps a few million killed), but the annual seasonal flu epidemics (which kill around 400,000 people) tend to make it easy to accept the risk.

Although the risks from influenza are generally accepted (if not always fully understood and planned for), the possibility of other pandemics has always been there. This book, written two years before the Covid-19 pandemic, looks in detail at the risks from all the major families of infectious diseases, as well as of diseases yet to be discovered. It is based on the author's in-depth experience working on the prevention and management of infectious diseases since the first cases of HIV/AIDS were noticed through to the SARS and MERS outbreaks. As a result the author can explain clearly not only the characteristics of the diseases themselves, but also the public health measures required to identify outbreaks before they get out of control, and the subsequent steps needed to prevent the outbreak from spreading.

This book should be an essential read for anyone involved in public health policy or planning. It includes some key policy lessons which were learned "the hard way", and which are easily forgotten. In addition, anyone involved in business continuity or emergency planning would do well to consider the detailed scenario provided for a full scale flu pandemic: it includes many second and third order effects which are easily missed and have real consequences for government, businesses, and individuals. Did you fail to predict what would happen during the Covid-19 epidemic? You might not have if you had read this first.

I found this a fascinating read during the Covid-19 epidemic. Normally when I read this type of book I have to ask myself how good the author's predictions are likely to be. But when reading this with the benefit of hindsight the answer is easy: pretty damn good.

Andy Greenberg, Doubleday, 2022

Many people think that Bitcoin is synonymous with anonymity.

But that's not true. It's a public ledger of transactions between addresses. The addresses start out anonymous, but once they are used to buy or sell Bitcoin with real money on an exchange, pay for membership at a dark web site, collect a ransomware payment, etc. that anonymity leaks away. Even devices designed to increase anonymity (such as "tumblers") fall victim to statistical analysis.

Add in side-channel attacks (ever looked up a Bitcoin address on a helpful website? Mentioned a Bitcoin address in an email or chat?) and that anonymity is even weaker.

Andy Greenberg's book is a must read for anybody who uses Bitcoin or any other crypto-currency for anything other than pure speculation. It describes the investigative steps taken by law enforcement to track down the administrators and users of well-known dark web sites: the operational security mistakes, the software used, the organizations involved. (Even if you are only speculating on Bitcoin, you should read this book if you're not planning to declare anything for tax purposes!)

Other crypto-currencies, even those designed specifically to make tracing transactions more difficult, also have weak points. Greenberg has a limited discussion of what some of these weak points might be: the people who know the state of the art aren't revealing their cards.

A worrying end section in this book reminds us that not all uses of the claimed anonymity of Bitcoin are for illegal drug dealing or child sexual abuse material. There are also political groups, good or bad, using it for fund-raising where the backers or group members prefer anonymity for good or bad reasons. The same techniques (and software) can be used by bad people as well as good: we may cheer when a maker of child pornography is caught, but be less happy when a dissident is identified and executed.

Roger A. Grimes, Wiley, 2021

Ransomware is one of the most common threats faced by any company. While malicious software has always been a threat, the advent of cryptocurrencies gave criminals a viable means of cashing in once access to a system or network has been obtained. The threat from ransomware is both loss of data and exposure of data: pay us and you get your data back; don't pay us and we publish your data for all to see.

Backups help, but recovering data and systems takes time and money. Recent ransomware cases have put companies and organizations out of action for weeks or months. In addition, a common strategy of the attacker is to attempt to disable or corrupt backup tasks.

Roger Grimes' book is a comprehensive guide to ransomware. It covers methods of reducing and mitigating the risk, from prevention and cyber-insurance, through to detection, planning, response, and recovery. It also covers some legal aspects associated with paying a ransom, albeit from a US perspective.

Particularly useful is the short section "What Not To Do" which gives advice on common mistakes companies make when responding to a ransomware attack. It's worth having this book on hand and re-reading this chapter before making any response to a ransomware demand - particularly the reminder that the attacker may have been in your system for some time. Keep ransomware discussions offline where the attacker can't see them. Consider employing a professional negotiator who has handled ransomware incidents in the past. And never lie or insult your attacker: they may know more about the current state of your backups and your insurance policies than you do.
