

A ground-shaking exposé on the failure of popular cyber risk management methods

How to Measure Anything in Cybersecurity Risk exposes the shortcomings of current "risk management" practices, and offers a series of improvement techniques that help you fill the holes and ramp up security. In his bestselling book How to Measure Anything, author Douglas W. Hubbard opened the business world's eyes to the critical need for better measurement. This book expands upon that premise and draws from The Failure of Risk Management to sound the alarm in the cybersecurity realm. Some of the field's premier risk management approaches actually create more risk than they mitigate, and questionable methods have been duplicated across industries and embedded in products accepted as gospel. This book sheds light on these blatant risks, and provides alternate techniques that can help improve your current situation. You'll also learn which approaches are too risky to save, and are actually more damaging than a total lack of any security. Dangerous risk management methods abound; there is no industry more critically in need of solutions than cybersecurity. This book provides solutions where they exist, and advises when to change tracks entirely.

- Discover the shortcomings of cybersecurity's "best practices"
- Learn which risk management approaches actually create risk
- Improve your current practices with practical alterations
- Learn which methods are beyond saving, and worse than doing nothing

Insightful and enlightening, this book will inspire a closer examination of your company's own risk management practices in the context of cybersecurity. The end goal is airtight data protection, so finding cracks in the vault is a positive thing, as long as you get there before the bad guys do. How to Measure Anything in Cybersecurity Risk is your guide to more robust protection through better quantitative processes, approaches, and techniques.
| Best Sellers Rank | #402,396 in Books; #85 in Business Statistics; #190 in Statistics (Books) |
| Customer Reviews | 4.5 out of 5 stars (338 reviews) |
D**E
Remarkable book for everyone
I was assigned this as one of the texts for a graduate-level seminar in cybersecurity and cyberwarfare economic risk analysis. This book is remarkable in that it presents a clear framework for "non-mathies" to become statistically literate enough to debunk common misconceptions and move beyond the standard qualitative "stoplight chart" style risk matrix charts into true quantifiable probabilities. The authors hold the reader's hand each step of the way, beginning with a simple 3-step process to easily replace the standard stoplight risk matrix with actual quantifiable numbers. Fundamental points made by the authors include:

- Experts who claim some elements are purely qualitative and cannot be measured are simply wrong and haven't properly defined what they are trying to measure yet.
- "We don't have enough information to measure this" is a statement that refutes itself, because it claims there IS some threshold of measurement beyond which it can be "measured" -- implying it can be measured now since it can be compared to that imaginary threshold.
- Virtually everything we encounter in any situation has already been measured and has math models for predicting behavior; we just need to figure out what we are trying to measure and find the models for it.
- Claiming "there aren't enough samples for statistical significance" shows the person doesn't understand statistics -- a LOT of useful info can be gleaned from very small samples, and all we need to do is REDUCE uncertainty to be useful, not eliminate it.

The authors guide the reader through the entire process of building a gut-level intuition for basic statistical and probabilistic thinking and modeling, allowing readers to immediately stop using vague "hi/med/low" assessments (that are just as full of errors as any mathematical formulation) and start using quantifiable predictions that can be easily improved as more information becomes available.
A great leader once told me that we typically only have about 70% of the information we want to have when the time comes to make a decision. This book helps you increase that number before decision time runs out.
P**N
Interesting way of thinking differently about security problems especially during ...
Interesting way of thinking differently about security problems, especially at a time when most decisions are made without using quantitative analytics or the standard measuring methods that the insurance industry has been using to predict catastrophes and ROI.
A**R
Should be on the reading list of both cybersecurity and data protection professionals.
This book is a must-read not only for cybersecurity professionals but also for data privacy professionals. The foreword states that "you can't manage something that you cannot measure." The book then goes on to evaluate traditional approaches to measuring cybersecurity risk, proposes improvements to such approaches and introduces more effective approaches and techniques. These approaches and techniques apply not only to "perimeter defense" mechanisms and "access controls" traditionally associated with cybersecurity; they also apply to data use issues associated with data privacy versus cybersecurity. Recent changes in international data protection laws, which encompass both cybersecurity and data privacy, require that data be transformed into a "protect first" mode rather than remaining in "use first" mode where data remains vulnerable while in use. The new EU General Data Protection Regulation (GDPR), which goes into effect in 2018 and includes fines of up to 4% of global revenues for infractions, calls this "protect first" mode "Data Protection by Default." Data Protection by Default under the GDPR requires that techniques be applied at the earliest opportunity (e.g., by pseudonymizing data at the earliest opportunity) so that data use is limited to the minimum extent and time necessary to support a specific product or service as expressly authorized by a data subject. Data Protection by Default and other "protect first" data protection regimes will require effective measurement of risks so they can be effectively implemented and managed. For these reasons, this book should be on the reading list of both cybersecurity as well as data protection professionals.
T**H
Good book, if relatively short and of limited mathematical and domain depth.
The book is worth it even if you just consider it a counterbalance to the prevailing opinion that cybersecurity "stuff" can be rated 1-5 or low-med-high. The book champions an alternative that involves:

* making quantitative estimates,
* training your experts and calibrating their assessments, and
* merging quantitative estimates into models that can spit out real distributions of combined risk.

Challenges you to be more rigorous, as long as you are willing to be challenged. I have yet to employ these methods, but a good wake-up call that I am looking to put to good use. I would have hoped for more coverage of sources of data (this is a substantial problem, especially with emerging products), but the book does provide some good tips to get one started.
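The three steps this reviewer lists (quantitative estimates, calibrated expert ranges, and a model that combines them into a distribution of total risk) can be shown end to end with a small Monte Carlo simulation. The code below is an added example written for this page; it is not code from the book, the authors, or any reviewer. The risk register, the annual probabilities, the 90% confidence intervals and the risk-tolerance figures are constructed sample values, and the choice of a lognormal loss distribution fitted to the 5th/95th percentiles is an assumption of this example.

```python
import math
import random

# Constructed sample register (not from the book or the reviews): for each
# risk a calibrated expert supplies an annual probability that the event
# occurs and a 90% confidence interval (5th to 95th percentile) for the
# loss if it does. Values are illustrative only.
RISK_REGISTER = [
    {"name": "ransomware outage",       "p": 0.10, "low": 200_000, "high": 5_000_000},
    {"name": "cloud credential leak",   "p": 0.25, "low": 20_000,  "high": 800_000},
    {"name": "third-party data breach", "p": 0.05, "low": 500_000, "high": 20_000_000},
    {"name": "insider data theft",      "p": 0.03, "low": 50_000,  "high": 2_000_000},
]

Z90 = 1.645  # z-score of the 5th/95th percentiles of a standard normal


def lognormal_params(low, high):
    """Turn a 90% CI on the loss into (mu, sigma) of a lognormal distribution.

    Assumption of this example: the loss is lognormal, so log(loss) is
    normal with its 5th and 95th percentiles at log(low) and log(high).
    """
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def ci_from_params(mu, sigma):
    """Inverse of lognormal_params: the (5th, 95th) percentiles of the loss."""
    return math.exp(mu - Z90 * sigma), math.exp(mu + Z90 * sigma)


def simulate_year(register, rng):
    """One simulated year: each risk fires with its probability; losses add up."""
    total = 0.0
    for risk in register:
        if rng.random() < risk["p"]:
            mu, sigma = lognormal_params(risk["low"], risk["high"])
            total += rng.lognormvariate(mu, sigma)
    return total


def simulate(register, trials=10_000, seed=1):
    """Monte Carlo: a list of total annual losses, one per simulated year."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    return [simulate_year(register, rng) for _ in range(trials)]


def exceedance_probability(losses, threshold):
    """Share of simulated years whose total loss exceeds the threshold."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def loss_exceedance_curve(losses, thresholds):
    """(threshold, P(loss > threshold)) pairs: the loss exceedance curve."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


def tolerance_breaches(curve, tolerance):
    """Points of the curve above the accepted risk tolerance.

    `tolerance` maps a loss threshold to the largest exceedance probability
    the organisation is willing to accept at that threshold.
    """
    return [(t, p) for t, p in curve if t in tolerance and p > tolerance[t]]


if __name__ == "__main__":
    losses = simulate(RISK_REGISTER)
    thresholds = [100_000, 500_000, 1_000_000, 5_000_000, 10_000_000]
    curve = loss_exceedance_curve(losses, thresholds)
    print(f"expected annual loss: {sum(losses) / len(losses):,.0f}")
    for t, p in curve:
        print(f"P(annual loss > {t:>12,}) = {p:.3f}")
    # Constructed risk appetite: at most 10% chance of losing over 1M a year,
    # at most 2% chance of losing over 5M.
    tolerance = {1_000_000: 0.10, 5_000_000: 0.02}
    for t, p in tolerance_breaches(curve, tolerance):
        print(f"tolerance breached at {t:,}: {p:.3f} > {tolerance[t]:.2f}")
```

Replacing the stoplight matrix is then a matter of filling the register with calibrated estimates instead of "high/medium/low" labels; the exceedance curve compared against the tolerance curve is what the decision gets made on, and both sharpen as better data on frequencies and losses arrives.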
G**R
Great read, new addition to my cybersecurity canon
Highly recommend this book for anyone who works specifically in Risk Management. For all of us who were taught in formal education to create Risk Matrices using ordinal scales (High/Med/Low) for risk...we were wrong! As a professional field, we need to correct our ways and take advice from actuarial science to do so. Insurance and other business entities have already solved this problem - it's time we use their techniques to solve ours in Cybersecurity Risk. Great work by the authors by moving beyond theory and working to make the advice as practical as possible for the rest of us. Concepts introduced in the book can be put into play on the job tomorrow. Side note: Don't be intimidated by the stats-heavy portions of the book. The authors and editors have done well to dumb these concepts down enough for the rest of us. Aside from perhaps 3 pages, there is very little math required to implement most of the advice in this book.
M**V
It's in my library and I use it.
It's essentially a rehash of his previous book. Not bad, but a rehash. That being said, the book is in my library and it does have useful new analytical material. Particularly good is the explanation of the notion that mostly everything is some measure of something. Case in point: in a recent meeting I asked my colleagues to rate something Low Mod High. Someone objected that that was 'so subjective'. My reply was Yes, but at least we will know what people think subjectively, and also - you know - we can train to be better estimators...it's in the book and that's a major contribution. So, like I wrote to Mr. Hubbard when he rightly pushed back on my original 3 stars / re-hash but good review, he's correct: the book has a lot more than just a rehash; I stand corrected.
R**N
Required for risk management pros
Absolutely essential for participants in any risk management program who want to get beyond faking things up with 3 level matrices. Quantitative risk analysis requires accuracy, but not absolute precision. This book gives great practical examples and training for getting to as much accuracy as you need for a given application. Study it, and make better decisions for your program.
T**R
Interesting read, and very relevant to calculating Risk. ...
Interesting read, and very relevant to calculating Risk. I just wish he would have gone deeper into how to actually implement these models.
O**E
All
It was good
D**D
A bit generic
Read it and found some value but a little generic and simple. Still glad I read it
M**O
A great book without doubts
This book has changed several models in my mind. I like it so much because I started to study many new things about risks and about how to measure them. I do think that this book is mandatory for everybody who works in Cybersecurity, and also for those who work in Risk management.
M**8
New light on security risk management
A must read for anybody who wants to know much more on security risk management and qualitative approaches. I absolutely recommend this book.
E**O
EVERYTHING U NEED TO KNOW
amazing book !!