*How To Measure Anything: Finding the Value of “Intangibles” in Business*. For future books in this franchise, we were considering titles such as

*How To Measure Anything in Project Management*or industry specific books like

*How To Measure Anything in Healthcare*. All we had to do was pick a good idea from a long list of possibilities.

Cybersecurity risk seemed like an ideal first book for this new series. It is extremely topical and filled with measurement challenges that may often seem impossible. We also believe it is an extremely important topic for personal reasons (as we are credit card users and have medical records, client data, intellectual property, and so on) as well as for the economy as a whole.

Do current risk assessment methods in cybersecurity work? Recent big security breaches have forced business and government to question their validity. Is there a way to fix them? How can risk even be assessed in cybersecurity?

Find the answers to these questions and more in our introduction webinar, *How to Measure Anything in Cybersecurity Risk. *

This two-hour webinar will change how you view cybersecurity and give you the tools to begin finding these critical answers – and better protecting your organization. Click on the button below to learn more.

# Downloads for Examples and Exercises from the Book Below

Welcome to the website for *How to Measure Anything in Cybersecurity Risk*. This is where readers can come to download examples mentioned in the book. These downloads include spreadsheet examples of the calculations, “Power Tools” and additional calibration exercises.

## Chapter 3: Simple One-for-One Substitution Example

This spreadsheet contains examples for the “one-for-one substitution” model descrbed in Chapter 3. There are three tabs. The first tab shows how tables 3.2 3.3, and 3.4 are computed in the book. The second tab shows how we add “residual” risk so that we can plot the “loss exceedance curves” (LEC) as shown in figure 3.3. Finally, there is a tab showing how multiple portfolios can be added up to to make an aggregate LEC.

## Chapter 3: (Updated for 2nd Edition) Rapid Risk Audit and Simple Monte Carlo Example

As explained in Chapter 3 of How to Measure Anything in Cybersecurity Risk, the Rapid Risk Audit is a very basic, yet quantitative assessment of risks. Like qualititative methods such as the Risk Matrix, the inputs can be subjective. But although estimates may be subjective, the quantitative estimates avoid some of the errors introduced by risk matrices. This Rapid Risk Audit proposes a cause-effect taxonomy, but it could be used for any taxonomy. It will produce a total expected annual loss. But it can’t produce a probability of losing various amounts in total. For that, we need the next worksheet, the Monte Carlo simulation.

## Chapter 5: (Updated for 2nd Edition) HDR Cybersecurity Survey

This was the survey conducted in 2016 for the first edition of this book. Now we are making the entire survey free for downloads.

## Chapter 6: Decomposition of One-for-One Substitution Model

## Chapter 7: Calibration Questions

## Chapter 7: Expected Distribution of Calibration Answers

## Chapter 8: Bayesian Threat Intel Example

## Chapter 8: (Updated for 2nd Edition) Bayesian Multifactor Authentication

This is an example of how to use a Bayesian method to update the probability that Multifactor Authentication is working even with very limited observations.

## Chapter 9: Beta Dist Example for Three Industries

## Chapter 9: (Updated for 2nd Edition) Log Odds Ratios for Simple Lens and SME Aggregation

This spreadsheet has two worksheets. The first is the LOR example in Chapter 9 which provides a quick subsystem risk based on past Lens models created by HDR. The second worksheet shows how the estimates of two SMEs might be combined using a highly simplified LOR method.

## Chapter 9: Log Odds Ratio Example

## Appendix A: Selected Distributions

These are the calculations for Appendix A: Selected Distributions. There are several useful random distributions here that apply to a variety of different cybersecurity risks. The Binary (aka Bernoulli) produces a “1” or “0” (which can be used as “event occurred” or “event didn’t occur”). It applies to whether a security event such as a data breach occurred in the first place. The other distributions are more appropriate for types of impacts that result after an event occurs – such as a system outage, a number of records compromised, the costs of legal liabilities, and so on.

## Appendix A: (Updated for 2nd Edition) Probability Distributions in Excel

These are some basic probability distributions we often use in Excel. These include formulas for the random number generation. Histograms are plotted for each.