“Cybersecurity practitioners are overloaded with new threats, new vulnerabilities, new tools, and with constant pressure to keep pace with their organizations’ ever-changing needs. To address this complexity and variability, we need the knowledge, mechanisms, and means to accurately prioritize initiatives, measure risk, and evaluate proposed solutions. This book enables the reader to confidently move forward in a cybersecurity landscape that grows in complexity daily.”
Jason Chan, Former VP Information Security Netflix
“Companies can mitigate, transfer, or ignore their cyber risk. But in order to smartly manage it, CISOs must first quantify their risk. This book arms the CISO of the future with the tools needed to make business relevant decisions. These tools will empower leaders to build organizational cybersecurity resilience against an ever-changing cyber risk landscape.”
Vishaal “V8” Hariprasad, CEO, Resilience and Former Active Duty Cyber Effects Operations Officer, US Air Force
“How to Measure Anything in Cybersecurity Risk makes a strong case for quantifying what organizations are up against. This book is equally valuable for technical security practitioners, risk and compliance professionals as well as security leaders. It provides not only concepts but an essential roadmap for measuring risk, developing metrics, and determining return on investment. I recommend anyone looking for a scientific approach for measuring cybersecurity risk to take advantage of Doug Hubbard and Richard Seiersen’s expertise on this topic.”
Gerhard Eschelbeck, Former CISO at Google
Foreword by Daniel E. Geer, Jr., ScD, CISO, In-Q-Tel
“It is my pleasure to recommend How to Measure Anything in Cybersecurity Risk…. If you have any interest in taking care of yourself, of standing on your own two feet, of knowing where you are, then you owe it to yourself to exhaust this book. Its writing is clear, its pedagogy is straightforward, and its downloadable Excel spreadsheets leave no excuse for not trying.”
New Material For 2nd Edition!
Cybersecurity risk seemed like an ideal first book for this new series. It is extremely topical and filled with measurement challenges that may often seem impossible. We also believe it is an extremely important topic for personal reasons (as we are credit card users and have medical records, client data, intellectual property, and so on) as well as for the economy as a whole.
Do current risk assessment methods in cybersecurity work? Recent big security breaches have forced business and government to question their validity. Is there a way to fix them? How can risk even be assessed in cybersecurity?
Find the answers to these questions and more in our introduction webinar, How to Measure Anything in Cybersecurity Risk.
This two-hour webinar will change how you view cybersecurity and give you the tools to begin finding these critical answers – and better protecting your organization.
Downloads for Examples and Exercises from the Book Below
Welcome to the website for How to Measure Anything in Cybersecurity Risk. This is where readers can come to download examples mentioned in the book. These downloads include spreadsheet examples of the calculations, “Power Tools” and additional calibration exercises.
Chapter 3: Simple One-for-One Substitution Example
This spreadsheet contains examples for the “one-for-one substitution” model described in Chapter 3. There are three tabs. The first tab shows how Tables 3.2, 3.3, and 3.4 in the book are computed. The second tab shows how we add “residual” risk so that we can plot the loss exceedance curve (LEC) shown in Figure 3.3. Finally, there is a tab showing how multiple portfolios can be added up to make an aggregate LEC.
Chapter 3: (Updated for 2nd Edition) Rapid Risk Audit and Simple Monte Carlo Example
As explained in Chapter 3 of How to Measure Anything in Cybersecurity Risk, the Rapid Risk Audit is a very basic, yet quantitative, assessment of risks. As with qualitative methods such as the risk matrix, the inputs can be subjective. But even though the estimates are subjective, expressing them quantitatively avoids some of the errors introduced by risk matrices. This Rapid Risk Audit proposes a cause-effect taxonomy, but it could be used with any taxonomy. It produces a total expected annual loss, but it cannot produce the probability of losing various amounts in total. For that, we need the next worksheet, the Monte Carlo simulation.
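The distinction drawn above, between a single expected annual loss figure and a full distribution of annual losses, is easy to see in code. The following is an added Python example written for this page; it is not one of the book's spreadsheets and does not reproduce their layout or numbers. It assumes the common convention of describing each risk by an annual probability of occurrence plus a 90% confidence interval for the loss if it occurs, modelled as a lognormal, and the risk register values are constructed for illustration. The closed-form function gives the expected annual loss that a rapid audit stops at; the Monte Carlo function simulates whole years so that a loss exceedance curve (the probability of losing at least a given amount in a year) can be read off.

```python
import math
import random
from typing import Dict, List, Sequence, Tuple

# Constructed sample risk register (hypothetical values, not taken from the book).
# Each entry: annual probability the event occurs, and a 90% confidence interval
# (lower, upper) for the loss if it does.
SAMPLE_RISKS: List[Dict[str, float]] = [
    {"name": "Ransomware on file servers",     "p": 0.10, "lb": 200_000, "ub": 3_000_000},
    {"name": "Lost laptop with customer data", "p": 0.25, "lb": 20_000,  "ub": 400_000},
    {"name": "Web application breach",         "p": 0.05, "lb": 500_000, "ub": 8_000_000},
    {"name": "Cloud storage misconfiguration", "p": 0.15, "lb": 50_000,  "ub": 1_000_000},
]

Z90 = 2 * 1.645  # a 90% interval spans about 3.29 standard deviations


def lognormal_params(lb: float, ub: float) -> Tuple[float, float]:
    """Convert a 90% CI on a positive loss into lognormal (mu, sigma) in log space."""
    mu = (math.log(ub) + math.log(lb)) / 2
    sigma = (math.log(ub) - math.log(lb)) / Z90
    return mu, sigma


def expected_annual_loss(risks: Sequence[Dict[str, float]]) -> float:
    """Closed-form expected annual loss: sum of p * mean(lognormal) over the register.
    This single number is what a rapid audit produces; it says nothing about the tails."""
    total = 0.0
    for r in risks:
        mu, sigma = lognormal_params(r["lb"], r["ub"])
        total += r["p"] * math.exp(mu + sigma ** 2 / 2)  # mean of a lognormal
    return total


def simulate_annual_losses(risks: Sequence[Dict[str, float]],
                           trials: int = 10_000, seed: int = 1) -> List[float]:
    """Monte Carlo: each trial is one simulated year. A Bernoulli draw decides whether
    each event happens; if it does, its impact is drawn from the lognormal."""
    rng = random.Random(seed)
    losses: List[float] = []
    for _ in range(trials):
        year_total = 0.0
        for r in risks:
            if rng.random() < r["p"]:
                mu, sigma = lognormal_params(r["lb"], r["ub"])
                year_total += rng.lognormvariate(mu, sigma)
        losses.append(year_total)
    return losses


def loss_exceedance(losses: Sequence[float],
                    thresholds: Sequence[float]) -> List[Tuple[float, float]]:
    """Points on the loss exceedance curve: P(annual loss >= threshold) per threshold."""
    n = len(losses)
    return [(t, sum(1 for x in losses if x >= t) / n) for t in thresholds]


if __name__ == "__main__":
    print(f"Expected annual loss (analytic):  {expected_annual_loss(SAMPLE_RISKS):,.0f}")
    sims = simulate_annual_losses(SAMPLE_RISKS)
    print(f"Expected annual loss (simulated): {sum(sims) / len(sims):,.0f}")
    for threshold, prob in loss_exceedance(sims, [1, 100_000, 500_000, 1_000_000, 5_000_000]):
        print(f"P(loss >= {threshold:>9,}) = {prob:.3f}")
```

Two things the simulation shows that the expected-loss sum hides: the probability of any loss at all in a year is simply one minus the product of the non-occurrence probabilities (about 45% for the constructed register), and the curve's tail is driven almost entirely by the rare, wide-interval events, which is where a risk-tolerance line would be compared against it.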
Chapter 5: (Updated for 2nd Edition) HDR Cybersecurity Survey
This is the survey conducted in 2016 for the first edition of the book. We are now making the entire survey free to download.
Chapter 6: Decomposition of One-for-One Substitution Model
Chapter 7: Additional Calibration Questions
Additional calibration tests in case the tests in the book weren’t enough to get you fully calibrated.
Get the REAL calibration training here! HDR provides asynchronous training with self-paced videos so you can practice with proven methods, all while seeing your real-time calibration results on the calibrator dashboard. The data can even be used to optimize estimates on real-life problems with Team Calibrator!
Chapter 7: Expected Distribution of Calibration Answers
Chapter 8: Bayesian Threat Intel Example
Chapter 8: (Updated for 2nd Edition) Bayesian Multifactor Authentication
This is an example of how to use a Bayesian method to update the probability that multifactor authentication is working, even with very limited observations.
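The "very limited observations" problem is the textbook case for a Beta-binomial update, which the following added Python example demonstrates. It is not the spreadsheet linked above and makes no claim about how that workbook is built; it assumes the quantity of interest is the fraction of unauthorized login attempts that MFA actually stops, a Beta prior on that fraction, and a handful of constructed observations (for instance from an authorization test or from log review). The Beta CDF is integrated numerically so the script needs nothing beyond the standard library.

```python
import math
from typing import Tuple

BetaParams = Tuple[float, float]  # (alpha, beta)


def beta_update(prior: BetaParams, successes: int, failures: int) -> BetaParams:
    """Conjugate update: Beta(a, b) prior plus binomial observations gives Beta(a+s, b+f).
    Here a 'success' is an attempt MFA blocked, a 'failure' an attempt that got through."""
    a, b = prior
    return a + successes, b + failures


def beta_mean(params: BetaParams) -> float:
    a, b = params
    return a / (a + b)


def beta_cdf(x: float, params: BetaParams, steps: int = 4000) -> float:
    """P(theta <= x) for Beta(a, b) by midpoint integration of the density.
    Accurate enough for a, b >= 1, which is all this example uses."""
    a, b = params
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    log_norm = math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
    h = x / steps
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * h  # midpoint, so t is never exactly 0 or 1
        total += math.exp(log_norm + (a - 1) * math.log(t) + (b - 1) * math.log(1 - t))
    return total * h


def prob_at_least(threshold: float, params: BetaParams) -> float:
    """Posterior probability that the true effectiveness is at least `threshold`."""
    return 1.0 - beta_cdf(threshold, params)


def beta_quantile(q: float, params: BetaParams, tol: float = 1e-4) -> float:
    """Invert the CDF by bisection."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if beta_cdf(mid, params) < q:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def credible_interval(params: BetaParams, mass: float = 0.90) -> Tuple[float, float]:
    tail = (1.0 - mass) / 2
    return beta_quantile(tail, params), beta_quantile(1.0 - tail, params)


if __name__ == "__main__":
    # Constructed scenario: a flat Beta(1,1) prior, then five blocked attempts and no bypasses.
    prior: BetaParams = (1.0, 1.0)
    posterior = beta_update(prior, successes=5, failures=0)
    print(f"posterior Beta{posterior}: mean effectiveness {beta_mean(posterior):.3f}")
    print(f"P(effectiveness >= 0.90) = {prob_at_least(0.90, posterior):.3f}")
    lo, hi = credible_interval(posterior)
    print(f"90% credible interval: ({lo:.3f}, {hi:.3f})")
    # One observed bypass changes the picture noticeably with so little data.
    posterior2 = beta_update(posterior, successes=0, failures=1)
    print(f"after one bypass: mean {beta_mean(posterior2):.3f}, "
          f"P(>= 0.90) = {prob_at_least(0.90, posterior2):.3f}")
```

The point to take from the numbers: five clean observations push the posterior mean to about 0.86 but leave less than a 50% chance that effectiveness is above 90%, so a decision that depends on the control being highly effective is not yet supported; the credible interval makes the remaining uncertainty explicit instead of hiding it behind a point estimate.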
Chapter 9: Beta Dist Example for Three Industries
Chapter 9: (Updated for 2nd Edition) Log Odds Ratios for Simple Lens and SME Aggregation
This spreadsheet has two worksheets. The first is the LOR example in Chapter 9, which provides a quick subsystem risk estimate based on past Lens models created by HDR. The second worksheet shows how the estimates of two SMEs might be combined using a highly simplified LOR method.
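To make the second worksheet's idea concrete, here is an added Python example of one simplified log-odds-ratio combination; it is written for this page, not taken from the spreadsheet or from HDR's Lens models, and the exact form used in the workbook may differ. It assumes a shared baseline probability that every SME starts from, treats each SME's estimate as a shift in log-odds away from that baseline, sums the shifts, and converts back to a probability. Optional per-SME weights are an added convenience for discounting a less calibrated estimator.

```python
import math
from typing import Optional, Sequence

EPS = 1e-6  # keep probabilities strictly inside (0, 1) so the logit is finite


def logit(p: float) -> float:
    p = min(max(p, EPS), 1.0 - EPS)
    return math.log(p / (1.0 - p))


def inv_logit(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


def combine_estimates(baseline: float, estimates: Sequence[float],
                      weights: Optional[Sequence[float]] = None) -> float:
    """Combine several SMEs' probabilities via log-odds shifts from a common baseline.

    Each estimate contributes w * (logit(p) - logit(baseline)); the shifts are summed and
    added to the baseline's log-odds. Summing shifts implicitly assumes the SMEs are
    reacting to independent evidence, so two people repeating the same information
    will be double counted (see the note after the code)."""
    if weights is None:
        weights = [1.0] * len(estimates)
    if len(weights) != len(estimates):
        raise ValueError("one weight per estimate")
    base = logit(baseline)
    total = base + sum(w * (logit(p) - base) for p, w in zip(estimates, weights))
    return inv_logit(total)


if __name__ == "__main__":
    # Constructed numbers: baseline annual breach probability 10%, two SMEs each say 30%.
    baseline = 0.10
    print(f"both SMEs at 0.30, equal weight:  {combine_estimates(baseline, [0.30, 0.30]):.3f}")
    print(f"both SMEs at 0.30, half weights:  {combine_estimates(baseline, [0.30, 0.30], [0.5, 0.5]):.3f}")
    print(f"one at 0.30, one at 0.05:         {combine_estimates(baseline, [0.30, 0.05]):.3f}")
    print(f"both back at baseline:            {combine_estimates(baseline, [0.10, 0.10]):.3f}")
```

With equal weights, two SMEs who both raise the estimate to 30% push the combined value to about 62%, well above either individual view, because the method treats their agreement as two independent pieces of evidence; halving the weights reproduces a plain 30%. That sensitivity is the main caveat of any simple LOR aggregation: it is only as good as the independence assumption behind it.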
Chapter 9: Log Odds Ratio Example
Appendix A: Selected Distributions
These are the calculations for Appendix A: Selected Distributions. There are several useful random distributions here that apply to a variety of different cybersecurity risks. The Binary (a.k.a. Bernoulli) distribution produces a “1” or “0” (which can be read as “event occurred” or “event didn’t occur”). It applies to whether a security event such as a data breach occurred in the first place. The other distributions are more appropriate for the types of impact that follow once an event has occurred – such as the length of a system outage, the number of records compromised, the cost of legal liabilities, and so on.
Appendix A: (Updated for 2nd Edition) Probability Distributions in Excel
These are some basic probability distributions we often use in Excel. These include formulas for the random number generation. Histograms are plotted for each.