*How To Measure Anything: Finding the Value of “Intangibles” in Business*. For future books in this franchise, we were considering titles such as

*How To Measure Anything in Project Management*or industry specific books like

*How To Measure Anything in Healthcare*. All we had to do was pick a good idea from a long list of possibilities.

Cybersecurity risk seemed like an ideal first book for this new series. It is extremely topical and filled with measurement challenges that may often seem impossible. We also believe it is an extremely important topic for personal reasons (as we are credit card users and have medical records, client data, intellectual property, and so on) as well as for the economy as a whole.

# Downloads for Examples and Exercises from the Book Below

Welcome to the website for *How to Measure Anything in Cybersecurity Risk*. This is where readers can come to download examples mentioned in the book. These downloads include spreadsheet examples of the calculations, “Power Tools” and additional calibration exercises.

*Note: Some users may experience download issues while using Google Chrome.

Or try using Firefox, Internet Explorer, Edge, or another browser.

Contact us if the issue persists.

## Chapter 3: Simple One-for-One Substitution Example

This spreadsheet contains examples for the “one-for-one substitution” model described in Chapter 3. It has been updated with a new appearance and new features since the release of the book. There are three tabs. The first tab, ‘Risk Estimates’, shows how you can estimate likelihood and impact for risks. It also contains collapsed columns for adding controls to compute a residual risk. The second tab, ‘Loss Exceedance Curve’, displays the Inherent Loss and Loss Exceedance Tolerance curves, as well as total expected losses. There are collapsed columns that, when revealed, include the Residual Loss curve as well. Finally, there is a tab showing how multiple portfolios can be added up to to make an aggregate LEC.

## Chapter 6: Decomposition of One-for-One Substitution Model

This is a table showing the calculations used in Figure 6.1 of Chapter 6. This is one example of how further decomposition could be applied to the Simple One-For-One Substitution Example in chapter 3. As with the chapter 3 example, every time you hit F9 you get one more random example of the entire portfolio of security events. The reader is encouraged to use this example to develop different and more detailed decompositions of their own. We left off the data table to generate scenarios, risk mitigations and the histograms needed for Loss Exceedance Curves. All of this was shown in the Simple One-For-One Substitution Example and the reader is encouraged to try to add those elements to this model.## Chapter 7: Calibration Questions

Additional calibration tests in case the tests in the book weren’t enough to get you fully calibrated.## Chapter 7: Expected Distribution of Calibration Answers

These charts are not actually shown in the book but there is a reference in chapter 7 regarding how calibration answers should be distributed if, in fact, all of the test-takers were perfectly calibrated. The tables below show how the scores on the 90% CI test of a perfectly calibrated group would be distributed using the binom.dist() function in Excel for both the 10-question and 20-question tests function in Excel. In reality, uncalibrated groups of test takers will not fall mostly in the green areas as calibrated people do, but will fall mostly in the red areas, which indicate overconfidence.## Chapter 8: Bayesian Threat Intel Example

This is the major data breach example from chapter 8. The tables below contain the calculations necessary to compute the table on the right from the inputs in the table on the left (in yellow).## Chapter 9: Beta Dist Example for Three Industries

This shows how the beta distribution could be used to compare breach frequencies based on a few breaches in an industry. Data from 2014 to the end of 2015 is shown. You can set “alpha” and “beta” as shown in the book to reflect “hits” and “misses” (i.e., breaches and non-breaches per company per year) to see how the estimate of breach frequency will change with even a single new breach reported.## Chapter 9: Log Odds Ratio Example

This spreadsheet shows an example of how to use Log Odds Ratios (LOR) to apply several conditions to a single probability. This spreadsheet will estimate the conditional probability of a cybersecurity event given the aggregate effect of several conditions. Further details are given in the areas to the left below.