A start-to-finish guide for realistically measuring cybersecurity risk
In the newly revised How to Measure Anything in Cybersecurity Risk, Second Edition, a pioneering information security professional and a leader in quantitative analysis methods deliver another eye-opening text applying the quantitative language of risk analysis to cybersecurity. The authors demonstrate how to quantify uncertainty and show how to measure seemingly intangible goals. It is a practical guide to improving risk assessment with a straightforward framework.
Advanced methods and detailed advice for a variety of use cases round out the book, which also includes:

- A new "Rapid Risk Audit" for a first quick quantitative risk assessment.
- New research on the real impact of reputation damage.
- New Bayesian examples for assessing risk with little data.
- New material on simple measurement and estimation, pseudo-random number generators, and advice on combining expert opinion.

Dispelling long-held beliefs and myths about information security, How to Measure Anything in Cybersecurity Risk is an essential roadmap for IT security managers, CFOs, risk and compliance professionals, and even statisticians looking for new ways to apply quantitative techniques to cybersecurity.
I am a cybersecurity professional working primarily as a consultant to the Canadian federal government. The government has an information technology (IT) risk assessment methodology called the Harmonized Threat and Risk Assessment Methodology, or HTRA. Most modern definitions of IT risk, including the definition in this book, centre on the frequency or probability and the impact or magnitude of adverse events such as data breaches or denial-of-service attacks. The HTRA, however, assesses risk through a complicated "formula" involving a combination of factors that include asset value, threat severity, and vulnerability severity. These factors are presented using matrices, also known as heat maps, that show results in terms of an ordinal scale ranging from "Very Low" to "Very High".
Authors Douglas W. Hubbard and Richard Seiersen explain here how the risk-matrix/ordinal-scale approach is ineffective and may, in the worst case, actually add to errors in risk assessments. Instead, they argue in the book's first section, we should use probabilities and numerical estimates. They suggest actual numerical metrics that we can use instead of vague, poorly defined risk factors. In their second section, Hubbard and Seiersen explain how to use quantitative methods to assess IT security risk, starting from a model that's only slightly different from today's qualitative models. They propose a gradual evolution from today's methods based on guesses to one that is more grounded in data. Finally, they expand their approach into risk management, using numerical methods to assess and update our risk assessments and to validate the benefits and costs of our security controls.
There is math and statistics involved, but the math can be done with a basic spreadsheet. The book provides example formulas and has a companion website (http://www.howtomeasureanything.com/cybersecurity/#downloads) from which you can download the sample spreadsheets described in the book and see for yourself how to use Excel functions to forecast risk.
I believe it is very important that my profession move away from its old, ineffective methods and towards more mature, data-based measurements and forecasts. Risk management, ultimately, is about applying limited resources as effectively as we can to reduce our greatest risks to a tolerable level. This book goes a very long way towards showing us how to do that.
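To make the "frequency and impact" model that this review contrasts with heat maps concrete, here is an added worked example in Python. It is not the book's spreadsheet or the reviewer's code; it implements a plain Monte Carlo annual-loss model of the kind the review describes: each risk gets a probability that the event occurs in a year and an impact range, the impact range is treated as a 90% confidence interval of a lognormal distribution (a common modelling choice, assumed here), and the simulation produces an expected annual loss and a loss exceedance curve. The two risks, their probabilities and their impact ranges are constructed for illustration only.

```python
"""Monte Carlo annual-loss model with a loss exceedance curve.

Added example; the risks, probabilities and impact ranges below are
constructed for illustration and do not come from the book or any real data.
"""
import math
import random
import statistics
from dataclasses import dataclass

# z-score bounding the central 90% of a normal distribution (5th/95th percentiles)
Z90 = 1.6448536269514722


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # P(event occurs in a given year)
    impact_low: float          # 5th percentile of loss if it occurs (currency units)
    impact_high: float         # 95th percentile of loss if it occurs

    def lognormal_params(self):
        """Convert the 90% CI [low, high] into (mu, sigma) of ln(loss)."""
        if not (0 < self.impact_low < self.impact_high):
            raise ValueError("impact bounds must satisfy 0 < low < high")
        mu = (math.log(self.impact_low) + math.log(self.impact_high)) / 2
        sigma = (math.log(self.impact_high) - math.log(self.impact_low)) / (2 * Z90)
        return mu, sigma


def expected_annual_loss_analytic(risks):
    """Closed form: sum over risks of p * E[lognormal] = p * exp(mu + sigma^2 / 2)."""
    total = 0.0
    for r in risks:
        mu, sigma = r.lognormal_params()
        total += r.annual_probability * math.exp(mu + sigma ** 2 / 2)
    return total


def simulate_annual_losses(risks, trials=10_000, seed=1):
    """Return one total-loss figure per simulated year."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    params = [(r, *r.lognormal_params()) for r in risks]
    losses = []
    for _ in range(trials):
        year_total = 0.0
        for r, mu, sigma in params:
            if rng.random() < r.annual_probability:   # does the event happen this year?
                year_total += rng.lognormvariate(mu, sigma)  # how bad is it?
        losses.append(year_total)
    return losses


def percentile(losses, q):
    """Empirical q-quantile (0 <= q < 1) of the simulated losses."""
    s = sorted(losses)
    return s[min(len(s) - 1, int(q * len(s)))]


def loss_exceedance(losses, thresholds):
    """P(annual loss > threshold) for each threshold: the loss exceedance curve."""
    n = len(losses)
    return {t: sum(1 for x in losses if x > t) / n for t in thresholds}


def summarize(losses):
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "median": percentile(losses, 0.5),
        "p90": percentile(losses, 0.9),
        "p99": percentile(losses, 0.99),
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


# Constructed illustrative risks (not real figures).
EXAMPLE_RISKS = [
    Risk("customer data breach", annual_probability=0.10,
         impact_low=100_000, impact_high=10_000_000),
    Risk("ransomware outage", annual_probability=0.05,
         impact_low=250_000, impact_high=5_000_000),
]

if __name__ == "__main__":
    sims = simulate_annual_losses(EXAMPLE_RISKS, trials=20_000)
    for k, v in summarize(sims).items():
        print(f"{k:>20}: {v:,.0f}" if k != "p_any_loss" else f"{k:>20}: {v:.3f}")
    print("analytic EAL:", f"{expected_annual_loss_analytic(EXAMPLE_RISKS):,.0f}")
    for t, p in loss_exceedance(sims, [1e5, 1e6, 5e6]).items():
        print(f"P(loss > {t:,.0f}) = {p:.3f}")
```

The useful check is the last loop: a loss exceedance curve answers questions a "Medium" cell cannot, such as "what is the chance we lose more than 1 million this year?", which is exactly the number an insurance deductible or a control budget has to be compared against. The analytic expected loss is there to sanity-check the simulation; with a heavy-tailed lognormal the simulated mean converges slowly, so quoting percentiles is more stable than quoting the mean.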
My experience with this book is a double-edged sword. First, I thought it did a decent job of convincing the reader that qualitative terms like Low, Medium, and High are not cutting it in today's risk management programs. Leadership and the Board of Directors need the quantitative and monetary risk presentations that they receive in other areas. For example, we are allowing $10 million in fraud per year, or $10 million in account charge-offs. However, when it comes to cybersecurity, the general population is hesitant to say we expect $10 million in loss from breaches. This is odd, as one form of risk treatment is risk transference. Companies do sell cyber insurance, so how much cyber insurance does one buy for a "Medium" risk?
I struggled with parts of the book, as my own mathematics and statistical knowledge is not what it once was. A good understanding of statistics and probability is useful. The author presents several spreadsheets with formulas. You're going to have to tailor them to your environment, and you're going to want to have some background to understand what he is conveying. Personally, I went back and read some of my Probability for Dummies and Statistics for Dummies just to refresh my mind.
So why not five stars? My biggest complaint was that there was no exercise section. I think we all learn concepts with various tools. For me, a nicely laid out case study, showing step by step how to apply the concepts, would have been nice: taking each chapter and reinforcing it with an XYZ company migrating to the concepts in the book.
Honestly, this book is of limited value in my humble opinion. The authors spend most of the time making the case for their methods but it never feels like they are developed to the point of being practically usable. Maybe cutting out some of the criticism of existing methods and summarising things in a more concise way with an end to end example would have helped. Some items such as CVS are criticized but alternatives are not clearly advanced. Furthermore, I feel like the book was written to do a find and replace with any subject they feel like later. So much of the sentence structure is generic and not applied specifically to cybersecurity. I'm giving two stars because it is interesting for background reading.
Before reading this book, I was a risk management skeptic. I have enough background in probability and statistics to follow most of the mathematical discussion.
After reading this book, I am still not convinced that this is worth my time and effort. I think this *could* work in heavy industries like banking and insurance. However, for most cybersecurity professionals working in modern companies, I am not sure the ideas in this book are useful.
An additional star because there are some interesting discussions in this book.
I suspect this book is ludic fallacy top to bottom, and nice busywork if you are a large corporation that needs to occupy a small army of risk managers and other accountant-y types. Whether the stuff in this book is practically applicable and generates better results per effort than other approaches, I don't think so, but I would happily be proven wrong.
It is an interesting book, especially the second section, where Hubbard describes techniques and tools to apply to risk measurement. Most of these are also covered in the author's other book, "How To Measure Anything", but this book connects them directly with cybersecurity examples. However, the first section of the book disappointed me; I feel the author spends too many pages discussing the shortcomings of existing measurement techniques. I wish the book had covered the transition path to a systematic statistical method. Overall, the book is a good read if you are new to statistical techniques and probability theory, because Hubbard is very good at describing those fundamentals in very simple words and examples.
For me this opened a whole new field to study. Antivirus tests compare their efficiency against known malware (99.85%, 99.90%, etc.), but how does this translate to the actual situation: how secure is a company, and how much safer does each product make it? As a beginner in the field, I'd say that this book gives a good overview and some important points to think about. Though one must be ready to start learning about statistics, BI and analytics to use this knowledge in the real world.
First, this was just a good read on how to get started on quantifying and managing information security risk. If your organization needs some improvement in this area, start here.
Secondly, apparently I'm late to the game because this book is now on a dozen desks in my office and nobody told me it was all the rage!
The authors make a compelling case for measuring risk quantitatively, using statistical means of measuring uncertainty and handling sparse data. They also make a case against the much-used risk matrix and provide scenarios where a risk matrix isn't just inaccurate but is lying to us.
If you lead or manage cybersecurity risk this book is a must-read. The first section describes how you can improve risk assessment with almost no additional effort, avoiding common pitfalls, before proceeding in the second section to describe how to iteratively improve.
If you like long statistical formulas and risk measurements of things that will probably never happen, and want to know how much money is going to be thrown away to prevent something that might never happen, this book is for you.
Great as an introduction, but falls short of giving end-to-end examples. I would have appreciated it if more than one influence diagram had been presented. The appendices actually did a fair job of presenting case studies, but again, much more could be done.
The book mostly repeats the message of How to Measure Anything: Finding the Value of Intangibles in Business, now with a cybersecurity focus. The authors show how statistical methods help to bring understanding to cybersecurity even when historical data is not available. Very interesting information and models, which could help in cybersecurity management. This book makes you seriously doubt the current de facto risk analysis frameworks.
This didn't give me many new insights beyond the original "How to Measure Anything". However, the cyber examples were of value. I gave the first HTMA 5 stars. Without having read the first HTMA, I would rate this 4 or 5 stars.
Everyone working in software should read this book to get a good idea of how to think about risk not only around security but also other aspects of software engineering.