You are not alone! The number of people applying statistics to the security problem is increasing. More people are taking what may be considered sparse data and using it to make inferences about large risks. This is not to say “big data” and “data science” are excluded; rather, making actionable inferences using limited empirical data, beliefs, and simulations are increasingly important for informing strategy and even prioritizing tactical decisions. To that end, we have included a number of short papers from various researchers in industry and academia on this topic. Also, stay tuned to www.howtomeasureanything.com/cybersecurity, as we will be including more and more research like this on our book’s website.

Appendix B Contents

1. Aggregating Data Sources for Cyber Insights
   1. Jim Lipkis, Chuck Chan, and Thomas Lee
2. The Flaw of Averages in Cyber Security
   1. Sam Savage
3. Password Hacking
   1. Anton Mobley
4. Cyber-CI
   1. Douglas A. Samuelson
5. How Catastrophe Modeling Can Be Applied to Cyber Risk
   1. Scott Stransky and Tomas Girnius

Aggregating Data Sources for Cyber Insights

• Jim Lipkis, VP and GM at VivoSecurity Inc.
• Chuck Chan, chief researcher at VivoSecurity Inc.
• Thomas Lee, PhD, founder and CEO at VivoSecurity Inc.

Actuarial science provides a wellspring of metrics and insights that are invaluable for managing cybersecurity in a business context. Relevant historical data can be obtained from a wide variety of industry and government sources, and combining ...