Build a little. Test a little. Learn a lot.
—Rear Admiral Wayne Meyer,
Aegis Weapon System Program Manager
In this chapter we will propose a simple starting point for developing a quantitative risk assessment. Later, we will explore more detailed models (starting in Chapter 6) and more advanced methods (starting in Chapter 8). But for now we will start with a model that merely replaces the common risk matrix. It will simply be a way to capture subjective estimates of likelihood and impact, but do so probabilistically.
To make it work, we need to introduce a few methods. First, we need to introduce the idea of subjectively assessing probabilities, but we will defer the exercises to train you to do that until Chapter 7 (for now, hang in there). We will also introduce a very basic simulation method, and the work of actually building the simulation is mostly done for you. The example will be demonstrated with an Excel spreadsheet you can download from www.howtomeasureanything.com/cybersecurity.
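To make the "replace the risk matrix" idea concrete before the spreadsheet arrives, here is a small Monte Carlo simulation written for this edit in Python. It is an added example, not the downloadable Excel workbook and not code from the book's authors. Its assumptions are mine: each risk gets a probability of occurring in the period and a 90% confidence interval on the loss if it does; that loss is modelled as lognormal (so it is always positive and skewed toward large values); the risk register and its numbers are constructed for illustration. Only the Python standard library is used.

```python
"""Minimal Monte Carlo substitute for a likelihood/impact risk matrix.

Added example, not the spreadsheet the page points to. Assumptions (mine, not
the page's): each risk has a per-period probability of occurring and a 90%
confidence interval on the loss if it occurs; that loss is lognormal.
"""
import math
import random
from dataclasses import dataclass

Z90 = 1.644854  # standard-normal z for the ends of a 90% interval (5% and 95%)


@dataclass
class Risk:
    name: str
    probability: float   # chance the event occurs in the period (e.g. one year)
    impact_lb: float     # 90% CI lower bound on loss, given that it occurs
    impact_ub: float     # 90% CI upper bound on loss, given that it occurs


def lognormal_params(lb: float, ub: float) -> tuple[float, float]:
    """Turn a 90% CI [lb, ub] on a positive loss into the (mu, sigma) of the
    normal underlying a lognormal: ln(lb) and ln(ub) sit at mu -/+ Z90*sigma."""
    if not 0 < lb < ub:
        raise ValueError("need 0 < lower bound < upper bound")
    mu = (math.log(lb) + math.log(ub)) / 2
    sigma = (math.log(ub) - math.log(lb)) / (2 * Z90)
    return mu, sigma


def simulate_total_loss(risks, trials=10_000, seed=1):
    """Return one simulated total loss per trial.

    Each trial: for every risk, decide with its probability whether the event
    happens; if it does, draw a loss from its lognormal and add it to the total."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    params = [(r.probability, *lognormal_params(r.impact_lb, r.impact_ub)) for r in risks]
    totals = []
    for _ in range(trials):
        total = 0.0
        for p, mu, sigma in params:
            if rng.random() < p:
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals


def loss_exceedance(totals, thresholds):
    """Probability that total loss exceeds each threshold: the points of a
    loss exceedance curve, which is what replaces the matrix's colored cells."""
    n = len(totals)
    return {t: sum(1 for x in totals if x > t) / n for t in thresholds}


def percentile(totals, q):
    """q-th percentile (0..100) of the simulated totals, nearest-rank method."""
    s = sorted(totals)
    idx = min(len(s) - 1, max(0, math.ceil(q / 100 * len(s)) - 1))
    return s[idx]


# Constructed register: illustrative numbers, not measured data.
REGISTER = [
    Risk("Ransomware on file servers", 0.10, 50_000, 2_000_000),
    Risk("Credential phishing leading to payment fraud", 0.25, 5_000, 250_000),
    Risk("Cloud storage misconfiguration exposing records", 0.05, 100_000, 5_000_000),
]

if __name__ == "__main__":
    totals = simulate_total_loss(REGISTER, trials=20_000)
    print(f"mean annual loss: {sum(totals) / len(totals):,.0f}")
    print(f"90th percentile:  {percentile(totals, 90):,.0f}")
    for t, p in loss_exceedance(totals, [100_000, 1_000_000, 5_000_000]).items():
        print(f"P(loss > {t:>9,}) = {p:.3f}")
```

The only inputs are the same two judgments a risk matrix asks for, likelihood and impact, but expressed as a probability and a range rather than as ordinal scores. The output is a distribution of total loss, so "how likely is a year worse than a million dollars" gets a number instead of a color. Calibrating those subjective probabilities is deferred to Chapter 7, as the text says.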
When you are done with this chapter, you will have the foundation to build on for the rest of the book. Later, we will incrementally add further improvements. You will learn how to test your subjective assessments of probability and improve on them. You will learn how even a few observations can be used in mathematically sound ways to improve your estimates further. And you will learn how to improve ...