book

How to Measure Anything in Cybersecurity Risk, 2nd Edition

Name: How to Measure Anything in Cybersecurity Risk, 2nd Edition
ISBN: 9781119892304

by Douglas W. Hubbard, Richard Seiersen

April 2023

Intermediate to advanced

368 pages

10h 19m

English

Wiley

Audiobook available

Read now

Unlock full access

Cover
Title Page
Copyright
Dedication
Foreword for the Second Edition
Acknowledgments
Preface
Introduction
Why We Chose This TopicWhat Is This Book About?We Need More Than Technology
PART I: Why Cybersecurity Needs Better Measurements for Risk
CHAPTER 1: The One Patch Most Needed in Cybersecurity
Insurance: A Canary in the Coal MineThe Global Attack SurfaceThe Cyber Threat ResponseA Proposal for Cybersecurity Risk ManagementNotes

CHAPTER 2: A Measurement Primer for Cybersecurity
The Concept of MeasurementA Taxonomy of Measurement ScalesThe Object of MeasurementThe Methods of MeasurementNotes
CHAPTER 3: The Rapid Risk Audit
The Setup and TerminologyThe Rapid Audit StepsSome Initial Sources of DataThe Expert as the InstrumentSupporting the Decision: Return on ControlsDoing “Uncertainty Math”Visualizing Risk With a Loss Exceedance CurveWhere to Go from HereNotes
CHAPTER 4: The Single Most Important Measurement in Cybersecurity
The Analysis Placebo: Why We Can't Trust Opinion AloneHow You Have More Data than You ThinkWhen Algorithms Beat ExpertsTools for Improving the Human ComponentSummary and Next StepsNotes
CHAPTER 5: Risk Matrices, Lie Factors, Misconceptions, and Other Obstacles to Measuring Risk
Scanning the Landscape: A Survey of Cybersecurity ProfessionalsWhat Color Is Your Risk? The Ubiquitous—and Risky—Risk MatrixExsupero Ursus and Other FallaciesCommunication and Consensus ObjectionsConclusionNotes
PART II: Evolving the Model of Cybersecurity Risk
CHAPTER 6: Decompose It
Decomposing the Simple One‐for‐One Substitution ModelMore Decomposition Guidelines: Clear, Observable, UsefulA Hard Decomposition: Reputation DamageConclusionNotes
CHAPTER 7: Calibrated Estimates
Introduction to Subjective ProbabilityCalibration ExerciseMore Hints for Controlling OverconfidenceConceptual Obstacles to CalibrationThe Effects of CalibrationBeyond Initial Calibration Training: More Methods for Improving Subjective JudgmentNotesAnswers to Trivia Questions for Calibration Exercise
CHAPTER 8: Reducing Uncertainty with Bayesian Methods
A Brief Introduction to Bayes and Probability TheoryAn Example from Little Data: Does Multifactor Authentication Work?Other Ways Bayes AppliesNotes
CHAPTER 9: Some Powerful Methods Based on Bayes
Computing Frequencies with (Very) Few Data Points: The Beta DistributionDecomposing Probabilities with Many ConditionsReducing Uncertainty Further and When to Do ItMore Advanced Modeling ConsiderationsWrapping Up BayesNotes
PART III: Cybersecurity Risk Management for the Enterprise
CHAPTER 10: Toward Security Metrics Maturity
Introduction: Operational Security Metrics Maturity ModelSparse Data AnalyticsFunctional Security MetricsFunctional Security Metrics Applied: BOOM!Wait‐Time BaselinesSecurity Data MartsPrescriptive AnalyticsNotes
CHAPTER 11: How Well Are My Security Investments Working Together?
Security Metrics with the Modern Data StackModeling for Security Business IntelligenceAddressing BI ConcernsJust the Facts: What Is Dimensional Modeling, and Why Do I Need It?Dimensional Modeling Use Case: Advanced Data Stealing ThreatsModeling People ProcessesConclusionNotes
CHAPTER 12: A Call to Action
Establishing the CSRM Strategic CharterOrganizational Roles and Responsibilities for CSRMGetting Audit to AuditWhat the Cybersecurity Ecosystem Must Do to Support YouIntegrating CSRM with the Rest of the EnterpriseCan We Avoid the Big One?
APPENDIX A: Selected Distributions
Distribution Name: TriangularDistribution Name: BinaryDistribution Name: NormalDistribution Name: LognormalDistribution Name: BetaDistribution Name: Power Law
APPENDIX B: Guest Contributors
Appendix B Contents
Decision Analysis to Support Ransomware Cybersecurity Risk Management
Bayesian Networks: One Solution for Specific Challenges in Building ML Systems in Cybersecurity
The Flaw of Averages in Cyber Security
Password Hacking
How Catastrophe Modeling Can Be Applied to Cyber Risk
Index
End User License Agreement

Overview

A start-to-finish guide for realistically measuring cybersecurity risk

In the newly revised How to Measure Anything in Cybersecurity Risk, Second Edition, a pioneering information security professional and a leader in quantitative analysis methods delivers yet another eye-opening text applying the quantitative language of risk analysis to cybersecurity. In the book, the authors demonstrate how to quantify uncertainty and shed light on how to measure seemingly intangible goals. It's a practical guide to improving risk assessment with a straightforward and simple framework.

Advanced methods and detailed advice for a variety of use cases round out the book, which also includes:

A new "Rapid Risk Audit" for a first quick quantitative risk assessment.
New research on the real impact of reputation damage
New Bayesian examples for assessing risk with little data
New material on simple measurement and estimation, pseudo-random number generators, and advice on combining expert opinion

Dispelling long-held beliefs and myths about information security, How to Measure Anything in Cybersecurity Risk is an essential roadmap for IT security managers, CFOs, risk and compliance professionals, and even statisticians looking for novel new ways to apply quantitative techniques to cybersecurity.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

How to Measure Anything in Cybersecurity Risk, 2nd Edition

Publisher Resources

ISBN: 9781119892304Purchase Link

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills