Everything's fine today, that is our illusion.

—Voltaire, 1759¹

In a single year, cyberattacks resulted in one billion records compromised and financial losses of $400 billion.² This led Forbes Magazine to declare it “The Year of the Mega Data Breach.”^3,4 Soon afterward, the head of the largest insurer, Lloyd's of London—a marketplace for a collection of insurance companies, reinsurance companies, and other types of financial backers—said cybersecurity is the “biggest, most systemic risk” he has seen in his 42 years in insurance.⁵ The year of that article was 2014. A lot has happened since then.

By multiple measures, cybersecurity risk has been increasing every year since 2014. For example, records breached in 2021 were, according to one source, 22 times as high as 2014.⁶ It hasn't peaked. We will only become more dependent on—and more vulnerable to—the technologies that drive our prosperity. We can try to reduce these risks, but resources are limited. To management, these risks may seem abstract, especially if they haven't experienced these losses directly. And yet we need to convince management, in their language, that these issues require their attention and a significant budget. Once we have that, we can try to identify and address higher priority risks first.

The title of this book is self‐explanatory. We will talk about how we can measure risks in cybersecurity and why it is important to change how we currently do ...