How to Measure Anything in Cybersecurity Risk, 2nd Edition
by Douglas W. Hubbard, Richard Seiersen
CHAPTER 6 Decompose It: Unpacking the Details
The everyday meanings of most terms contain ambiguities significant enough to render them inadequate for careful decision analysis.
—Ron Howard, Father of Decision Analysis
Recall the cybersecurity analyst mentioned in Chapter 5 whose estimate of a loss was “$0 to $500 million” and who worried how upper management would react to such an uninformative range. Of course, if losses of that size really were a possibility, it would be wrong to hide them from upper management. Fortunately, there is an alternative to reporting a range that wide: just decompose it. Surely a risk of that magnitude would justify at least a little more analysis.
Impact usually starts out as a list of unidentified and undefined outcomes. Refining this is just a matter of understanding the object of measurement as discussed in Chapter 2. That is, we have to figure out what we are measuring by defining it better. In this chapter, we discuss how to break up an ambiguous pile of outcomes into at least a few major categories of impacts.
In Chapter 3 we showed how to build a simple quantitative model that makes one-for-one replacements for the steps of the familiar risk matrix, using quantitative methods in place of ordinal scores. That model is a very simple baseline, which we can make more detailed through decomposition. In Chapter 4 we discussed research showing that decomposing an uncertain quantity helps most when the uncertainty is greatest—as is usually the case in cybersecurity. Now, we will exploit the benefits of ...
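As an added illustration of what "decompose it" means in practice (this is example code, not from the book), the single "$0 to $500 million" range is replaced by a few impact categories, each with its own 90% confidence interval. Each interval is mapped to a lognormal distribution (a common choice for loss magnitudes, since they cannot be negative and have a long right tail), the categories are summed in a Monte Carlo simulation, and the percentiles of the total are reported. The category names and dollar bounds are constructed for the example and are not figures from the book.

```python
import math
import random
from statistics import NormalDist

# z-score bounding a two-sided 90% interval (about 1.645)
Z90 = NormalDist().inv_cdf(0.95)


def lognormal_params(lower, upper):
    """Return (mu, sigma) of a lognormal whose 90% CI is [lower, upper].

    The lognormal's median is the geometric mean of the bounds, and the
    log-space spread is set so that the bounds sit at the 5th and 95th
    percentiles. Bounds must be strictly positive (a lognormal cannot
    reach zero; use a small positive lower bound for "almost nothing").
    """
    if not (0 < lower < upper):
        raise ValueError("bounds must satisfy 0 < lower < upper")
    mu = (math.log(lower) + math.log(upper)) / 2
    sigma = (math.log(upper) - math.log(lower)) / (2 * Z90)
    return mu, sigma


# Constructed decomposition of one breach's impact into impact categories.
# Each value is a calibrated 90% CI in dollars for that category alone
# (assumed numbers, chosen for illustration only).
COMPONENTS = {
    "investigation_and_remediation": (50_000, 2_000_000),
    "notification_and_credit_monitoring": (20_000, 5_000_000),
    "regulatory_fines_and_legal": (10_000, 20_000_000),
    "business_interruption": (25_000, 10_000_000),
}


def simulate_total_loss(components, trials=20_000, seed=1):
    """Draw each category from its lognormal and sum per trial.

    Returns the sorted list of simulated totals. A fixed seed keeps the
    run reproducible; change it to see sampling variation.
    """
    rng = random.Random(seed)
    params = [lognormal_params(lo, hi) for lo, hi in components.values()]
    totals = []
    for _ in range(trials):
        totals.append(sum(rng.lognormvariate(mu, sigma) for mu, sigma in params))
    totals.sort()
    return totals


def percentile(sorted_values, q):
    """Nearest-rank percentile of an already sorted list (0 <= q <= 1)."""
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def summarize(components, trials=20_000, seed=1):
    """Return the 5th/50th/95th percentiles and mean of the total loss."""
    totals = simulate_total_loss(components, trials, seed)
    return {
        "p05": percentile(totals, 0.05),
        "p50": percentile(totals, 0.50),
        "p95": percentile(totals, 0.95),
        "mean": sum(totals) / len(totals),
    }


if __name__ == "__main__":
    summary = summarize(COMPONENTS)
    for key, value in summary.items():
        print(f"{key:>5}: ${value:,.0f}")
```

The decomposed total's 90% interval is far narrower than "$0 to $500 million" because each category is something the analyst can actually reason about, and the sum of several moderately uncertain quantities is less uncertain in relative terms than a single guess at the whole. The mean will sit well above the median, which is the lognormal tail at work and is exactly the kind of information a flat range hides from management.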