Textbook in PDF format

A start-to-finish guide for realistically measuring cybersecurity risk.
In the newly revised How to Measure Anything in Cybersecurity Risk, Second Edition , a pioneering information security professional and a leader in quantitative analysis methods delivers yet another eye-opening text applying the quantitative language of risk analysis to cybersecurity. In the book, the authors demonstrate how to quantify uncertainty and shed light on how to measure seemingly intangible goals. It's a practical guide to improving risk assessment with a straightforward and simple framework.
Advanced methods and detailed advice for a variety of use cases round out the book, which also includes:
A new “Rapid Risk Audit” for a first quick quantitative risk assessment.
New research on the real impact of reputation damage
New Bayesian examples for assessing risk with little data
New material on simple measurement and estimation, pseudo-random number generators, and advice on combining expert opinion
Dispelling long-held beliefs and myths about information security, How to Measure Anything in Cybersecurity Risk is an essential roadmap for IT security managers, CFOs, risk and compliance professionals, and even statisticians looking for novel new ways to apply quantitative techniques to cybersecurity.
We don't expect our readers to be risk management experts or cybersecurity experts. The methods we apply to security can be applied to many other areas. Of course, we do hope it will make those who work in the field of cybersecurity better defenders and strategists. We also hope it will make the larger set of leaders more conscious of security risks in the process of becoming better decision makers.
If you really want to be sure this book is for you, here are the specific personas we are targeting:
• You are a decision maker looking to improve—that is, measurably improve—your high?stakes decision making.
• You are a security professional looking to become more strategic in your fight against the bad guys.
• You are neither of the above. Instead, you have an interest in understanding more about cybersecurity and/or risk management using readily accessible quantitative techniques.
• If you are a hard?core quant, consider skipping the purely quant parts. If you are a hard?core hacker, consider skipping the purely security parts. That said, we will often have a novel perspective, or “epiphanies of the obvious,” on topics you already know well. Read as you see fit.
Introduction
PART I WHY CYBERSECURITY NEEDS BETTER MEASUREMENTS FOR RISK
CHAPTER 1 The One Patch Most Needed in Cybersecurity
CHAPTER 2 A Measurement Primer for Cybersecurity
CHAPTER 3 The Rapid Risk Audit: Starting With a Simple Quantitative Risk Model
CHAPTER 4 The Single Most Important Measurement in Cybersecurity
CHAPTER 5 Risk Matrices, Lie Factors, Misconceptions, and Other Obstacles to Measuring Risk
PART II EVOLVING THE MODEL OF CYBERSECURITY RISK
CHAPTER 6 Decompose It: Unpacking the Details
CHAPTER 7 Calibrated Estimates: How Much Do You Know Now?
CHAPTER 8 Reducing Uncertainty with Bayesian Methods
CHAPTER 9 Some Powerful Methods Based on Bayes
PART III CYBERSECURITY RISK MANAGEMENT FOR THE ENTERPRISE
CHAPTER 10 Toward Security Metrics Maturity
CHAPTER 11 How Well Are My Security Investments Working Together?
CHAPTER 12 A Call to Action: How to Roll Out Cybersecurity Risk Management
APPENDIX A Selected Distributions
APPENDIX B Guest Contributors