How to Measure Anything in Cybersecurity Risk

Informationen zum Autor DOUGLAS W. HUBBARD is the inventor of the Applied Information Economics (AIE) method and the founder of Hubbard Decision Research. He is an internationally recognized expert in the area of decision analysis.RICHARD SEIERSEN is the Chief Risk Officer of Resilience, a cyberinsurance firm. He is the former Chief Information Security Officer at LendingClub, Twilio, and GE Healthcare and Co-founder of the cloud native security company Soluble - sold to Lacework in 2021. Klappentext A start-to-finish guide for realistically measuring cybersecurity riskIn the newly revised How to Measure Anything in Cybersecurity Risk, Second Edition, a pioneering information security professional and a leader in quantitative analysis methods delivers yet another eye-opening text applying the quantitative language of risk analysis to cybersecurity. In the book, the authors demonstrate how to quantify uncertainty and shed light on how to measure seemingly intangible goals. It's a practical guide to improving risk assessment with a straightforward and simple framework.Advanced methods and detailed advice for a variety of use cases round out the book, which also includes: A new "Rapid Risk Audit" for a first quick quantitative risk assessment. New research on the real impact of reputation damage New Bayesian examples for assessing risk with little data New material on simple measurement and estimation, pseudo-random number generators, and advice on combining expert opinionDispelling long-held beliefs and myths about information security, How to Measure Anything in Cybersecurity Risk is an essential roadmap for IT security managers, CFOs, risk and compliance professionals, and even statisticians looking for novel new ways to apply quantitative techniques to cybersecurity. Zusammenfassung A start-to-finish guide for realistically measuring cybersecurity riskIn the newly revised How to Measure Anything in Cybersecurity Risk, Second Edition, a pioneering information security professional and a leader in quantitative analysis methods delivers yet another eye-opening text applying the quantitative language of risk analysis to cybersecurity. In the book, the authors demonstrate how to quantify uncertainty and shed light on how to measure seemingly intangible goals. It's a practical guide to improving risk assessment with a straightforward and simple framework.Advanced methods and detailed advice for a variety of use cases round out the book, which also includes: A new "Rapid Risk Audit" for a first quick quantitative risk assessment. New research on the real impact of reputation damage New Bayesian examples for assessing risk with little data New material on simple measurement and estimation, pseudo-random number generators, and advice on combining expert opinionDispelling long-held beliefs and myths about information security, How to Measure Anything in Cybersecurity Risk is an essential roadmap for IT security managers, CFOs, risk and compliance professionals, and even statisticians looking for novel new ways to apply quantitative techniques to cybersecurity. Inhaltsverzeichnis Foreword for the Second Edition Jack Jones ixAcknowledgments xiiiPreface xvIntroduction 1Part I Why Cybersecurity Needs Better Measurements for Risk 5Chapter 1 The One Patch Most Needed in Cybersecurity 7Chapter 2 A Measurement Primer for Cybersecurity 21Chapter 3 The Rapid Risk Audit: Starting With a Simple Quantitative Risk Model 43Chapter 4 The Single Most Important Measurement in Cybersecurity 73Chapter 5 Risk Matrices, Lie Factors, Misconceptions, and Other Obstacles to Measuring Risk 101Part II Evolving the Model of Cybersecurity Risk 133Chapter 6 Decompose It: Unpacking the Details 135Chapter 7 Calibrated Estimates: How Much Do You Know Now? 155Chapter 8 Reducing Uncertainty with Bayesian Methods 183Chapter 9 Some Powerful Methods Based on Bayes 193Part II...

Auteur

DOUGLAS W. HUBBARD is the inventor of the Applied Information Economics (AIE) method and the founder of Hubbard Decision Research. He is an internationally recognized expert in the area of decision analysis. RICHARD SEIERSEN is the Chief Risk Officer of Resilience, a cyberinsurance firm. He is the former Chief Information Security Officer at LendingClub, Twilio, and GE Healthcare and Co-founder of the cloud native security company Soluble - sold to Lacework in 2021.

Texte du rabat

Praise for HOW TO MEASURE ANYTHING IN CYBERSECURITY RISK, SECOND EDITION "Whether you are a quantified risk skeptic or fan, this book will teach you new ways to think about the problem. I consider it mandatory reading for our field."
-John "Four" Flynn, CISO, Amazon Stores "This book arms the CISO of the future with the tools needed to make business relevant decisions. These tools will empower leaders to build organizational cybersecurity resilience against an ever-changing cyber risk landscape."
- Vishaal "V8" Hariprasad, CEO, Resilience and Former Active Duty Cyber Effects Operations Officer, U.S. Air Force "I recommend anyone looking for a scientific approach for measuring cybersecurity risk to take advantage of Doug Hubbard and Richard Seiersen's expertise on this topic."
-Gerhard Eschelbeck, Former CISO, Google "Cybersecurity practitioners are overloaded with new threats, new vulnerabilities, new tools, and with constant pressure to keep pace with the ever-changing needs of their organizations. To address this complexity and variability, we need the knowledge, mechanisms, and means to accurately prioritize initiatives, measure risk, and evaluate proposed solutions. This book enables the reader to confidently move forward in a cybersecurity landscape that grows in complexity daily."
-Jason Chan, Former VP, Information Security, Netflix "For quantifying cybersecurity risks, Doug Hubbard and Richard Seiersen are the proven thought leaders. The methods they describe are powerful, practical and I have used them many times in difficult measurement problems to support decisions. Everyone in cybersecurity should apply these insights."
-Nick Shevelyov, Former CISO of Silicon Valley Bank

Contenu

Foreword for the Second Edition Jack Jones ix

Acknowledgments xiii

Preface xv

Introduction 1

Part I Why Cybersecurity Needs Better Measurements for Risk 5

Chapter 1 The One Patch Most Needed in Cybersecurity 7

Chapter 2 A Measurement Primer for Cybersecurity 21

Chapter 3 The Rapid Risk Audit: Starting With a Simple Quantitative Risk Model 43

Chapter 4 The Single Most Important Measurement in Cybersecurity 73

Chapter 5 Risk Matrices, Lie Factors, Misconceptions, and Other Obstacles to Measuring Risk 101

Part II Evolving the Model of Cybersecurity Risk 133

Chapter 6 Decompose It: Unpacking the Details 135

Chapter 7 Calibrated Estimates: How Much Do You Know Now? 155

Chapter 8 Reducing Uncertainty with Bayesian Methods 183

Chapter 9 Some Powerful Methods Based on Bayes 193

Part III Cybersecurity Risk Management for the Enterprise 231

Chapter 10 Toward Security Metrics Maturity 233

Chapter 11 How Well Are My Security Investments Working Together? 257

Chapter 12 A Call to Action: How to Roll Out Cybersecurity Risk Management 277

Appendix A Selected Distributions 289

Appendix B Guest Contributors 297

Index 327