DOUGLAS W. HUBBARD is the inventor of Applied Information Economics (AIE), an internationally recognized expert in measurement and quantitative decision analysis, and best-selling author of How to Measure Anything, Third Edition, and The Failure of Risk Management. RICHARD SEIERSEN is general manager of Cyber Security & Privacy at GE Healthcare. He has more than twenty years of experience in such areas as cybersecurity; governance, risk and compliance (GRC); and analytics.
Foreword Daniel E. Geer, Jr. ix Foreword Stuart McClure xi Acknowledgments xiii About the Authors xv Introduction 1 PART I WHY CYBERSECURITY NEEDS BETTER MEASUREMENTS FOR RISK 5 CHAPTER 1 The One Patch Most Needed in Cybersecurity 7 CHAPTER 2 A Measurement Primer for Cybersecurity 19 CHAPTER 3 Model Now!: An Introduction to Practical Quantitative Methods for Cybersecurity 35 CHAPTER 4 The Single Most Important Measurement in Cybersecurity 55 CHAPTER 5 Risk Matrices, Lie Factors, Misconceptions, and Other Obstacles to Measuring Risk 81 PART II EVOLVING THE MODEL OF CYBERSECURITY RISK 111 CHAPTER 6 Decompose It: Unpacking the Details 113 CHAPTER 7 Calibrated Estimates: How Much Do You Know Now ? 133 CHAPTER 8 Reducing Uncertainty with Bayesian Methods 157 CHAPTER 9 Some Powerful Methods Based on Bayes 169 PART III CYBERSECURITY RISK MANAGEMENT FOR THE ENTERPRISE 197 CHAPTER 10 Toward Security Metrics Maturity 199 CHAPTER 11 How Well Are My Security Investments Working Together? 213 CHAPTER 12 A Call to Action: How to Roll Out Cybersecurity Risk Management 229 APPENDIX A Select Distributions 239 APPENDIX B Guest Contributors 247 Index 269