When we wrote the first edition of this book, we were cautiously optimistic about how well it would do. Some constructive criticisms of popular methods were long past due. We knew a lot of published research showed that although the ubiquitous risk matrix provided a kind of placebo effect and increased confidence in decision making, it actually harmed the quality of decision making.

The book quickly exceeded our expectations in terms of demand and the influence it has had on the content of training and standards in cybersecurity. Consequently, the publisher, Wiley, wanted to capitalize on this demand with a second edition.

A lot has happened in cybersecurity in the six years since the first edition was published. There have been new major cyberattacks and new threats have appeared. Ransomware was not perceived to be nearly as much a threat in 2016 as it is now. But there will always be a new threat, and there will always be new technologies developed in an attempt to reduce these risks. Any book about cyber risk that only addresses current problems and technical solutions will need to be rewritten much more frequently than once every few years.

So, if the only changes were technical details of threats and solutions, then a new edition would not be required. We felt it was time to write a new edition because we realize that some organizations need quicker, simpler solutions to quantify cybersecurity risks. At the same time, others are ready for a little more depth in the methods. In this edition we have attempted to provide more for both audiences.