Introduction

Why We Chose This Topic

The first edition of this book was planned to be the first of a series of spinoffs from Douglas Hubbard's successful first book, How to Measure Anything: Finding the Value of “Intangibles” in Business. For future books in this franchise, we were considering titles such as How to Measure Anything in Project Management or industry‐specific books such as How to Measure Anything in Health Care. All we had to do was pick a good idea from a long list of possibilities.

Cybersecurity risk seemed like an ideal first book for this new series. It is extremely topical and filled with measurement challenges that may often seem impossible. We also believe it is an extremely important topic for personal reasons (as we are credit card users and have medical records, client data, intellectual property, and so on) as well as for the economy as a whole. The success of the first edition is why we chose to write another edition instead of exploring another How to Measure Anything topic outside of cybersecurity risk.

Another factor in choosing a topic was finding the right co‐author. Because Doug Hubbard—a generalist in measurement methods—would not be a specialist in any of the particular potential spinoff topics, he planned to find a co‐author who could write authoritatively on the topic. Hubbard was fortunate to find an enthusiastic volunteer in Richard Seiersen—someone with years of experience in the highest levels of cybersecurity management with some of the largest organizations.

So with a topical but difficult measurement subject, a broad and growing audience, and a good co‐author, cybersecurity seemed like an ideal fit.

What Is This Book About?

Even though this book focuses on cybersecurity risk, it still has a lot in common with the original How to Measure Anything book, including:

  • Making better decisions when you are significantly uncertain about the present and future; and
  • Reducing that uncertainty even when data seems unavailable or the targets of measurement seem ambiguous and intangible.

This book in particular offers an alternative to a set of deeply rooted risk assessment methods now widely used in cybersecurity but that have no basis in the mathematics of risk or scientific method. We argue that these methods impede decisions about a subject of growing criticality. We also argue that methods based on real evidence of improving decisions are not only practical but already have been applied to a wide variety of equally difficult problems, including cybersecurity itself. We will show that we can start at a simple level and then evolve to whatever level is required while avoiding problems inherent to risk matrices and risk scores. So there is no reason not to adopt better methods immediately.

In this book, you should expect a gentle introduction to measurably better decision making—specifically, improvement in high‐stakes decisions that have a lot of uncertainty and where, if you are wrong, your decisions could lead to catastrophe. We think security embodies all of these concerns.

We don't expect our readers to be risk management experts or cybersecurity experts. The methods we apply to security can be applied to many other areas. Of course, we do hope it will make those who work in the field of cybersecurity better defenders and strategists. We also hope it will make the larger set of leaders more conscious of security risks in the process of becoming better decision makers.

If you really want to be sure this book is for you, here are the specific personas we are targeting:

  • You are a decision maker looking to improve—that is, measurably improve—your high‐stakes decision making.
  • You are a security professional looking to become more strategic in your fight against the bad guys.
  • You are neither of the above. Instead, you have an interest in understanding more about cybersecurity and/or risk management using readily accessible quantitative techniques.
  • If you are a hard‐core quant, consider skipping the purely quant parts. If you are a hard‐core hacker, consider skipping the purely security parts. That said, we will often have a novel perspective, or “epiphanies of the obvious,” on topics you already know well. Read as you see fit.

We Need More Than Technology

We need to lose less often in the fight against the bad guys. Or, at least, lose more gracefully and recover more quickly. Many feel that this requires better technology. We clamor for more innovation from our vendors in the security space even though breach frequency has not been reduced. To effectively battle security threats, we think there is something equally important as innovative technology, if not more important. We believe that “something” must include a better way to think quantitatively about risk.

We need decision makers who consistently make better choices through better analysis. We also need decision makers who know how to deftly handle uncertainty in the face of looming catastrophe. Parts of this solution are sometimes referred to with current trendy terms such as “predictive analytics,” but more broadly this includes all of decision science or decision analysis and even properly applied statistics.

In order to help decision makers with this task, we hope this book will explain why we should be skeptical of many current methods, how quantitative methods (even some very simple ones) improve the situation, and how to scale and evolve the solution.
