Book Review: "How To Measure Anything in Cybersecurity Risk"
"How To Measure Anything in Cybersecurity Risk" by Douglas W. Hubbard and Richard Seiersen is a hard-hitting book on modern professional cyber security. It takes a data-driven approach to assessing risk in the field of cyber security, from the perspective of statistics and probability analysis. It throws out many of the traditional cyber security methods of calculating risk (such as the risk matrix) and presents more tenured methods of risk analysis and loss estimation (probability theory). I listened to the book on Audible for ~$20 at ~10.5 hrs, which was a little long-winded, but well worth the message. Overall, I give the book 7 out of 10 stars, and highly recommend it to information security professionals, as it clarifies some pretty fundamental methods for technically calculating risk, such as calculating the probability of a security event, the impact of a specific security event, and/or the potential effectiveness of applying a security control. The book spends a good deal of time questioning human error in estimating the probability of an event and suggests that most analysts are over-confident in their qualitative expert opinions, leading to grave miscalculations of risk. The book promotes using more quantitative methods for calculating risk over expert intuition, a message I strongly agree with. Further, the book gives readers many spreadsheets and algorithms to compute these risk calculations. I also like how the book promotes theories such as Bayes and encourages the use of expert experience for the prior, something statisticians have historically frowned on. Finally, the book also dispels many myths of data science, such as not being able to capture the data, not having enough data, or not being able to quantify the data. Check out the chapters of the book to get better insight into what it covers:
Foreword
Acknowledgements
About the Authors
Introduction
Why This Book, Why Now?
What Is This Book About?
What to Expect
Is This Book for Me?
We Need More Than Technology
New Tools for Decision Makers
Our Path Forward
PART I: Why Cybersecurity Needs Better Measurements for Risk
Chapter 1: The One Patch Most Needed in Cybersecurity
The Global Attack Surface
The Cyber Threat Response
A Proposal for Cybersecurity Risk Management
Notes
Chapter 2: A Measurement Primer for Cybersecurity
The Concept of Measurement
The Object of Measurement
The Methods of Measurement
Notes
Chapter 3: Model Now!: An Introduction to Practical Quantitative Methods for Cybersecurity
A Simple One-for-One Substitution
The Expert as the Instrument
Doing "Uncertainty Math"
Visualizing Risk
Supporting the Decision: A Return on Mitigation
Where to Go from Here
Notes
Chapter 4: The Single Most Important Measurement in Cybersecurity
The Analysis Placebo: Why We Can't Trust Opinion Alone
How You Have More Data Than You Think
When Algorithms Beat Experts
Tools for Improving the Human Component
Summary and Next Steps
Notes
Chapter 5: Risk Matrices, Lie Factors, Misconceptions, and Other Obstacles to Measuring Risk
Scanning the Landscape: A Survey of Cybersecurity Professionals
What Color Is Your Risk? The Ubiquitous - and Risky - Risk Matrix
Exsupero Ursus and Other Fallacies
Conclusion
Notes
PART II: Evolving the Model of Cybersecurity Risk
Chapter 6: Decompose It: Unpacking the Details
Decomposing the Simple One-for-One Substitution Model
More Decomposition Guidelines: Clear, Observable, Useful
A Hard Decomposition: Reputation Damage
Conclusion
Notes
Chapter 7: Calibrated Estimates: How Much Do You Know Now?
Introduction to Subjective Probability
Calibration Exercise
Further Improvements on Calibration
Conceptual Obstacles to Calibration
The Effects of Calibration
Notes
Answers to Trivia Questions for Calibration Exercises
Chapter 8: Reducing Uncertainty with Bayesian Methods
A Major Data Breach Example
A Brief Introduction to Bayes and Probability Theory
Bayes Applied to the Cloud Breach Use Case
Notes
Chapter 9: Some Powerful Methods Based on Bayes
Computing Frequencies with (Very) Few Data Points: The Beta Distribution
Decomposing Probabilities with Many Conditions
Reducing Uncertainty Further and When To Do It
Leveraging Existing Resources to Reduce Uncertainty
Wrapping Up Bayes
Notes
PART III: Cybersecurity Risk Management for the Enterprise
Chapter 10: Toward Security Metrics Maturity
Introduction: Operational Security Metrics Maturity Model
Sparse Data Analytics
Functional Security Metrics
Security Data Marts
Prescriptive Analytics
Notes
Chapter 11: How Well Are My Security Investments Working Together?
Addressing BI Concerns
Just the Facts: What Is Dimensional Modeling and Why Do I Need It?
Dimensional Modeling Use Case: Advanced Data Stealing Threats
Modeling People Processes
Chapter 12: A Call to Action: How to Roll Out Cybersecurity Risk Management
Establishing the CSRM Strategic Charter
Organizational Roles and Responsibilities for CSRM
Getting Audit to Audit
What the Cybersecurity Ecosystem Must Do to Support You
Can We Avoid the Big One?
Appendix A: Selected Distributions
Distribution Name: Triangular
Distribution Name: Binary
Distribution Name: Normal
Distribution Name: Lognormal
Distribution Name: Beta
Distribution Name: Power Law
Distribution Name: Truncated Power Law
Appendix B: Guest Contributors
Appendix B Contents
Aggregating Data Sources for Cyber Insights
Forecasting - and Reducing - Occurrence of Espionage Attacks
Skyrocketing Breaches?
Financial Impact of Breaches
The Flaw of Averages in Cyber Security
Botnets
Password Hacking
Cyber-CI
How Catastrophe Modeling Can Be Applied to Cyber Risk
Notes
I really like the presentation of Bayes in this book, as it harnesses the expert's opinions in the prior, making the security analyst a key component in calculating the risk. Further, the book is clearly co-written by a security practitioner, as it effortlessly paints the world and trials of the modern cyber security professional. One of the parts I didn't like is that the book spends a lot of time trying to prove to cyber security analysts that these statistical methods are applicable, which feels like an entire third of the book. I totally agree with these methods and think these are sound approaches. Simply put, one should just present the subject matter and save the gratuitous text on trying to convince some strawman that your methods are correct. That said, the book calls out many of the existing practices in information security, such as the threat matrix and CVSS scores, as being mathematically unsound. The book looks at well-established risk evaluation practices of other industries, such as healthcare, insurance, and actuarial science, and applies tried and true statistical methods to generate sound insight from data. The book promotes powerful statistical tools such as Monte Carlo simulations and the Lens Model. The book includes its own companion site too, which includes many of the spreadsheets, macros, and algorithms from the book that analysts can use in their own practice.
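As an added example (not code from the book or its companion site), the following Python sketches the kind of quantitative substitute for a risk matrix that the review describes: a register of calibrated annual probabilities with 90% confidence intervals for impact, a Monte Carlo simulation over that register, a point on a loss exceedance curve, and a return-on-mitigation comparison for a control. The register entries, the control and its cost are constructed; the lognormal parameterisation from a 90% CI and the return-on-mitigation formula are my assumptions about the approach, not verified against this page.

```python
import math
import random
from typing import NamedTuple

Z90 = 3.29  # a 90% confidence interval spans 2 * 1.645 standard deviations

class Risk(NamedTuple):
    name: str
    p_annual: float     # calibrated probability the event occurs within a year
    impact_low: float   # lower bound of the 90% CI for the loss if it occurs
    impact_high: float  # upper bound of the 90% CI for the loss if it occurs

def lognormal_params(low, high):
    """Turn a 90% CI into the (mu, sigma) of a lognormal impact (assumed method)."""
    mu = (math.log(high) + math.log(low)) / 2.0
    sigma = (math.log(high) - math.log(low)) / Z90
    return mu, sigma

def simulate_annual_losses(risks, trials=50_000, seed=1):
    """Monte Carlo: each trial is one year; each risk fires with p_annual and,
    when it does, contributes a lognormal loss. Returns the per-year totals."""
    rng = random.Random(seed)
    params = [(r.p_annual, *lognormal_params(r.impact_low, r.impact_high)) for r in risks]
    totals = []
    for _ in range(trials):
        year = 0.0
        for p, mu, sigma in params:
            if rng.random() < p:
                year += rng.lognormvariate(mu, sigma)
        totals.append(year)
    return totals

def prob_loss_exceeds(losses, threshold):
    """One point on the loss exceedance curve: P(annual loss > threshold)."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def return_on_mitigation(before, after, control_cost):
    """(reduction in expected annual loss - annual control cost) / control cost."""
    reduction = sum(before) / len(before) - sum(after) / len(after)
    return (reduction - control_cost) / control_cost

# Constructed register and hypothetical control (illustrative numbers only)
REGISTER = [Risk("ransomware on file servers", 0.10, 10_000, 1_000_000),
            Risk("cloud storage misconfiguration", 0.05, 50_000, 5_000_000)]
MITIGATED = [REGISTER[0]._replace(p_annual=0.02), REGISTER[1]]  # offline backups

if __name__ == "__main__":
    base = simulate_annual_losses(REGISTER)
    print(f"P(annual loss > $1M) = {prob_loss_exceeds(base, 1_000_000):.3f}")
    print(f"ROM of backups = {return_on_mitigation(base, simulate_annual_losses(MITIGATED, seed=2), 10_000):.2f}")
```

Sweeping the threshold passed to prob_loss_exceeds over a range of dollar values yields the full loss exceedance curve that the book uses in place of a colour-coded matrix.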
