When we wrote the first edition of this book, we were cautiously optimistic
about how well it would do. Some constructive criticisms of
popular methods were long past due. We knew a lot of published research
showed that although the ubiquitous risk matrix provided a kind of placebo
effect and increased confidence in decision making, it actually harmed the
quality of decision making.
The book quickly exceeded our expectations in terms of demand and
the influence it has had on the content of training and standards in cybersecurity.
Consequently, the publisher, Wiley, wanted to capitalize on this
demand with a second edition.
A lot has happened in cybersecurity in the six years since the first edition
was published. There have been new major cyberattacks and new
threats have appeared. Ransomware was not perceived to be nearly as
much a threat in 2016 as it is now. But there will always be a new threat, and
there will always be new technologies developed in an attempt to reduce
these risks. Any book about cyber risk that only addresses current problems
and technical solutions will need to be rewritten much more frequently than
once every few years.
So, if the only changes were technical details of threats and solutions,
then a new edition would not be required. We felt it was time to write a new
edition because we realize that some organizations need quicker, simpler
solutions to quantify cybersecurity risks. At the same time, others are ready
for a little more depth in the methods. In this edition we have attempted to
provide more for both audiences.