Professional Documents
Culture Documents
Second Edition
DOUGLAS W. HUBBARD
RICHARD SEIERSEN
Copyright © 2023 by John Wiley & Sons, Inc. All rights reserved.
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John
Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and
may not be used without written permission. All other trademarks are the property of
their respective owners. John Wiley & Sons, Inc. is not associated with any product or
vendor mentioned in this book.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their
best efforts in preparing this book, they make no representations or warranties with
respect to the accuracy or completeness of the contents of this book and specifically
disclaim any implied warranties of merchantability or fitness for a particular purpose. No
warranty may be created or extended by sales representatives or written sales materials.
The advice and strategies contained herein may not be suitable for your situation. You
should consult with a professional where appropriate. Further, readers should be aware
that websites listed in this work may have changed or disappeared between when this
work was written and when it is read. Neither the publisher nor author shall be liable for
any loss of profit or any other commercial damages, including but not limited to special,
incidental, consequential, or other damages.
For general information on our other products and services or for technical support,
please contact our Customer Care Department within the United States at (800) 762-
2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Introduction 1
vii
viii Contents
Index 327
Foreword for the Second Edition
Jack Jones
Chief Risk Scientist at RiskLens
Chairman of the FAIR Institute
I clearly recall my first conversation with Douglas about fifteen years ago.
In the midst of trying to build a consulting practice around my Factor
Analysis of Information Risk (FAIR) model, I had just read the first edi-
tion of his brilliant How to Measure Anything book and wanted to pick
his brain. But what stood out most during our conversation wasn’t Doug’s
incredible depth of knowledge—it was his passion for sharing insights with
others. Similarly, when I first met Richard at an SIRA conference some years
ago, he exhibited the same depth of knowledge and oozed the same pas-
sion. And although deep expertise is obviously important for their work,
it’s their passion for helping others that provides the energy and intestinal
fortitude to challenge conventional wisdom and lead our profession to
higher ground.
In this book, Doug and Richard continue to apply their passion to the
topic of reducing uncertainty and making (much) better decisions in a pro-
foundly complex problem space. As a cybersecurity professional for over
thirty-five years and a CISO for over 10 years, I can attest to how important
this is.
Anyone who’s been in the cybersecurity trenches for any length of
time will be familiar with some of the common measurement-related chal-
lenges we face. “Religious debates” about whether something is “high risk”
or “medium risk,” an inability to effectively measure and communicate to
stakeholders the dangers associated with changes in the risk landscape or
the value of improved controls, even simply being confident and logically
consistent in determining which problems deserve the most attention has
been an elusive objective for many in the profession. This is also why I’ve
focused so strongly on understanding and measuring cybersecurity risk for
over 20 years, which led me to develop the FAIR and FAIR Controls Analyt-
ics (FAIR-CAM) models.
ix
x Foreword for the Second Edition
■■ Jack Jones
■■ Jack Freund
■■ Wade Baker
■■ Jim Lipkis
■■ Thomas Lee
■■ Christopher “Kip” Bohn
■■ Scott Stransky
■■ Tomas Girnius
■■ Jay Jacobs
■■ Sam Savage
■■ Tony Cox
■■ Michael Murray
■■ Patrick Heim
■■ Cheng-Ping Li
■■ Michael Sardaryzadeh
■■ Stuart McClure
■■ Rick Rankin
■■ Anton Mobley
■■ Vinnie Liu
■■ SIRA.org Team
■■ Dan Geer
■■ Robert Brown
xiii
xiv Acknowledgments
■■ Elizabeth Swan
■■ Peter Mallik
■■ Philip Martin
■■ Bobby Weant
■■ Andrew Adams
■■ Richie Modad
Preface
W hen we wrote the first edition of this book, we were cautiously opti-
mistic about how well it would do. Some constructive criticisms of
popular methods were long past due. We knew a lot of published research
showed that although the ubiquitous risk matrix provided a kind of placebo
effect and increased confidence in decision making, it actually harmed the
quality of decision making.
The book quickly exceeded our expectations in terms of demand and
the influence it has had on the content of training and standards in cyber-
security. Consequently, the publisher, Wiley, wanted to capitalize on this
demand with a second edition.
A lot has happened in cybersecurity in the six years since the first edi-
tion was published. There have been new major cyberattacks and new
threats have appeared. Ransomware was not perceived to be nearly as
much a threat in 2016 as it is now. But there will always be a new threat, and
there will always be new technologies developed in an attempt to reduce
these risks. Any book about cyber risk that only addresses current problems
and technical solutions will need to be rewritten much more frequently than
once every few years.
So, if the only changes were technical details of threats and solutions,
then a new edition would not be required. We felt it was time to write a new
edition because we realize that some organizations need quicker, simpler
solutions to quantify cybersecurity risks. At the same time, others are ready
for a little more depth in the methods. In this edition we have attempted to
provide more for both audiences.
xv
How to Measure Anything in
Cybersecurity Risk
Introduction
1
2 Introduction
■■ Making better decisions when you are significantly uncertain about the
present and future; and
■■ Reducing that uncertainty even when data seems unavailable or the
targets of measurement seem ambiguous and intangible.
5
CHAPTER 1
The One Patch Most Needed
in Cybersecurity
7
8 Why Cybersecurity Needs Better Measurements for Risk
The Bass.
REIGN OF WILLIAM III.: 1695–1702.