Douglas W.Hubbard - How to Measure Anything in Cybersecurity Risk

1. Chapter 3
2. Chapter 5
3. Chapter 6
4. Chapter 7
5. Chapter 9
6. Chapter 11

1. Chapter 1
2. Chapter 3
3. Chapter 4
4. Chapter 5
5. Chapter 6
6. Chapter 7
7. Chapter 9
8. Chapter 10
9. Chapter 11
10. Chapter 12
11. Appendix A

Second Edition

DOUGLAS W. HUBBARD

RICHARD SEIERSEN

Copyright 2023 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate percopy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 7508400, fax (978) 6468600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 7486011, fax (201) 7486008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 7622974, outside the United States at (317) 5723993 or fax (317) 5724002.

Wiley publishes in a variety of print and electronic formats and by printondemand. Some material included with standard print versions of this book may not be included in ebooks or in printondemand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress CataloginginPublication Data is Available:

ISBN 9781119892304 (Hardback)

ISBN 9781119892328 (ePDF)

ISBN 9781119892311 (ePub)

Cover Design: Wiley

Cover Images: Cyber security lock Henrik5000/iStockphoto;

Cyber eye kasahasa/Getty Images;

Internet Security concept bluebay2014/Getty Images;

Background omergenc/Getty Images;

Abstract business background Natal'ya Bondarenko/Getty Images;

Abstract business background procurator/Getty Images;

Cloud Computing derrrek/Getty Images

Douglas Hubbard's dedication: To my children, Evan, Madeleine, and Steven, as the continuing sources of inspiration in my life; and to my wife, Janet, for doing all the things that make it possible for me to have time to write a book, and for being the ultimate proofreader.

Richard Seiersen's dedication: To all the ladies in my life: Helena, Kaela, Anika, and Brenna. Thank you for your love and support through the book and life. You make it fun.

Doug and Richard would also like to dedicate this book to the military and law enforcement professionals who specialize in cybersecurity.

Jack Jones

Chief Risk Scientist at RiskLens

Chairman of the FAIR Institute

I clearly recall my first conversation with Douglas about fifteen years ago. In the midst of trying to build a consulting practice around my Factor Analysis of Information Risk (FAIR) model, I had just read the first edition of his brilliant How to Measure Anything book and wanted to pick his brain. But what stood out most during our conversation wasn't Doug's incredible depth of knowledgeit was his passion for sharing insights with others. Similarly, when I first met Richard at an SIRA conference some years ago, he exhibited the same depth of knowledge and oozed the same passion. And although deep expertise is obviously important for their work, it's their passion for helping others that provides the energy and intestinal fortitude to challenge conventional wisdom and lead our profession to higher ground.

In this book, Doug and Richard continue to apply their passion to the topic of reducing uncertainty and making (much) better decisions in a profoundly complex problem space. As a cybersecurity professional for over thirtyfive years and a CISO for over 10 years, I can attest to how important this is.

Anyone who's been in the cybersecurity trenches for any length of time will be familiar with some of the common measurementrelated challenges we face. Religious debates about whether something is high risk or medium risk, an inability to effectively measure and communicate to stakeholders the dangers associated with changes in the risk landscape or the value of improved controls, even simply being confident and logically consistent in determining which problems deserve the most attention has been an elusive objective for many in the profession. This is also why I've focused so strongly on understanding and measuring cybersecurity risk for over 20 years, which led me to develop the FAIR and FAIR Controls Analytics (FAIRCAM) models.

My own research also allows me to attest to the strengths of Doug and Rich's methods. It is, unfortunately, incredibly easy to apply quantitative methods badly, which results not only in poorly informed decisions but also a false sense of security because you used numbers. This book does an outstanding job of laying the groundwork for defensible measurements.

That said, if you're concerned about whether this book might be too mathy, rest assured that you do not need a background in calculus or statistics to find tremendous value here. Doug and Rich discuss the pitfalls of common approaches such as risk matrices and unaided intuition, dismantle prevailing misperceptions surrounding risk measurement, and describe the fundamental principles of good measurement in terms that anyone can understand and apply. They also provide very pragmatic methods and tools that anyone can use.