How to Measure Anything in Cybersecurity Risk

The cybersecurity profession is rich in data and the boardroom is desperate for meaningful risk analysis, but our traditional ways of communicating risk doesn't use the data and favors vague phrases to communicate the message. This book aims to remedy this problem and does so masterfully. Many readers will need to un-learn some habits in order to embrace risk measurement, but the authors make a solid case for why the traditional qualitative risk register isn't adequate for the modern landscape. I personally had to read some sections more than once, which is a complement to the authors. Some of the best books I read involve some struggle and "How to Measure Anything in Cybersecurity Risk" is easily among the top ten books in this profession I've read. I'll further add that I'm not often a five star sort of reviewer, thinking often the truth lies in middle but this book is the exception to the rule. If you work in cybersecurity and want to improve your decision making ability this book is for you.

This is a masterpiece for those of us who are engineers. The author gives the tools to solve many difficult situations, where measuring is fundamental, as it is in risk management.

The bad reviews seem inorganic for this book. No comments for all but one bad review. This books was transformative for me and our organization. I read the original version in 2017 and am currently reading the updated version. The authors make the case for quantitative risk. The readers of the book may understand but it is really important that they can CONVINCE others that quantitative risk is much better than qualitative risk. The book then delves into how you can relatively easily use math to build quantitative models. Following "How to Measure Anything in Cybersecurity Risk" will lead to much better results and allow for even small organizations to use quantitative risk.

I think the book preaches a good method. However I found the explanations a bit dense and certain terminology could have been explained better. Having visual charts/graphs to explain would have made this easier to digest. I’d sometimes read a page regarding a specific statistical term or process multiple times and still not understanding it. A quick google search on that term always seems to clarify what I don’t understand instantly…. Which made me frustrated and wondering why the book didn’t do a better job.

Think risk quantification is too hard? I promise it's not as hard as trying to figure out what to spend on a "high" risk. Even small improvements in your methods will reap huge rewards. Start here, you wont regret it!

muy buen producto

Simple, actionable and invaluable resource for any CISO or product security Exec.

I was hoping for some practical new ideas for methods of exploring and quantifying likelyhood and impact. This book provides a DEEP dive into Bayesian Statistical analysis, but it spends the first half of itself going into why it's needed and what is wrong with current subjective methods. I already knew what was wrong and why, that's why I bought the book. The techniques described will require a complete refit of what you are doing at a computational level, plus a complete mindshift away from normative practice. Disappointed ....

The book is really interesting, with a very reader-friendly approach, as it is accessible to anyone who has the curiosity to learn more about cyber risk assessment. Reading this book was even fun for me because of the opportunity it gave me to be introduced to statistical laws.

Muchas ideas de este libro por muy innovadoras que suenen no se desarrollan a una profundidad profesional. A veces el autor evita explicar tópicos esenciales que promete el libro porque sencillamente ni él mismo domina la materia o porque le interesa que muerdas el anzuelo de consultoría.

amazing book good seller must buy for risk management

One of the greatest books on this topic