Foreword for the Second Edition

Jack Jones

Chief Risk Scientist at RiskLens

Chairman of the FAIR Institute

I clearly recall my first conversation with Douglas about fifteen years ago. In the midst of trying to build a consulting practice around my Factor Analysis of Information Risk (FAIR) model, I had just read the first edition of his brilliant How to Measure Anything book and wanted to pick his brain. But what stood out most during our conversation wasn't Doug's incredible depth of knowledge—it was his passion for sharing insights with others. Similarly, when I first met Richard at an SIRA conference some years ago, he exhibited the same depth of knowledge and oozed the same passion. And although deep expertise is obviously important for their work, it's their passion for helping others that provides the energy and intestinal fortitude to challenge conventional wisdom and lead our profession to higher ground.

In this book, Doug and Richard continue to apply their passion to the topic of reducing uncertainty and making (much) better decisions in a profoundly complex problem space. As a cybersecurity professional for over thirty‐five years and a CISO for over 10 years, I can attest to how important this is.

Anyone who's been in the cybersecurity trenches for any length of time will be familiar with some of the common measurement‐related challenges we face. “Religious debates” about whether something is “high risk” or “medium risk,” an inability to effectively measure and communicate to stakeholders the dangers associated with changes in the risk landscape or the value of improved controls, and even simply being confident and logically consistent in determining which problems deserve the most attention have all been elusive objectives for many in the profession. This is also why I've focused so strongly on understanding and measuring cybersecurity risk for over 20 years, which led me to develop the FAIR and FAIR Controls Analytics (FAIR‐CAM) models.

My own research also allows me to attest to the strengths of Doug and Rich's methods. It is, unfortunately, incredibly easy to apply quantitative methods badly, which results not only in poorly informed decisions but also a false sense of security because you used numbers. This book does an outstanding job of laying the groundwork for defensible measurements.

That said, if you're concerned about whether this book might be too “mathy,” rest assured that you do not need a background in calculus or statistics to find tremendous value here. Doug and Rich discuss the pitfalls of common approaches such as risk matrices and unaided intuition, dismantle prevailing misperceptions surrounding risk measurement, and describe the fundamental principles of good measurement in terms that anyone can understand and apply. They also provide very pragmatic methods and tools that anyone can use.

If you're in the early stages of your cybersecurity career, this book will undoubtedly help you mature your understanding of the problem space far more quickly. Conversely, if you've been in the profession awhile, you will be able to better leverage your hard‐won experience by looking at the cybersecurity landscape through a new and clearer lens. In either case your performance and value as a professional will increase.

The first edition of this book has been a key contributor to cybersecurity's growing but still nascent transition from a qualitative, grossly oversimplified approach to risk measurement to one that is quantitatively based and logically defensible. If you already own the first edition, you'll find that this second edition contains significant new and updated material. A few examples of the new material include:

  • Updated research on the impact of data breaches on stock prices;
  • New examples of how to make incremental reductions in uncertainty from just a few observations;
  • New research regarding how issues such as MFA, encryption, and user counts change risk;
  • New distributions for modeling risk and how to implement them in Excel or R;
  • How cybersecurity can/should integrate with enterprise risk management and decision analysis;

Consequently, upgrading to this edition should be a no‐brainer.

The bottom line is that managing cybersecurity well requires being able to identify and focus on what matters most. This is true whether the scope of your responsibilities is strategic and enterprise‐wide or more tactical. Regardless, these decisions are always based on comparisons, which are inevitably based on some form of measurement. And if your measurements are poor, your ability to make good decisions is hamstrung. As a result, if I had my way, this book would be required reading for every cybersecurity professional. Short of that, if I was still a CISO, this book would be required reading for anyone in my organization. It's simply that important.
