# Chapter 3

Model Now!: *An Introduction to Practical Quantitative Methods for Cybersecurity*

Build a little. Test a little. Learn a lot.—Rear Admiral Wayne Meyer,

Aegis Weapon System Program Manager

In this chapter we will propose a simple starting point for developing a quantitative risk assessment. Later, we will explore more detailed models (starting in Chapter 6) and more advanced methods (starting in Chapter 8). But for now we will start with a model that merely replaces the common risk matrix. It will simply be a way to capture subjective estimates of likelihood and impact, but do so probabilistically.

To make it work, we need to introduce a few methods. First, we need to introduce the idea of subjectively assessing probabilities, but we will defer the exercises to train you to do that until Chapter 7 (for now, hang in there). We will also introduce a very basic simulation method, and the work of actually building the simulation is mostly done for you. The example...