Book Image

How to Measure Anything in Cybersecurity Risk

By : Douglas W. Hubbard, Richard Seiersen
Book Image

How to Measure Anything in Cybersecurity Risk

By: Douglas W. Hubbard, Richard Seiersen

Overview of this book

How to Measure Anything in Cybersecurity Risk exposes the shortcomings of current “risk management” practices, and offers a series of improvement techniques that help you fill the holes and ramp up security. In his bestselling book How to Measure Anything, author Douglas W. Hubbard opened the business world’s eyes to the critical need for better measurement. This book expands upon that premise and draws from The Failure of Risk Management to sound the alarm in the cybersecurity realm. Some of the field’s premier risk management approaches actually create more risk than they mitigate, and questionable methods have been duplicated across industries and embedded in the products accepted as gospel. This book sheds light on these blatant risks and provides alternate techniques that can help improve your current situation. You’ll also learn which approaches are too risky to save and are actually more damaging than a total lack of any security. Dangerous risk management methods abound; there is no industry more critically in need of solutions than cybersecurity. This book provides solutions where they exist and advises when to change tracks entirely.
Table of Contents (12 chapters)
Free Chapter
1
Foreword
2
Foreword
3
Acknowledgments
4
About the Authors
9
Index
10
EULA

Chapter 11
How Well Are My Security Investments Working Together?

In Chapter 10, we shared an operational security-metrics maturity model. The model started with sparse data analytics. That really is the main theme of this book: “how to measure and then decide on what to invest in when you have a lot of uncertainty caused by limited empirical data.” Chapters 8 and 9 represent the main modeling techniques used in sparse data analytics. The goal is to make the best decision given the circumstances. And as you may recall, a decision is an “irrevocable allocation of resources.” In short, you know you’ve made a decision when you have written a check. Is measurement all over once you have made an investment? Certainly not!

What do you measure once you have made a decision (i.e., an investment)? You determine if your investment is meeting the performance goals you have set for it. For the security professional this is the realm of operational security metrics...