Cipher Book Review, Issue E134

How to Measure Anything in Cybersecurity Risk
Douglas W. Hubbard and Richard Seiersen

ISBN 978-1-119-08529-4. Wiley 2016.
Table of Contents:

Reviewed by  Richard Austin   Sep 16, 2016 

This is a very useful follow-up to Hubbard's previous book "How to Measure Anything: Finding the Value of Intangibles in Business" applied to cybersecurity risk. Though this book can be read standalone, many details are referenced to the previous one, and it would be good to have a copy at hand for reference. The book addresses the very important question: Is it really possible to do anything beyond rating scales when assessing cybersecurity risk? We're all familiar with variations of high-medium-low and the sometimes arcane rituals of how to "multiply" a medium rate of occurrence by a low impact. We've also likely felt vaguely uncomfortable about doing math on ratings but haven't really had an alternative.

The authors are quick to assure us that there is a better way that will allow us to defensibly produce quantitative risk assessments using the data and knowledge we have (but may not realize we have).

Their techniques relies on simulation - they call it "Monte Carlo" which would have put my long-ago professor in a computer simulation course into hysterics: "Monte Carlo is a method for integrating messy functions not a catchy byword for applying simulation to problems". A quick Google shows that "Monte Carlo" enjoys wide usage in the sense used by the authors but I still have the emotional scars from that course and won't use the term that way.

To do a good simulation, you need reasonable data and the authors spend a good portion of the book showing that we know a lot more than we think we do. One of their core techniques is "calibration" which basically means that when an expert says that something has a probability of .2 to .4 they really mean it. While that sounds suspiciously obvious, the authors quote substantial research to show that experts, in the beginning, really don't believe their estimates (in the sense of being willing to wager on the outcome) but can be taught to produce good estimates.

The tool they use for their simulation studies is the spreadsheet (examples available on the book's website), but rather than creating another spreadsheet oracle, they clearly explain how the spreadsheet calculations work so that the astute reader will be able to understand and defend their conclusions.

There are a couple of pimples on this otherwise excellent presentation. First is that too much is made of the great frequentist versus subjectivist divide in the field of statistics. Outside of academia, I find that the professional statisticians I know (a biased sample if ever there was one) are frequentists when they can be and subjectivists the rest of the time. As one of the more waggish opined: "Whatever makes the math easier". If you must classify yourself, my advice is to follow the authors and be unabashedly subjectivist (or Bayesian). The second is the some of the presentation is frankly polemical and boils down to "If you don't agree with us then you don't understand statistics at all". The authors are experts in their field (otherwise we wouldn't be reading their book) and the research results of applying their techniques speak for themselves, so the polemics could have been left out with no loss to the presentation.

Some readers may suffer from a phobia when it comes to statistics and probability (usually traceable to a bad experience in their first statistics class). The authors have successfully taught their methods to audiences from many backgrounds and the book is heavily tutorial in nature. When you finish working your way through it, you will be able to stare probability distributions, confidence intervals and other scary accoutrements of quantitative risk assessment in the eye without flinching.

This is an awesome book on a critical topic. The decisions we made in securing our information assets, the infrastructures that support them and the services that depend on them are too critical for us to depend on mumbo jumbo when making decisions about risk. The authors make a forceful case that there is a better way that depends on comprehensible techniques with a substantial body of research in many fields behind them. I fervently hope that you will studiously read this book and apply its techniques in your own work. We and our profession will be all the better for it.

It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin has fearlessly sampled the latest offerings of the publishing houses and opines as to which might most profitably occupy your scarce reading time.

Fare thee well!

The time has come for your humble correspondent to retire from the workaday world and start a new phase of life as a professional grandpa. I have thoroughly enjoyed these ten years of writing book reviews for IEEE Cipher and want to express my deep appreciation to you, our readers, the IEEE Computer Society Technical Committee on Security and Privacy and my longsuffering editor, Hilarie Orman (who has taught me there is always a better way to say things), for this once-in-a-lifetime opportunity.

I wish you well as you carry our wonderful profession into the future and confront the myriad challenges that make this the most interesting profession on Earth.

With fond regards.
Richard Austin MS, CISSP