Foreword for the Second Edition Jack Jones ixAcknowledgments xiiiPreface xvIntroduction 1Part I Why Cybersecurity Needs Better Measurements for Risk 5Chapter 1 The One Patch Most Needed in Cybersecurity 7Chapter 2 A Measurement Primer for Cybersecurity 21Chapter 3 The Rapid Risk Audit: Starting With a Simple Quantitative Risk Model 43Chapter 4 The Single Most Important Measurement in Cybersecurity 73Chapter 5 Risk Matrices, Lie Factors, Misconceptions, and Other Obstacles to Measuring Risk 101Part II Evolving the Model of Cybersecurity Risk 133Chapter 6 Decompose It: Unpacking the Details 135Chapter 7 Calibrated Estimates: How Much Do You Know Now? 155Chapter 8 Reducing Uncertainty with Bayesian Methods 183Chapter 9 Some Powerful Methods Based on Bayes 193Part III Cybersecurity Risk Management for the Enterprise 231Chapter 10 Toward Security Metrics Maturity 233Chapter 11 How Well Are My Security Investments Working Together? 257Chapter 12 A Call to Action: How to Roll Out Cybersecurity Risk Management 277Appendix A Selected Distributions 289Appendix B Guest Contributors 297Index 327

DOUGLAS W. HUBBARD is the inventor of the Applied Information Economics (AIE) method and the founder of Hubbard Decision Research. He is an internationally recognized expert in the area of decision analysis.RICHARD SEIERSEN is the Chief Risk Officer of Resilience, a cyberinsurance firm. He is the former Chief Information Security Officer at LendingClub, Twilio, and GE Healthcare and Co-founder of the cloud native security company Soluble - sold to Lacework in 2021.