
2nd Edition: How to Measure Anything in Cybersecurity Risk - Doug Hubbard - BSW Vault

11/25/24

The podcast discusses the second edition of the book, 'How to Measure Anything in Cybersecurity Risk,' which provides a mathematical approach to risk assessment in cybersecurity. The authors emphasize the limitations of qualitative risk assessment methods and advocate for quantitative methods like Monte Carlo simulations and Bayesian analysis, arguing that they provide more accurate and useful results. The book also delves into topics like the cost of data breaches and the Franken SME method for aggregating expert knowledge.

Cybersecurity is not unique

00:00:50 Cybersecurity professionals often claim their field is uniquely complex, but the authors argue that many other industries face similar challenges with intelligent adversaries and rapidly changing technology. They contend that methods used in other fields, like insurance and military operations, are applicable to cybersecurity, demonstrating that the field is not as unique as it is often perceived.

Quantitative vs. Qualitative Risk Assessment

00:00:05 The podcast emphasizes the limitations of traditional qualitative risk assessment methods, such as risk matrices, which often rely on subjective scoring and lack mathematical rigor. Instead, it advocates for the use of quantitative methods that incorporate probabilities and simulations, arguing that these methods produce more accurate and reliable risk estimates.
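The kind of quantitative estimate the podcast contrasts with a risk matrix, as an added example that is not code from the book or the episode: each risk gets an annual event probability and a 90% confidence interval for the loss if it occurs, the interval is mapped to a lognormal distribution (an assumption made here; the register values are constructed), and a Monte Carlo run turns that into an expected annual loss and loss-exceedance probabilities.

```python
import math
import random

# Constructed sample risk register (illustrative values, not data from the book or podcast).
# p_event: annual probability the event happens; ci90: (5th, 95th) percentile of loss in USD.
RISK_REGISTER = [
    {"name": "ransomware outbreak", "p_event": 0.10, "ci90": (200_000, 5_000_000)},
    {"name": "lost unencrypted laptop", "p_event": 0.35, "ci90": (10_000, 250_000)},
    {"name": "vendor breach with fines", "p_event": 0.05, "ci90": (500_000, 20_000_000)},
]

Z90 = 1.6449  # a two-sided 90% interval spans +/- 1.645 standard deviations


def lognormal_params(lower, upper):
    """Convert a 90% CI on a positive loss into lognormal (mu, sigma).
    Assumes the expert's bounds are the 5th and 95th percentiles of a lognormal."""
    mu = (math.log(lower) + math.log(upper)) / 2
    sigma = (math.log(upper) - math.log(lower)) / (2 * Z90)
    return mu, sigma


def simulate_annual_loss(register, trials=10_000, seed=1):
    """Monte Carlo: for each trial, roll every risk for occurrence and, if it occurs,
    draw a loss from its lognormal. Returns the list of simulated annual totals."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    params = [(r["p_event"], lognormal_params(*r["ci90"])) for r in register]
    losses = []
    for _ in range(trials):
        total = 0.0
        for p_event, (mu, sigma) in params:
            if rng.random() < p_event:
                total += rng.lognormvariate(mu, sigma)
        losses.append(total)
    return losses


def expected_loss(losses):
    return sum(losses) / len(losses)


def loss_exceedance(losses, threshold):
    """Probability that annual loss exceeds threshold: one point on a loss-exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


if __name__ == "__main__":
    sim = simulate_annual_loss(RISK_REGISTER)
    print(f"expected annual loss: ${expected_loss(sim):,.0f}")
    for t in (100_000, 1_000_000, 10_000_000):
        print(f"P(loss > ${t:,}) = {loss_exceedance(sim, t):.3f}")
```

Plotting loss_exceedance over a range of thresholds gives the loss-exceedance curve; comparing it against the organisation's risk tolerance replaces the "high/medium/low" cell of a matrix.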

The Cost of Cybersecurity Breaches

00:24:00 The authors discuss the cost of cybersecurity breaches, particularly the impact on stock prices and reputation. They suggest that for many companies, the cost of a breach is primarily associated with fines, legal liabilities, and 'penance projects' aimed at regaining stakeholder trust rather than a significant stock price drop. Data from GDPR violations and breach responses like T-Mobile's are used as examples.

Franken SME Method

00:34:01 The Franken SME (Subject Matter Expert) method is a novel approach to aggregate the knowledge of multiple experts, recognizing that individuals can have biases and inconsistencies in their judgments. By algorithmically combining their estimates, it aims to produce more accurate probabilities and insights than relying on a single expert. The method draws parallels with the concept of creating a composite player in baseball statistics as presented in 'Moneyball'.

Subjectivity and Customization

00:16:11 The authors address concerns about the subjectivity of organizations and the challenges of standardizing risk assessment algorithms while maintaining flexibility. They emphasize that all models, including those based on intuition, are inherently approximations. The goal is to use algorithms that are demonstrably less wrong than alternatives, rather than striving for perfection, and they offer ways to incorporate organization-specific data into the models.