
How to Measure Anything in Cybersecurity Risk

By Douglas W. Hubbard , Richard Seiersen
About this book
How to Measure Anything in Cybersecurity Risk exposes the shortcomings of current “risk management” practices, and offers a series of improvement techniques that help you fill the holes and ramp up security. In his bestselling book How to Measure Anything, author Douglas W. Hubbard opened the business world’s eyes to the critical need for better measurement. This book expands upon that premise and draws from The Failure of Risk Management to sound the alarm in the cybersecurity realm. Some of the field’s premier risk management approaches actually create more risk than they mitigate, and questionable methods have been duplicated across industries and embedded in the products accepted as gospel. This book sheds light on these blatant risks and provides alternate techniques that can help improve your current situation. You’ll also learn which approaches are too risky to save and are actually more damaging than a total lack of any security. Dangerous risk management methods abound; there is no industry more critically in need of solutions than cybersecurity. This book provides solutions where they exist and advises when to change tracks entirely.
Publication date: July 2016
Publisher: Packt
Pages: 304
ISBN: 9781119085294

Foreword

Daniel E. Geer, Jr., ScD

Daniel Geer is a security researcher with a quantitative bent. His group at MIT produced Kerberos, and a number of startups later he is still at it—today as chief information security officer at In-Q-Tel. He writes a lot at every length, and sometimes it gets read. He’s an electrical engineer, a statistician, and someone who thinks truth is best achieved by adversarial procedures.

It is my pleasure to recommend How to Measure Anything in Cybersecurity Risk. The topic is nothing if not pressing, and it is one that I have myself been dancing around for some time.¹ It is a hard problem, which allows me to quote Secretary of State John Foster Dulles: “The measure of success is not whether you have a tough problem to deal with, but whether it is the same problem you had last year.” At its simplest, this book promises to help you put some old, hard problems behind you.

The practice of cybersecurity is part engineering and part inference. The central truth of engineering is that design pays if and only if the problem statement is itself well understood. The central truth of statistical inference is that all data has bias—the question being whether you can correct for it. Both engineering and inference depend on measurement. When measurement gets good enough, metrics become possible.

I say “metrics” because metrics are derivatives of measurement. A metric encapsulates measurements for the purpose of ongoing decision support. I and you, dear reader, are not in cybersecurity for reasons of science, though those who are in it for science (or philosophy) will also want measurement of some sort to backstop their theorizing. We need metrics derived from solid measurement because the scale of our task compared to the scale of our tools demands force multiplication. In any case, no game play improves without a way to keep score.

Early in the present author’s career, a meeting was held inside a market-maker bank. The CISO, who was an unwilling promotion from Internal Audit, was caustic even by the standards of NYC finance. He began his comments mildly enough:

Are you security people so stupid that you can’t tell me:

  • How secure am I?
  • Am I better off than I was this time last year?
  • Am I spending the right amount of money?
  • How do I compare to my peers?
  • What risk transfer options do I have?

Twenty-five years later, those questions remain germane. Answering them, and others, comes only from measurement; that is the “Why?” of this book.

Yet even if we all agree on “Why?,” the real value of this book is not “Why?” but “How?”: how to measure and then choose among methods, how to do that both consistently and repeatedly, and how to move up from one method to a better one as your skill improves.

Some will say that cybersecurity is impossible if you face a sufficiently skilled opponent. That’s true. It is also irrelevant. Our opponents by and large pick the targets that maximize their return on their investment, which is a polite way of saying that you may not be able to thwart the most singularly determined opponent for whom cost is no object, but you can sure as the world make other targets more attractive than you are. As I said, no game play improves without a way to keep score. That is what this book offers you—a way to improve your game.

This all requires numbers because numbers are the only input to both engineering and inference. Adjectives are not. Color codes are not. If you have any interest in taking care of yourself, of standing on your own two feet, of knowing where you are, then you owe it to yourself to exhaust this book. Its writing is clear, its pedagogy is straightforward, and its downloadable Excel spreadsheets leave no excuse for not trying.

Have I made the case? I hope so.

About the Authors
  • Douglas W. Hubbard

    Douglas W. Hubbard is the inventor of Applied Information Economics (AIE). He is an internationally recognized expert in measurement and quantitative decision analysis, and best-selling author of How to Measure Anything, Third Edition and The Failure of Risk Management.

  • Richard Seiersen

    Richard Seiersen is the general manager of cybersecurity & privacy at GE Healthcare. He has more than twenty years of experience in areas such as cybersecurity governance, risk, and compliance (GRC), and analytics.