The non-technical handbook for cyber security risk management

Solving Cyber Risk distills a decade of research into a practical framework for cyber security. Blending statistical data and cost information with research into the culture, psychology, and business models of the hacker community, this book provides business executives, policy-makers, and individuals with a deeper understanding of existing and future threats, and an action plan for safeguarding their organizations. Key Risk Indicators reveal vulnerabilities based on organization type, IT infrastructure and existing security measures, while expert discussion from leading cyber risk specialists details practical, real-world methods of risk reduction and mitigation.
By the nature of the business, your organization’s customer database is packed with highly sensitive information that is essentially hacker-bait, and even a minor flaw in security protocol could spell disaster. This book takes you deep into the cyber threat landscape to show you how to keep your data secure. By applying risk management principles to cyber security, non-technical leadership gains a greater understanding of the types of threat, level of threat, and level of investment needed to fortify the organization against attack. Just because you have not been hit does not mean your data is safe, and hackers rely on their targets’ complacence to help maximize their haul. Solving Cyber Risk gives you a concrete action plan for implementing top-notch preventative measures before you’re forced to implement damage control.
I'm not entirely sure what to tell you about this book. I gave it two stars, mostly because I found myself skimming most of it, not because I had any real problem with the content. The content is fine for what it is; however, I'm not sure that we even needed this book. It doesn't really say anything new; it certainly doesn't say anything about what the title says it will.
Let's tackle that first. "Solving Cyber Risk." Okaaaay. I read this whole book looking for the suggested solutions. Something along the lines of "here is how you can tackle this problem." I didn't find anything like that in this book. What this book did do was give a quite good overview of the problems in cyber security (gag, can we use information security again, please?). From threats, to vulnerabilities, to loss magnitudes, to some mitigations (mostly insurance). It doesn't get into architectures (zero trust or otherwise) or other technical tools (SIEM, EPP, FW, etc.), but does like to point out the use of cryptography a lot. However, books that describe all of this already exist. I guess though that people want current books since "cyber" moves so "fast." (It doesn't really.) So a book published in 2019 will sell better than one published in 2009.
There is a touch of security utopianism to this book. "If only we did this, we could solve a lot of problems." Or "if businesses would X, then these problems would go away." Which is ironic for a book that has a pretty good chapter on the economics of security. The economic imperative and the trade-offs that are implicit mean that businesses aren't going to do X, and the security industry isn't going to be able to influence the business, society, or government in such a way as to fundamentally alter things. For a book that takes a long, hard look at the ugly reality of the history of threats, I would have expected better "solutions" than mostly the same old wishful thinking I've heard in the past.
A few quibbles: The NIST CSF is *not* a risk management framework. It's a security control framework. Bug-free software isn't possible. The Halting Problem is real. Yes, I realize this isn't strictly what the halting problem says.
The authors opt for a reference book rather than a continuous argument. Breaking the topics down into sections, sub-sections and sub-sub-sections will no doubt help when I return to the book in the future. This makes a lot of sense for a security book given that security is a fox subject (need to know many small things) rather than a hedgehog subject (need to know one big thing), as Ross Anderson has argued in the past. It also helps synthesise authors with very different voices. Not many authors would opine about both the dying art of artisanal packet crafting and the value of counterfactual analysis.
Also this was the first time I have read about my own research in a book!