How to Measure Anything in Cybersecurity Risk

by Douglas W. Hubbard

it is a mathematically valid position to use a subjective probability to represent the prior state of uncertainty of a subject matter expert. In fact, there are problems in statistics that can only be solved by using a probabilistically expressed prior state of uncertainty. And these are actually the very situations most relevant to decision making in any field, including cybersecurity.

Remember, if the primary concern about using probabilistic methods is the lack of data, then you also lack the data to use nonquantitative methods.

researchers discovered that assessing uncertainty is a general skill that can be taught with a measurable improvement. That is, when calibrated cybersecurity experts say they are 85% confident that a major data breach will occur in their industry in the next 12 months, there really is an 85% chance it will occur.