# The Cybersecurity Canon: How to Measure Anything in Cybersecurity Risk

By [Steve Winterfeld](https://www.paloaltonetworks.com/blog/author/steve-winterfeld/) | Dec 02, 2016 | 6 minutes | [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/), [Cybersecurity Canon](https://www.paloaltonetworks.com/blog/category/canon/)

*We modeled the [Cybersecurity Canon](https://www.paloaltonetworks.com/threat-research/cybercanon.html) after the Baseball or Rock & Roll Hall of Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.*

*The Cybersecurity Canon is a real thing for our community. We have designed it so that you can [directly participate in the process](https://www.paloaltonetworks.com/threat-research/cybercanon/nominate-a-book). Please do so!*

Book Review by [Canon Committee Member, Steve Winterfeld](https://www.paloaltonetworks.com/threat-research/cybercanon/cyber-security-canon-bios.html): *How to Measure Anything in Cybersecurity Risk* (2016) by Douglas W. Hubbard and Richard Seiersen

### Executive Summary

*How to Measure Anything in Cybersecurity Risk* is a book that reads like a college statistics textbook (but the good kind you highlight a lot). It is a book anyone who is responsible for measuring risk, developing metrics, or determining return on investment should read. It is grounded in classic quantitative analysis methodologies and provides a good balance of background and practical examples. This book belongs in the Cybersecurity Canon under Governance, Risk and Compliance (GRC).

### Review

As I said, this book reads like an education in quantitative modeling and how to apply the methodology to cybersecurity.
It truly challenges the current common practices in use to develop expert opinion-based risk frameworks. Here is a snippet from the book:

> "So let's be clear about our position on current methods: They are a failure. They do not work. A thorough investigation of the research on these methods and decision-making methods in general indicates the following:
>
> There is no evidence that the types of scoring and risk matrix methods widely used in cybersecurity improve judgment. On the contrary, there is evidence these methods add noise and error to the judgment process. Any appearance of "working" is probably a type of "analysis placebo." That is, a method may make you feel better even though the activity provides no measurable improvement in estimating risks (or even adds error).
>
> There is overwhelming evidence in published research that quantitative, probabilistic methods are effective.
>
> Fortunately, most cybersecurity experts seem willing and able to adopt better quantitative solutions. But common misconceptions held by some---including misconceptions about basic statistics---create some obstacles for adopting better methods.
>
> How cybersecurity assesses risk, and how it determines how much it reduces risk, are the basis for determining where cybersecurity needs to prioritize the use of resources. And if this method is broken---or even just leaves room for significant improvement---then that is the highest-priority problem for cybersecurity to tackle!"

The authors lay out the book in three sections:

* **Part I sets the stage for reasoning about uncertainty in security.** It outlines terms on things like security, uncertainty, measurement and risk management. Plus, it argues against toxic misunderstandings of these terms and why we need a better approach to measuring cybersecurity risk and, for that matter, measuring the performance of cybersecurity risk analysis itself. Finally, it introduces a simple quantitative method that could serve as a starting point for anyone, no matter how averse the person may be to complexity.
* **Part II delves further into evolutionary steps we can take with a simple quantitative model.** It explains how to add further complexity to a model and how to use even minimal amounts of data to improve those models.
* **Part III describes what is needed to implement these methods in the organization.** It addresses the implications of this book for the entire cybersecurity "ecosystem," including standards organizations and vendors.

The cybersecurity community suffers from not having standard evaluation metrics, like earnings before interest, taxes, depreciation and amortization (EBITDA). The authors try to bring some discipline to terms by offering standard definitions coming from the quantitative analytics field. From the book:

**Definitions for Uncertainty and Risk, and Their Measurements**

* **Uncertainty:** The lack of complete certainty, that is, the existence of more than one possibility. The "true" outcome/state/result/value is not known.
* **Measurement of Uncertainty:** A set of probabilities assigned to a set of possibilities. For example: "There is a 20% chance we will have a data breach sometime in the next five years."
* **Risk:** A state of uncertainty where some of the possibilities involve a loss, catastrophe, or other undesirable outcome.
* **Measurement of Risk:** A set of possibilities, each with quantified probabilities and quantified losses. For example: "We believe there is a 10% chance that a data breach will result in a legal liability exceeding $10 million."
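To show what those two definitions buy you in practice, here is an added Python example (not from the book or its Excel downloads) that carries a "measurement of risk" through to a Monte Carlo simulation and a loss exceedance curve, two of the methods the book covers. The scenario register, the risk tolerance curve and the choice of a lognormal loss distribution are constructed assumptions for the example.

```python
import math
import random

# Constructed scenario register (assumption, not from the book): each entry is
# (name, annual probability the loss event occurs, lower and upper bound of a
# 90% confidence interval on the loss if it does). These are exactly the two
# quantities a "measurement of risk" needs: a probability and a quantified loss.
SCENARIOS = [
    ("data breach with legal liability", 0.10, 1_000_000, 25_000_000),
    ("ransomware outage",                0.05,   200_000,  8_000_000),
    ("insider data theft",               0.02,    50_000,  2_000_000),
]

# Constructed risk tolerance curve (assumption): (loss threshold, maximum
# acceptable probability of exceeding that loss in a year).
TOLERANCE = [(1_000_000, 0.25), (5_000_000, 0.10), (10_000_000, 0.015)]


def lognormal_params(lo, hi):
    """Convert a 90% CI on loss into (mu, sigma) of log(loss), assuming lognormal."""
    mu = (math.log(lo) + math.log(hi)) / 2          # log of the median loss
    sigma = (math.log(hi) - math.log(lo)) / (2 * 1.645)  # 90% CI = +/-1.645 sigma
    return mu, sigma


def simulate_annual_losses(scenarios, trials=10000, seed=1):
    """Monte Carlo: total loss for each simulated year, one entry per trial."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    totals = []
    for _ in range(trials):
        total = 0.0
        for _name, p, lo, hi in scenarios:
            if rng.random() < p:                     # does the event occur this year?
                mu, sigma = lognormal_params(lo, hi)
                total += rng.lognormvariate(mu, sigma)  # and how large is the loss?
        totals.append(total)
    return totals


def exceedance_probability(losses, threshold):
    """P(annual loss > threshold), estimated from the simulated years."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def loss_exceedance_curve(losses, thresholds):
    """Loss exceedance curve as (threshold, exceedance probability) pairs."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


def expected_annual_loss(losses):
    return sum(losses) / len(losses)


def tolerance_breaches(losses, tolerance):
    """Thresholds at which the simulated curve sits above the tolerance curve."""
    return [t for t, max_p in tolerance if exceedance_probability(losses, t) > max_p]


if __name__ == "__main__":
    years = simulate_annual_losses(SCENARIOS)
    print("expected annual loss: %.0f" % expected_annual_loss(years))
    for t, p in loss_exceedance_curve(years, [t for t, _ in TOLERANCE]):
        print("P(loss > %11d) = %.3f" % (t, p))
    print("tolerance breached at:", tolerance_breaches(years, TOLERANCE))
```

The output is the same shape of answer the book's definitions call for ("a 10% chance of a loss exceeding $10 million") but derived from the inputs rather than asserted, and the breach list shows where the tolerance curve is crossed.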
They also walk the reader through established methodologies like: Monte Carlo simulations, Bayesian interpretation, risk matrix, loss exceedance curve, heat maps, chain rule tree, beta distribution changes, regression model predictions, analytics maturity model, power law distribution, subjective probability, calibration, dimensional modeling, expected opportunity loss, bunch of guys sitting around talking, expected value of perfect information, NIST and ISO. They explain how to do each of these in Excel, so the methods are truly practical. They also lay out survey results from attitudes toward quantitative methods, the global information security workforce study, and stats literacy and acceptance studies.

This work follows other work like Factor Analysis of Information Risk (FAIR), which is a well-recognized value at risk (VaR) framework. They outline another Monte Carlo-based methodology and tools like those developed by Jack Jones and Jack Freund. Another similar work is *The Wisdom of Crowds* by James Surowiecki.

Finally, the book has some [great online resources](http://www.howtomeasureanything.com/cybersecurity). You can find eight sample downloads of the methods explained, as well as webinar/blog info.

### Conclusion

*How to Measure Anything in Cybersecurity Risk* is an extension of Hubbard's successful first book, *How to Measure Anything: Finding the Value of "Intangibles" in Business*. It lays out why statistical models beat expertise every time. It is a book anyone who is responsible for measuring risk, developing metrics, or determining return on investment should read. It provides a strong foundation in quantitative analytics with practical application guidance.

Bottom line: The authors lay out a solid case for why other industries with the similar challenges of lacking quantifiable, standardized or historical actuarial-table-like data are able to use classic statistical modeling and methodologies to measure risk in a qualified, repeatable way. Definitely worth considering.