I came to know about this book while listening to a podcast back in 2024. I don't remember exactly which podcast it was, although it was related to application or cloud security. In that podcast this book was mentioned and recommended as a read for security professionals. Having read it, I must say it was a really good read. I have not read the first edition of this book, although parts of the first edition are covered in the 2nd edition.

The current way of measuring risk based on risk matrices is wrong.
This book covers very well the drawbacks of approaches where risk matrices or ordinal scales are used to measure risk. Risk matrices are very subjective. From my own experience I have seen this first hand, and I have made the same mistake myself.
This book provides a solution: how to measure risk using probabilistic methods such as Bayesian inference, i.e. how Bayesian methods can be used to estimate risk under uncertainty. The advantage of using a Bayesian method for measuring risk is its ability to continuously update the risk estimate by combining prior knowledge with new data. In simple words, as we get more data we can estimate risk better.
There is an example in this book about calculating, with Bayes' method, the probability that MFA works in reducing data breaches. Information is available from vendors stating that MFA works, and there are also techniques from various resources to bypass MFA; together these inform a prior. Now, after calculating the probability that MFA works, suppose we get more information about how many breaches occurred in the industry our company belongs to. With this new information we can compute an updated probability that MFA works.
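The updating step described above, as an added worked example in Python; this is not code from the book or its companion website. Every number in it is constructed for illustration: the prior belief that MFA works, the assumed per-organization breach rates under each hypothesis, and the observed breach counts are placeholders, not figures from the book. "MFA works" is modelled as a lower yearly breach probability per organization than "MFA does not materially help", and each industry report is treated as a binomial observation.

```python
from math import comb


def binomial_likelihood(k: int, n: int, p: float) -> float:
    """P(k breached organizations out of n | each is breached with probability p)."""
    return comb(n, k) * p ** k * (1 - p) ** (n - k)


def bayes_update(prior: float, lik_h: float, lik_not_h: float) -> float:
    """Bayes' rule for a yes/no hypothesis H.

    P(H | data) = P(data | H) P(H) / [P(data | H) P(H) + P(data | not H) P(not H)]
    """
    evidence = prior * lik_h + (1 - prior) * lik_not_h
    return prior * lik_h / evidence


def update_mfa_belief(prior: float, n: int, k: int,
                      rate_if_works: float, rate_if_not: float) -> float:
    """Posterior P(MFA works) after seeing k breaches among n MFA-using organizations.

    rate_if_works / rate_if_not are the assumed per-organization breach
    probabilities under the two hypotheses (constructed placeholders).
    """
    lik_works = binomial_likelihood(k, n, rate_if_works)
    lik_not = binomial_likelihood(k, n, rate_if_not)
    return bayes_update(prior, lik_works, lik_not)


def sequential_update(prior: float, batches, rate_if_works: float, rate_if_not: float):
    """Feed each report in turn; yesterday's posterior becomes today's prior.

    Returns the trail of beliefs, starting with the prior itself.
    """
    belief = prior
    history = [belief]
    for n, k in batches:
        belief = update_mfa_belief(belief, n, k, rate_if_works, rate_if_not)
        history.append(belief)
    return history


# Constructed inputs (placeholders, not figures from the book):
PRIOR_MFA_WORKS = 0.60           # after weighing vendor claims against known bypasses
RATE_IF_WORKS = 0.05             # yearly breach probability per org if MFA works
RATE_IF_NOT = 0.15               # ... if MFA does not materially help
INDUSTRY_REPORTS = [(12, 1), (8, 0)]   # (orgs observed, breaches seen) per report

if __name__ == "__main__":
    trail = sequential_update(PRIOR_MFA_WORKS, INDUSTRY_REPORTS, RATE_IF_WORKS, RATE_IF_NOT)
    for step, belief in enumerate(trail):
        print(f"after {step} report(s): P(MFA works) = {belief:.3f}")
    pooled = update_mfa_belief(PRIOR_MFA_WORKS, 20, 1, RATE_IF_WORKS, RATE_IF_NOT)
    print(f"one update on the pooled data (20 orgs, 1 breach): {pooled:.3f}")
```

Two things worth noticing when running it. First, the binomial coefficient is the same under both hypotheses, so it cancels in the Bayes factor; that is why updating report by report gives exactly the same posterior as one update on the pooled data, which is the "continuously update as data arrives" property the book relies on. Second, the posterior is only as good as the two assumed rates: change RATE_IF_WORKS and RATE_IF_NOT and the same observations move the belief very differently, so those assumptions are the part a practitioner has to justify, not the arithmetic.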
This book discusses more powerful methods based on Bayes; in fact a chapter is dedicated to this. I must say that reading about probability after a long time needed some time to understand. I do feel I need to re-read this book to pick up the information I missed in my first read, as it has a lot of material covering quantitative and probabilistic methods. These methods give a much better picture of risk than matrices or ordinal scales, which give a really poor one. The book covers very well why the risk model based on risk matrices and ordinal scales is wrong. One good resource to understand Bayes' method is here. One example where Bayes is used is spam email estimation.
All models are wrong, but some are useful
George Box
There is a companion website for this book which has some good resources referenced in the book. I would definitely recommend this book if you are working in cyber security. It challenges what is currently used for risk estimates, i.e. risk matrices, and explains why they are not good at estimating risk. I believe the authors have done a good job explaining their point. For me, the next step will be to think about and apply the learnings from this book.
There is also a podcast which discusses this book with one of the authors; please take a look at it to get a good idea of what this book is about. Happy reading!
