
How to Measure Anything in Cybersecurity Risk

How secure am I? Am I better off than I was this time last year? Am I spending the right amount of money? How do I compare to my peers? What risk transfer options do I have?
Stuart McClure • How to Measure Anything in Cybersecurity Risk
What you want to know is whether you have less uncertainty after considering some source of data and whether that reduction in uncertainty warrants some change in actions.
Stuart McClure • How to Measure Anything in Cybersecurity Risk
We might also define an “Enterprise Attack Surface” that not only consists of all systems and networks in that organization but also the exposure of third parties. This includes everyone in the enterprise “ecosystem” including major customers, vendors, and perhaps government agencies. (Recall that in the case of the Target breach, the exploit came
...
Stuart McClure • How to Measure Anything in Cybersecurity Risk
Mostly, they seek out vulnerabilities, detect attacks, and eliminate compromises. Of course, the size of the attack surface and the sheer volume of vulnerabilities, attacks, and compromises means organizations must make tough choices; not everything gets fixed, stopped, recovered, and so forth. There will need to be some form of acceptable (tolerab
...