How to Measure Anything in Cybersecurity Risk

We might also define an “Enterprise Attack Surface” that not only consists of all systems and networks in that organization but also the exposure of third parties. This includes everyone in the enterprise “ecosystem” including major customers, vendors, and perhaps government agencies. (Recall that in the case of the Target breach, the exploit came

What you want to know is whether you have less uncertainty after considering some source of data and whether that reduction in uncertainty warrants some change in actions.

How secure am I? Am I better off than I was this time last year? Am I spending the right amount of money? How do I compare to my peers? What risk transfer options do I have?

Sometimes even small uncertainty reductions can be worth millions of dollars.