How To Measure Anything In Cybersecurity Risk (Private Seminar Plus)


In this 2-day Private Seminar, designed for up to 20 people at your location, Douglas Hubbard provides an introduction to how to measurably improve cybersecurity risk analysis. Several examples are shown with spreadsheet templates provided for the class. This will change the way you look at assessing cybersecurity risk. You will never be satisfied with soft scores and “risk matrices” again.

*Plus travel for domestic locations. This base price includes 3 live sessions and asynchronous Calibration Training, add a 4th live session (including live Calibration Training) for an additional $2,000. Further customization of materials may be extra (see options in the description below).

Optional $4,000.00/day for deep dive workshop into specific problem chosen by the client

Contact us for schedules, international location rates and additional details.


Drawing on techniques in Hubbard’s book, How to Measure Anything in Cybersecurity Risk, this session will completely change how you look at assessing risk in cybersecurity.

Topics in this session include: Principles of assessing and communicating risks, measuring “intangibles” like damage to reputation, measuring an expert’s skill at providing “calibrated estimates” of probabilities, using spreadsheet-based simulations, and how to make the case for quantitative methods in your organization. The session consists of core topics and optional topics as follows.

Core Topics:  The following topics are included in the standard version of the seminar (the first day of the 2-day event).

  • Introduction to the challenge of measuring cybersecurity risk and how common misconceptions lead to the belief that cybersecurity risk is not measurable.
  • Overview of how the performance of some of the most popular risk assessment methods, like heat maps, have been objectively measured – and how they failed.
  • See how a simple, quantitative model can replace heat maps – even with limited data – in a way that is consistent with actuarial methods.
  • Review the material using a case example for estimating cybersecurity risk.
  • Training in subjective assessment of probabilities in a way that your performance can be measured.

Additional Training Blocks: Build your second day by choosing from these half-day sessions or add a third day to cover all topics.

  • Calibration Training: HDR will teach the techniques behind subjectively assessing the probability of uncertain events and the ranges of uncertain quantities. This is an essential skill for anyone who needs to consider chance in decisions. Participants will see their skills measurably improve during the training with a series of “calibration exams.” Participants will also learn some of the techniques involved in training others to be calibrated. This training is completed asynchronously on our new, fully on-demand platform. If you would like to substitute this asynchronous Calibration Training with a live version, that is available for an additional $2,000. Note: this results in 4 total live sessions across the 2 days.
  • More Advanced Cybersecurity Measurement Topics: Participants will learn additional methods for more advanced cybersecurity measurement topics. These include statistical methods for reducing expert inconsistency, and updating models with new empirical data.
  • Challenges, Solutions, Next Step (CSN) Workshop: The objective of the CSN workshop is to help participants identify opportunities to apply the methods they learned to specific cybersecurity risk problems identified by you. The workshop will identify the appropriate methods for the problems and discuss how to get started on developing a full cybersecurity risk solution. This module allows participants to see the practical applications of what they learned and begin to plan details of next steps.

Optional Customization: If you need content developed specifically for your industry or your firm, email us to discuss an estimate for a customization effort.

Considering the remote option? These training blocks can be delivered via HDR’s Teams platform (or your company’s platform) over the course of consecutive days or spread out over a few weeks. We are happy to design the delivery timeline based on what works for your team and environment.