Inside the Book

Whether you're running your first quantitative risk assessment or building an enterprise CRQ program, you can start wherever you need to. The book builds conceptually from start to finish, but many readers jump directly to the chapters most relevant to their role or current problem. The outline below will help you decide where to begin.

Prologue: Risky Business

Why traditional cyber risk reporting fails to support real executive decisions, and what led to a practitioner-first approach to risk quantification.

Part 1: Foundations

Chapter 1: Welcome to the Rebellion
Explains why modern cyber risk programs often reward the appearance of progress rather than real risk reduction. Introduces uncertainty as a normal condition and frames quantitative risk as a practical alternative to heatmaps and compliance theater.

Chapter 2: Probability's Plot Twist: After 300 Years, We Colored It Red
Traces the history of risk analysis from probability theory to modern risk matrices. Clarifies the fundamental differences between qualitative and quantitative approaches and explains how cybersecurity ended up on the wrong path.

Chapter 3: GenAI Needs Adult Supervision
Shows how generative AI can support risk analysis without replacing human judgment. Provides simple rules for using AI responsibly in research, modeling, and analysis work.

Part 2: Getting Your Risk Muscles Working

Chapter 4: Foundations
Builds the core mental models needed for quantitative thinking, including ranges, uncertainty, frequency, and magnitude. Introduces essential vocabulary and the "less wrong" mindset used throughout the book.

Chapter 5: Your First Quantitative Risk Assessment
Walks step by step through building a simple quantitative risk model using Monte Carlo simulation. Demonstrates how to forecast frequency and magnitude and interpret results meaningfully.

Chapter 6: Interpreting and Communicating Quantitative Results
Explains how to turn numerical outputs into clear narratives for decision-makers. Covers histograms, loss exceedance curves, and how to communicate uncertainty without overwhelming executives.
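The workflow Chapters 5 and 6 describe (forecast event frequency and per-event loss as ranges, simulate many years, then read the result off a histogram or a loss exceedance curve) looks like this in code. This is an added illustration, not code or data from the book: the scenario values are constructed, and the choice to read a 90% range as the 5th and 95th percentiles of a lognormal, to draw event counts from a Poisson distribution, and the function names are all my assumptions.

```python
import math
import random
from statistics import mean

Z90 = 1.6449  # a two-sided 90% interval spans +/- 1.645 standard deviations


def lognormal_from_ci(lo, hi, z=Z90):
    """Convert a 90% range (lo, hi) into lognormal parameters (mu, sigma).

    Assumption: lo and hi are the 5th and 95th percentiles of the quantity,
    the usual convention for calibrated estimates.
    """
    if not (0 < lo < hi):
        raise ValueError("need 0 < lo < hi")
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * z)
    return mu, sigma


def sample_poisson(rng, lam):
    """Knuth's method; adequate for the small annual event rates typical of cyber scenarios."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(freq_ci, mag_ci, trials=20000, seed=1):
    """One trial is one simulated year; returns the total loss for each year.

    freq_ci: 90% range for events per year (our uncertainty about the rate).
    mag_ci:  90% range for loss per event, in currency units.
    """
    rng = random.Random(seed)
    f_mu, f_sigma = lognormal_from_ci(*freq_ci)
    m_mu, m_sigma = lognormal_from_ci(*mag_ci)
    losses = []
    for _ in range(trials):
        rate = rng.lognormvariate(f_mu, f_sigma)  # this year's "true" event rate
        n_events = sample_poisson(rng, rate)       # how many events actually occur
        losses.append(sum(rng.lognormvariate(m_mu, m_sigma) for _ in range(n_events)))
    return losses


def loss_exceedance(losses, thresholds):
    """P(annual loss >= x) for each x: the points of a loss exceedance curve."""
    n = len(losses)
    return [(x, sum(1 for loss in losses if loss >= x) / n) for x in thresholds]


def summarize(losses):
    """The few numbers an executive summary usually needs."""
    srt = sorted(losses)
    n = len(srt)
    return {
        "mean": mean(srt),
        "p50": srt[int(0.50 * n)],
        "p90": srt[int(0.90 * n)],
        "p99": srt[int(0.99 * n)],
        "p_any_loss": sum(1 for loss in srt if loss > 0) / n,
    }


if __name__ == "__main__":
    # Constructed scenario (illustrative only): a ransomware event is judged to
    # happen 0.1 to 1 times per year and to cost $50k to $2M when it does.
    losses = simulate_annual_losses((0.1, 1.0), (50_000, 2_000_000))
    for key, value in summarize(losses).items():
        print(f"{key:>11}: {value:,.2f}")
    for x, p in loss_exceedance(losses, [0, 100_000, 500_000, 1_000_000, 5_000_000]):
        print(f"P(loss >= ${x:>9,}) = {p:.3f}")
```

The mean annual loss is the single number most often reported, but the exceedance points are what answer the questions executives actually ask ("how likely is a year worse than a million dollars?"), and the p50/p90/p99 spread is the honest statement of uncertainty that Chapter 6 is about; hiding it behind the mean alone is how heatmap-style false precision creeps back in.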

Chapter 7: From Risk Statements to Assessment Scope
Shows how to translate vague concerns into clear, measurable risk scenarios. Introduces structured methods for defining scope and building a data collection roadmap.

Chapter 8: Understanding Loss: The Six Forms
Breaks loss into six practical categories used in cyber risk analysis. Provides guidance on when to decompose loss, how to estimate magnitude, and how to avoid double counting.

Part 3: Solving the Data Problem

Chapter 9: Getting Unstuck with Data
Dismantles common myths about data availability in cyber risk. Introduces the three core data sources: external data, internal data, and subject matter expert judgment.

Chapter 10: How to Vet and Believe Your Data
Provides a simple, time-boxed method for evaluating data quality. Shows how to make defensible decisions even when data is incomplete or imperfect.

Chapter 11: Finding and Using External Data
Explains how to locate, evaluate, and apply external research. Covers multiple ways external data can support scenario building, modeling, and validation.

Chapter 12: Your Best Evidence: Finding and Using Internal Data
Shows how to extract meaningful insights from operational, incident, and audit data. Includes practical methods for transforming raw internal data into usable inputs.

Chapter 13: Your Secret Weapon: Subject Matter Experts
Explains how to work effectively with SMEs, even when they are not calibrated estimators. Introduces structured elicitation techniques and practical workshop formats.

Chapter 14: How to Blend Data
Introduces Bayesian thinking as a practical mental model for combining data sources. Walks through a step-by-step blending process with worked examples.

Part 4: Risk Assessment in Action

Chapter 15: Extending This to CRQ
Shows how quantitative analysis supports what-if analysis, sensitivity testing, and return on security investment discussions. Connects modeling outputs directly to decisions.

Chapter 16: Extending to FAIR
Explains FAIR in plain language and shows how to apply only as much decomposition as needed. Demonstrates how the techniques in this book map cleanly to the FAIR ontology.

Chapter 17: How to Run a Complete CRQ Assessment (A Full Walkthrough)
Provides a full end-to-end walkthrough using a realistic ransomware scenario. Brings together scenario framing, data collection, modeling, and decision support.

Part 5: Making It Stick

Chapter 18: CRQ in the Org
Explores why CRQ programs succeed or fail in real companies. Introduces the Six Levers that shape risk over time and explains how to sustain momentum.

Chapter 19: Making Better Decisions with CRQ
Connects quantitative risk analysis to real decision types, including investments, strategy, and board-level reporting. Focuses on turning analysis into action.

Chapter 20: The Future of CRQ (And Yours Too)
Looks ahead at how AI, the shift from compliance-oriented analysts to quantitative thinkers, and organizational change are reshaping the field. Closes with guidance for building a long-term career in quantitative risk.

Appendixes

Appendix A: Jargon-less Risk Glossary
Plain-language glossary organized by category, with chapter cross-references.

Appendix B: Six Forms of Loss – Detailed Reference Guide
Calculation frameworks, measurement proxies, and data sourcing guidance for each of the six FAIR loss categories.

Appendix C: Data Types Quick Reference
A guide to the data formats you'll encounter when gathering evidence: counts, frequencies, probabilities, monetary values, time durations, and more.

Appendix D: Data Source Evaluation Framework
A checklist for assessing external data quality, covering bias, definitional drift, geographic mismatch, and outdated sources.