Ben's Book of the Month: Review of "Understand, Manage, and Measure Cyber Risk"

Posted on by Ben Rothke

In the 1964 US Supreme Court case of Jacobellis v. Ohio, Supreme Court Justice Potter Stewart delivered what has become the famous line of “I know it when I see it.” While the case there was about pornography, too many people use a similar approach when it comes to information risk management. They don’t measure, understand, or define it but think they know it when they see it.


In Understand, Manage, and Measure Cyber Risk: Practical Solutions for Creating a Sustainable Cyber Program (Apress), author Ryan Leirvik has written a helpful reference to guide the reader in creating a risk management program.


Measuring risk, like measuring blood pressure, is one thing. But the goal is not to measure it once; it is to build a long-term program. Creating a sustainable program to deal with risk is a distinct goal in its own right, and that is what sets the book apart. Leirvik shows how to create a program that will work over the long term.


The book opens by noting that the problem around risk is threefold:

  • Technology is an enabler
  • Inherently flawed humans build technology
  • Advantageous actors misuse technology to reap rewards


He then details the many component parts of a risk management program. Leirvik has extensive real-world experience, and besides detailing what needs to be done, he also cautions the reader about numerous pitfalls to avoid. In the sometimes irrational exuberance to create a risk management program, a firm can, in fact, introduce greater risk if it does not implement the program correctly. Leirvik does a good job of showing the reader how to do it correctly.


The definitive text on measuring risk is Measuring and Managing Information Risk: A FAIR Approach by Dr. Jack Freund and Jack Jones. At 200 pages, Leirvik's book is an introduction and far from a comprehensive reference on the topic. But for those who are serious about building out their risk management program, Understand, Manage, and Measure Cyber Risk is an excellent resource to start with.

Ben Rothke

Senior Information Security Manager, Tapad
