
Foreword: How to Measure Anything in Cybersecurity Risk

Stuart McClure · Foreword to Douglas Hubbard and Richard Seiersen, Wiley, 2016

How to Measure Anything in Cybersecurity Risk, by Douglas Hubbard and Richard Seiersen, addressed one of the most persistent failures in enterprise security: the inability to make rigorous, quantitative decisions about risk. Most security programs in 2016 relied on qualitative ratings — high, medium, low — that created the appearance of analysis without its substance. Hubbard and Seiersen brought the applied information economics framework that Hubbard had pioneered in other domains into the security context, demonstrating that cybersecurity risk is in fact measurable and that organizations that treat it as such make fundamentally better decisions.

Stuart McClure's foreword to this volume reflects his long-standing belief that security must be approached empirically rather than intuitively. His experience at Cylance — building a company whose central argument was that prevention was measurably better than detection and response — made him acutely aware of how much of the industry's conventional wisdom was built on assertion rather than evidence. The book's argument that even uncertain quantities can be measured, and that imperfect measurement is better than no measurement, aligned directly with the epistemological framework that drove the AI-first prevention thesis.

The foreword situates the book within the broader challenge of security leadership: making resource allocation decisions in an environment of genuine uncertainty, where the consequences of error are severe and the data available to inform decisions is incomplete. Stuart's perspective as a CEO and founder — someone who had to make large capital commitments based on assessments of risk and opportunity — gave him standing to endorse the book's insistence that better analytical methods yield better decisions, even in domains that seem resistant to quantification.

How to Measure Anything in Cybersecurity Risk has become a foundational text for security risk professionals who want to move beyond frameworks that substitute categorization for analysis. Stuart's foreword helped position it at its publication as essential reading not just for risk analysts but for security executives who set the standards by which risk is communicated and evaluated across their organizations.
