I also listened to How to Measure Anything in Cybersecurity Risk 2nd Edition by the same author. It had a huge amount of overlapping content with The Failure of Risk Management (and the non-overlapping parts were quite dry), but I still learned a few things:
Executives of big companies now care a lot about cybersecurity (e.g. citing it as one of the main threats they have to face), which wasn’t true in ~2010.
Evaluation of cybersecurity risk is not at all synonymous with red teaming. This book is entirely about risk assessment in cyber and doesn’t speak about red teaming at all. Rather, it focuses on reference class forecasting, comparison with other incidents in the industry, trying to estimate the damages if there is a breach, … It only captures information from red teaming indirectly, via expert interviews.
I’d like to find a good resource that explains how red teaming (including intrusion tests, bug bounties, …) can fit into a quantitative risk assessment.
I’m interested in using the SAEs and auto-interp GPT-3.5-Turbo feature explanations for RES-JB for some experiments. Is there a way to download this data?