Issue 0: I Signed a Book Deal! 🎉 Field Notes Begins
Real-world CRQ, GenAI tips, and better risk decisions - one practical dispatch at a time.
Hey there,
Thanks for being one of the very first subscribers. I'm really glad you're here.
✉️ Why Issue 0?
This is a special celebration edition: part book deal announcement, part welcome note, and part "let's get you started on your first CRQ assessment right now."
From Heatmaps to Histograms: Field Notes officially kicks off in July 2025, with monthly issues featuring CRQ tactics, prompts, tools, and deep dives. Consider this your early-access sneak peek. Thanks for being here from the start.
🎉 HUGE NEWS: I Signed a Book Deal!
I'm absolutely thrilled to share that I've officially signed with Apress to publish my first book! After years of writing, testing, and refining these ideas in the field, From Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification will hit shelves in early 2026 in both print and ebook formats, wherever books are sold.
This feels surreal and I'm incredibly excited to get this knowledge into your hands. Here's the book description:
Cyber risk quantification (CRQ) is the practice of measuring cybersecurity risk using numbers—not colors or guesswork. Instead of labeling risks “high,” “medium,” or “low,” CRQ uses probabilities, ranges, and impact estimates to help organizations make better, data-informed decisions about risk.
In a world where ransomware gangs operate like small businesses, every core function of an organization is digital, and Boards and regulators are demanding meaningful, defensible risk metrics, CRQ has never been more relevant than now. And thanks to AI, it’s about to scale fast.
At the same time, CRQ is often misunderstood as expensive, technical, or just “voodoo math.” People assume you need a stats degree, six-figure software, or a room full of analysts. This book is here to prove otherwise.
From Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification is a hands-on, plain-English guide written by a seasoned practitioner who’s built CRQ programs at top global companies. It’s packed with step-by-step instructions, practical tips, templates, shortcuts, AI prompts, and plenty of myth-busting to take you from CRQ skeptic to CRQ champion—even if you’ve never cracked open a statistics book.
All techniques in this book can be performed in Excel or Google Sheets—no coding required. But for readers who want to go further, you’ll find dozens of GenAI prompts that help you generate risk scenarios, clean messy data, or even “vibe-code” your way through a Monte Carlo simulation in Python or R. You'll also get guidance on when to not use AI, how to spot hallucinations, and how to integrate it responsibly into your risk practice.
CRQ is no longer optional. This is your roadmap for making it work—cheaply, ethically, and effectively.
🎯 Your First CRQ Assessment: Start Here
The key insight: Your first CRQ assessment should analyze a risk that informs a concrete business decision that's already on the table. Don't pick a random "hot risk" and hope it becomes relevant later.
Ask: "What decision do we need to make where risk is genuinely a factor?"
Look for upcoming decisions like:
"Should we buy cyber insurance this year?"
"Is this $200K security tool worth it?"
"Is it safer to move this system to the cloud?"
Why this works: You get built-in stakeholders who already care about the outcome, clear success metrics, and immediate relevance.
Pick the Right Risk to Quantify
Once you've identified that business decision, your next step is choosing which risk to analyze that would most influence that choice.
Start with what's already keeping people up at night. Your assessment should tackle something leaders are already discussing:
"How bad could a ransomware attack really get?"
"What if we get hit with a data breach like [recent headline]?"
"What's our realistic exposure if this vendor gets compromised?"
Pick a topic that's already on someone's mind, and you'll get faster traction and better engagement.
Keep it simple and contained. Don't pick abstract risks like "third-party risk" or scenarios with endless branches. Good starter risks have clear loss paths:
High-Impact, Manageable Scenarios
Ransomware attacks - Plenty of public data on frequency, ransom amounts, recovery costs
Business email compromise - Clear financial impact, documented rates by industry
Data breaches - Well-researched cost data available (Verizon DBIR, Cyentia IRIS 2025)
Gather Your Data
Ask "Where can I get numbers?" You don't need perfect data, but pick something you can estimate:
Has this happened to companies like yours?
Can you find public research or get SME opinions?
Can you describe the loss in 4-5 clear steps?
The goal isn't precision; it's building a reasonable model that informs your decision.
Report Risk that Supports the Decision
Your analysis should directly feed into the business choice you identified at the start. The best CRQ assessments answer specific questions:
Will this help leadership say yes or no to a specific investment?
Could it inform budget, policy, or insurance decisions?
Does it feed into an upcoming board presentation or audit?
Remember: CRQ works best when it supports actual business choices, not when it sits in a report that nobody reads.
🤖 Need help brainstorming? Try these GenAI prompts:
For finding business decisions:
I work in [role] at a [company size/industry] organization. Based on typical corporate calendars and security priorities, what are 5 major business decisions coming up in the next 6-12 months where cybersecurity risk analysis could influence the outcome? For each decision, explain: who typically makes it, what risk factors are usually considered, and what data would be most persuasive to decision-makers.
For identifying relevant risks:
I work in [industry sector] and our technology stack includes [list key systems/platforms]. Research the most significant cyber incidents in my industry from 2024-2025. For each major incident, help me understand: what was the initial attack vector, how much did it cost the victim organization, what controls might have prevented it, and what frequency data exists for this type of attack in our sector. Focus on incidents that resulted in quantifiable losses and include the source data.
Don’t forget to double-check everything GenAI comes back with. Ask for citations and references and verify yourself.
The Sweet Spot
A concrete business decision that executives need to make soon, where analyzing a specific cyber risk they're already worried about, with decent available data, would genuinely influence the choice.
Pro Tips for Success
Start small. Your first assessment doesn't need to be comprehensive. Pick one decision, one risk, one analysis. Do it well, show the value, then expand.
Focus on "good enough" data. Industry averages plus educated estimates beat pure guesswork every time. Don't let perfect be the enemy of good.
Make it visual. A simple slide showing "current risk vs. risk after investment" speaks louder than spreadsheets full of numbers.
Practice the pitch. Before you present, rehearse explaining your analysis in 2 minutes. If you can't make it clear and compelling quickly, simplify further.
Remember: The goal isn't to predict the future perfectly. It's to make better decisions under uncertainty by putting numbers on trade-offs that were previously just gut feelings.
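To make the four steps above concrete, here is an added example (my own illustration, not code from the newsletter or the book) of the kind of Monte Carlo model the book describes, built for the "Is this $200K security tool worth it?" decision: a ransomware-style loss path described in four steps, each step a (min, mode, max) triangular estimate, and a "current risk vs. risk after investment" comparison. Every figure is a constructed placeholder, and the 40% frequency reduction attributed to the tool is an assumption, not a vendor claim.

```python
import math
import random
# Constructed placeholders for the "$200K tool" decision, not newsletter/book data.
EVENT_RATE = (0.05, 0.15, 0.40)   # events per year as (min, mode, max)
LOSS_STEPS = {                    # loss path in four steps, USD (min, mode, max)
    "detection_and_response": (20_000, 60_000, 250_000),
    "downtime": (50_000, 200_000, 1_500_000),
    "recovery_and_rebuild": (30_000, 120_000, 600_000),
    "legal_and_notification": (0, 40_000, 400_000),
}
TOOL_COST = 200_000       # annual cost of the proposed control (assumed)
RATE_REDUCTION = 0.40     # assumed: the tool cuts event frequency by 40%

def poisson(rate, rng):
    """Knuth's method: number of events in one simulated year."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def one_event_loss(rng):
    """Sum the loss-path steps, each drawn from its triangular estimate."""
    return sum(rng.triangular(lo, hi, mode) for lo, mode, hi in LOSS_STEPS.values())

def annual_losses(rate_scale=1.0, trials=10_000, seed=7):
    """Monte Carlo: one simulated year per trial -> total annual loss per trial."""
    rng = random.Random(seed)
    lo, mode, hi = EVENT_RATE
    out = []
    for _ in range(trials):
        rate = rng.triangular(lo, hi, mode) * rate_scale
        out.append(sum(one_event_loss(rng) for _ in range(poisson(rate, rng))))
    return out

def summarize(losses, threshold=1_000_000):
    """Annualized loss (mean), 90th percentile, and P(annual loss > threshold)."""
    ordered = sorted(losses)
    return {"mean": sum(losses) / len(losses),
            "p90": ordered[int(0.9 * len(ordered))],
            "p_exceed": sum(x > threshold for x in losses) / len(losses)}

def compare_decision():
    """Current risk vs. risk after investment; net benefit = loss avoided - tool cost."""
    before = summarize(annual_losses())
    after = summarize(annual_losses(rate_scale=1 - RATE_REDUCTION))
    return {"before": before, "after": after,
            "net_benefit": before["mean"] - after["mean"] - TOOL_COST}
```

With these placeholder inputs the expected annual loss avoided is below the tool's cost, which is exactly the kind of trade-off the "current vs. after investment" slide should surface; swap in your own estimates and the answer may flip.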
🧭 What You Can Expect Going Forward
That guide above is exactly the kind of practical, field-tested content you'll get every month starting in July.
This newsletter is for anyone trying to do cyber risk quantification in the real world - with limited time, limited budget, and a high bar for quality.
I'll be sharing:
🧪 CRQ tips, tools, and workflows: beginner to advanced, all field-tested
📊 Breakdowns of public reports and datasets (like the DBIR and industry studies)
🧠 Prompts, scripts, and techniques for using GenAI in risk analysis (strategically, not recklessly)
📬 Q&As and AMAs: answering your questions and surfacing the ones we all have but rarely ask
📎 Book previews and behind-the-scenes cuts that didn't make it into the final pages
🔁 Occasional links to great writing and thinking from others in the CRQ and risk world
Some issues will be deep dives. Some will be quick hits. But my promise is this: it'll always be practical.
📚 What I'm Reading
Each issue, I'll share a few blog posts, research articles, or tools worth your time. Here are two standouts I've been diving into:
Operationalizing Cybersecurity Risk Quantification by James Hanbury: This 5-part LinkedIn series tackles the practical challenges of implementing CRQ at scale. What I love about James's approach is how he addresses the organizational dynamics that make or break CRQ initiatives. It's not just about the math - it's about building consensus, creating shared language, and designing metrics that actually drive decisions. Essential reading if you're trying to move CRQ from spreadsheet exercises to business strategy.
Quantifying Cyber Financial Impact: Step-by-Step Guide with Triangular Distribution by Mehdi Kiani: A solid walkthrough of using triangular distributions for modeling cyber losses when you have limited data. Kiani does a nice job showing the actual mechanics. If you're looking for concrete examples of how to move from expert estimates to probability distributions, this hits the sweet spot between accessible and rigorous.
Got recommendations? Send them my way and I'll feature reader picks too.
🗂 From the Archives
Here are a few recent blog posts of mine you might enjoy:
Six Levers That Quietly Change Your Risk and How to Spot Them: Controls are just one lever. Most changes in risk come from forces far outside your walls, from M&A activity to threat actor capability shifts to regulatory changes. A framework for spotting what's actually moving your risk math.
AGI Dreams: What Keeps a Risk Professional Up at Night: What happens when a quantitative risk analyst tries to model something that doesn't exist yet? A personal take on artificial general intelligence, uncertainty, and why fictional AI might be our best frame of reference for the real thing.
Why Ransomware Isn't Just a Technology Problem (It's Worse): Ransomware persists not because of tech failures, but because it exploits economic misalignments between victims, insurers, law enforcement, and vendors. When everyone has competing incentives, the only winners are the criminals.
🙋 How You Can Help
This is just the beginning, and I'd love to make this newsletter something genuinely useful for you.
✅ Tell me what topics you want covered: beginner, advanced, tools, AI use, anything
✅ Forward this to a colleague who's curious about CRQ
✅ Click the ❤️ or comment if you're into this
If someone forwarded this to you, you can subscribe here to get future issues.
Thanks again for being here. The real fun starts in July.
- Tony
Great post Tony - including the sharing of thought leadership CRQ links! Looking forward to the future issues & deep dives.
Great first post! QQ on risk visualization: there's been debate on the effectiveness of loss exceedance curves (LECs) in the CRQ community. I've found that _interactive_ LECs are effective, what has been your experience, Tony? (in LECs and visualizations generally)