Lack of hard numbers is the most-lamented difficulty in applying real risk management to security. The bottom line is that there’s no reason to throw up your hands and say it can’t be done. Alex Hutton and Doug Hubbard had a productive discussion that we called “The great IT risk measurement debate” Online it’s in two parts: Part one and Part two. Bob Violino wrote an overview of four of the four formal risk assessment framework for IT risk assessment tools. Onward, CSO will provide new material on both those topics.”]
Source: https://www.csoonline.com/article/2135930/measuring-it-risk.html