Richard Seiers: Vulnerabilities are not risks and we need to stop acting like they are. He says 70% to 90% of the “high risks” he’s examined in organizations over the past several years do not, in fact, represent high risk. The good news is that measuring infosec risk is not that hard once you’ve gotten your terms straight and when you leverage well-established sources of risk disciplines, Seiers says. Good news: In given today’s imperatives surrounding cyber risk and technology, we’re given imperatives and imperatives.”]
Source: https://www.darkreading.com/attacks-breaches/what-we-talk-about-when-we-talk-about-risk