Risk should be objectively quantified.
A quantified risk level helps decision makers prioritize spending on risk treatment. If applied information security is to be realized cost-effectively, the risk level is our tool. It is derived by estimating the probability and impact of the risk event, ideally in monetary terms.
Objectivity in risk quantification requires historical data as a foundation for estimating event likelihood, plus a thorough understanding of the event's business impact.
(some of) my events
- 2023-11-16 Psychological perspectives on understanding human decision-making in situations involving risk and uncertainty (attending symposium, Stockholm)
- 2023-08-23--24 Riskbaserat arbetssätt (teaching course, Stockholm)
- 2023-05-30 Informationssäkerhet och risk (pod interview in Swedish)
- 2023-05-11 Certifierad IT-arkitekt (guest lecturing, Stockholm)
- 2022-12-05 Datavetenskapliga programmet (guest lecturing, University of Gävle)
20230802