Calculating cyber risk is at best an imperfect science. There are a number of factors that need to be calculated to determine risk, and the accuracy and completeness of each of these factors determine the overall accuracy of your risk determination.
There are two different types of risk assessments commonly used: qualitative risk assessment and quantitative risk assessment. A qualitative risk assessment does not try to assign a specific dollar amount or number value to the possibility of occurrence, impact or risk rating. Rather, these factors are expressed as severity ratings such as high, medium or low (or very high, high, medium, low and very low if you want to be more granular).
For whatever cyber asset you are assessing, you begin by identifying threats to the asset paired with vulnerabilities that attackers could exploit to adversely affect that asset. These are called threat / vulnerability pairs. For each threat / vulnerability pair, you then determine the likelihood that the threat will be realized (likelihood determination), coupled with the probable impact to the asset / organization if it is. You then subtract from this calculation the effectiveness of the security controls you have in place to prevent the threat actor from exploiting the vulnerability.
You can express this as a formula such as: (threat / vulnerability) x likelihood of occurrence x impact – control effectiveness = risk (or residual risk). Although this is written mathematically, it should be understood as a mental model rather than an actual quantifiable formula when performing a qualitative risk assessment.
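The qualitative procedure above (threat / vulnerability pairs, likelihood and impact ratings, minus control effectiveness) can be turned into a small, repeatable risk register. The following is an added example and not code from the original article: the five-point scale, the 5x5 matrix buckets, the "one step down per level of control effectiveness" rule and the sample register entries are all assumptions chosen for illustration, and a real methodology would tune each of them.

```python
from dataclasses import dataclass

# Five-point severity scale used for likelihood, impact, control effectiveness
# and the resulting risk rating. List position doubles as the ordinal value.
LEVELS = ["very low", "low", "medium", "high", "very high"]


@dataclass(frozen=True)
class ThreatVulnPair:
    """One threat / vulnerability pair against a single asset (ratings are LEVELS values)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    control_effectiveness: str


def _idx(level: str) -> int:
    """Ordinal of a rating; rejects anything outside the agreed scale."""
    if level not in LEVELS:
        raise ValueError(f"unknown rating {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def inherent_risk(likelihood: str, impact: str) -> str:
    """Rating before controls: a 5x5 matrix scored as (likelihood+1) * (impact+1), range 1..25.
    The score-to-rating buckets below are an assumed mapping, not one prescribed by the article."""
    score = (_idx(likelihood) + 1) * (_idx(impact) + 1)
    if score <= 2:
        return LEVELS[0]
    if score <= 5:
        return LEVELS[1]
    if score <= 10:
        return LEVELS[2]
    if score <= 16:
        return LEVELS[3]
    return LEVELS[4]


def residual_risk(pair: ThreatVulnPair) -> str:
    """Apply 'minus control effectiveness' by stepping the inherent rating down one level
    per level of control effectiveness, never below 'very low' (assumed rule)."""
    inherent = _idx(inherent_risk(pair.likelihood, pair.impact))
    return LEVELS[max(0, inherent - _idx(pair.control_effectiveness))]


def rank_register(register: list[ThreatVulnPair]) -> list[tuple[str, str, str]]:
    """Return (asset, threat, residual rating) rows, highest residual risk first."""
    rows = [(p.asset, p.threat, residual_risk(p)) for p in register]
    return sorted(rows, key=lambda r: _idx(r[2]), reverse=True)


# Constructed sample register for one asset; the ratings are illustrative, not measured.
SAMPLE_REGISTER = [
    ThreatVulnPair("customer DB", "external attacker", "unpatched SQL injection in web front end",
                   likelihood="high", impact="very high", control_effectiveness="medium"),
    ThreatVulnPair("customer DB", "insider", "excessive DBA privileges",
                   likelihood="low", impact="medium", control_effectiveness="high"),
    ThreatVulnPair("customer DB", "hardware failure", "no tested backups",
                   likelihood="low", impact="high", control_effectiveness="very low"),
]

if __name__ == "__main__":
    for asset, threat, rating in rank_register(SAMPLE_REGISTER):
        print(f"{asset:12} {threat:18} residual risk: {rating}")
```

Because every rating is forced onto one agreed scale, two assessors reviewing the same register get the same residual ratings, which is the main thing a qualitative model can offer; the absolute positions of the buckets matter far less than applying them consistently.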
The same factors are also in play in a quantitative risk assessment. However, in quantitative risk assessment you try to assign actual numbers and dollar amounts to some factors. In other words, you might determine that the possibility of occurrence is 50% for a given period of time and that the impact of an occurrence will cost you $150,000.
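With real probabilities and dollar figures, the loss expectancy for a period is simply probability times cost of one occurrence, and the same numbers let you ask whether a control is worth its price. The block below is an added example, not code from the article; it uses the article's 50% and $150,000 figures, and the control cost, the reduced probability after the control and the second risk are constructed values. The cost-benefit comparison goes one step beyond what the paragraph states, but it is the usual reason for wanting quantitative figures in the first place.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantitativeRisk:
    """Quantitative view of one threat / vulnerability pair over a fixed period (e.g. one year)."""
    name: str
    probability: float           # possibility of occurrence within the period, 0.0..1.0
    impact_cost: float           # cost of a single occurrence, in dollars
    residual_probability: float  # probability once the proposed control is in place (assumed)
    control_cost: float          # what the control costs over the same period (assumed)


def expected_loss(probability: float, impact_cost: float) -> float:
    """Loss expectancy for the period: probability of occurrence times cost of an occurrence."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if impact_cost < 0:
        raise ValueError("impact cost cannot be negative")
    return round(probability * impact_cost, 2)


def control_net_benefit(risk: QuantitativeRisk) -> float:
    """Expected loss the control removes minus what the control costs for the period.
    A negative result means the control costs more than the risk it reduces."""
    before = expected_loss(risk.probability, risk.impact_cost)
    after = expected_loss(risk.residual_probability, risk.impact_cost)
    return round(before - after - risk.control_cost, 2)


def total_expected_loss(risks: list[QuantitativeRisk]) -> float:
    """Expected loss for a whole system before controls, summed over its risks."""
    return round(sum(expected_loss(r.probability, r.impact_cost) for r in risks), 2)


# Constructed sample: the first entry reuses the article's 50% / $150,000 figures; the
# control figures and the second entry are invented to show both outcomes.
SAMPLE_RISKS = [
    QuantitativeRisk("ransomware on file server", probability=0.50, impact_cost=150_000,
                     residual_probability=0.10, control_cost=20_000),
    QuantitativeRisk("lost laptop with cached data", probability=0.02, impact_cost=40_000,
                     residual_probability=0.01, control_cost=5_000),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name}: expected loss ${expected_loss(r.probability, r.impact_cost):,.2f}, "
              f"control net benefit ${control_net_benefit(r):,.2f}")
    print(f"system total before controls: ${total_expected_loss(SAMPLE_RISKS):,.2f}")
```

The second entry is the instructive one: a plausible-sounding control that costs $5,000 to halve a $800 expected loss is a net loss, which is exactly the kind of judgement a high / medium / low rating cannot make for you.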
Although quantitative risk assessments give you harder data, they are best used for individual processes, applications or systems. Quantitative risk assessments are very hard to perform for complex systems such as those found in an enterprise-level risk assessment. The number of factors to assess and the way threats and vulnerabilities intermingle make actual dollar amounts, time spent, etc. simply too difficult to determine with any accuracy. That is why the vast majority of risk assessments carried out by organizations are qualitative in nature.
However, whether qualitative or quantitative risk assessments are performed, the key to their overall usefulness is the accuracy you achieve in uncovering valid threats, finding all vulnerabilities, determining the true likelihood of occurrence and accurately calculating the impact to the organization. Garbage in, garbage out, no matter which method you use.