Today, many Security Operations monitoring and visualization capabilities attempt to present a picture of cyber “Risk” automatically by connecting Threat data (Cyber Threat Intel and/or actual internal events) with related Vulnerabilities in the organization’s cyber infrastructure. At best this is an incomplete picture, and it can often be misleading.
This gets to the root of what some refer to as Cyber “Situational Awareness”. There can be no awareness of the “Risk” in a situation that does not consider the actual Consequences to the Organization that may result from a Threat exploiting a Vulnerability. The original “Risk Formula” concept from the 90s (shown at right; note that it is not an actual mathematical formula, but simply an abstract model) captured the critical role that Consequence (or “impact”) plays as the major factor in assessing Risk.
The point of this “Risk Formula”: if there is no Consequence, there is no Risk.
Consequences are a key component of the context that should be used to prioritize all decisions.
The Consequences of predicted compromises justify security investments.
The Consequences of actual incidents prioritize which get worked on first.
And the Consequences of any potential Countermeasure options are critical to decision making that balances the interests of all stakeholders… in real time.
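The following is an added illustration, not code from the original post, of why a threat-times-vulnerability view alone misleads prioritization. It treats the abstract “Risk Formula” as a simple product (an assumption made here for illustration; the model itself is not mathematical) and ranks a constructed set of findings two ways: once on Threat and Vulnerability only, as a monitoring console typically does, and once with Consequence included. The asset names, scores and the ordinal consequence weights are all invented for the example.

```python
from dataclasses import dataclass

# Assumed mapping from an impact category to a numeric weight (0 = no consequence).
CONSEQUENCE_WEIGHTS = {
    "none": 0.0, "low": 0.2, "moderate": 0.5, "high": 0.8, "critical": 1.0,
}


@dataclass(frozen=True)
class Finding:
    asset: str
    threat: float         # 0-1: likelihood an actor is targeting or exploiting this
    vulnerability: float  # 0-1: exploitability / exposure of the weakness
    consequence: float    # 0-1: business impact if the threat succeeds


# Constructed sample findings (illustrative only). The isolated test VM is the
# "screaming red" item on a threat+vulnerability dashboard, yet nothing of value
# is lost if it is compromised.
SAMPLE_FINDINGS = [
    Finding("internet-facing-vpn", threat=0.9, vulnerability=0.8,
            consequence=CONSEQUENCE_WEIGHTS["critical"]),
    Finding("isolated-test-vm", threat=0.9, vulnerability=0.9,
            consequence=CONSEQUENCE_WEIGHTS["none"]),
    Finding("payroll-db", threat=0.3, vulnerability=0.4,
            consequence=CONSEQUENCE_WEIGHTS["critical"]),
    Finding("marketing-site", threat=0.8, vulnerability=0.6,
            consequence=CONSEQUENCE_WEIGHTS["low"]),
]


def threat_vuln_score(f: Finding) -> float:
    """What a threat-to-vulnerability correlation view effectively computes."""
    return f.threat * f.vulnerability


def risk_score(f: Finding) -> float:
    """Assumed multiplicative reading of Threat x Vulnerability x Consequence.
    A zero Consequence drives the product to zero: no Consequence, no Risk."""
    return f.threat * f.vulnerability * f.consequence


def rank(findings, scorer) -> list[str]:
    """Asset names ordered from highest to lowest score under the given scorer."""
    return [f.asset for f in sorted(findings, key=scorer, reverse=True)]


def zero_consequence_findings(findings) -> list[str]:
    """Findings that carry no Risk regardless of how loud the threat signal is."""
    return [f.asset for f in findings if risk_score(f) == 0.0]


def main() -> None:
    print("Threat x Vulnerability only:", rank(SAMPLE_FINDINGS, threat_vuln_score))
    print("With Consequence:           ", rank(SAMPLE_FINDINGS, risk_score))
    print("No Risk at all:             ", zero_consequence_findings(SAMPLE_FINDINGS))


if __name__ == "__main__":
    main()
```

Run as a script, the first ranking puts the isolated test VM at the top and the payroll database last; adding Consequence moves the VPN and the payroll database to the top and drops the test VM to a Risk of zero. The scoring scale and the product form are choices made for this example; what carries over to any real model is that an item with no Consequence should never outrank one that has.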