As posted by Steve King on the Cyber Theory website (https://cybetheory.io/the-risk-bsed-approach-to-cybersecurity), the New York State Department of Financial Services regulation 23 NCRR 500 is a model for a risk based approach to cybersecurity. The foundation is the requirement for a risk assessment that allows entities to focus on their security program rather than acting as a compliance mandate.
Complying with the regulation's risk assessment requirement, and managing cybersecurity in general, requires a company to know their customers, shareholders and assets, and what would compromise their business in case of a breach.
According to King, traditional risk frameworks can be tedious to compile. Companies tend to "dither and debate", and only update once a year or when required. FAIR (Factor Analysis of Information Risk) is a framework designed to address these weaknesses by allowing for mathematical modeling of loss exposures. FAIR can be difficult to use and relies on small guesses which aggregated form a large and probably inaccurate estimate of actual exposures.
King's preferred equation is risk=vulnerability x threat x impact which results in a more accurate assessment. To be meaningful, vulnerabilities must be prioritized for action based on impact.
Today technology can collect threat data and assess risk in real time. Every business needs a risk assessment process that will address cyber threats on this basis.
If you operate in New York State, your public applications must take precedence over internal applications. This should enable you to align your company's cybersecurity budget with actual risk.