A book by the name of How to Measure Anything in Cybersecurity Risk articulates enhanced metrics (versus impact & likelihood) via Bayesian models.

However, outside of cyber insurers & actuaries, most risk management / cybersecurity functions struggle with even the simplest metrics. That happens due to a lack of technical key risk indicators (KRIs) agreed to by the business.

While quantitative analysis can help derive budgeting priorities, most organizations are simply not mature enough to know the qualitative gaps within their enterprise.