I frequently present on security threats and the Symantec Internet Security Threat Report. There are many great statistics from the current report, 403M unique variants of malware, 5.5B web attacks blocked, 4,597 web attacks per day, etc. I frequently describe the different types of attackers, Malicious Outsiders, Insiders, Organized Crime, etc. The question that is frequently posed after the presentation is “How big of a target are we?” Many security professionals are looking for the input to the risk formula for the probability of being attacked by one of the attacker types. Unfortunately, this hard quantitative data does not exist, we can only do our best to estimate it based upon the data and information we have about the current threat landscape, as well as industry and company trends. At this point the conversation turns to risk management and we begin to discuss what information or processes would the different types of attacker want to possess, destroy or expose. In many organizations this is fairly easy discussion and it usually surrounds intellectual property or non-public personal information. Many times companies do not see or understand all of their intellectual property items such as pricing or efficiencies in process or SAP. The attackers will data mine to understand exactly what your company has of value. The next part of the discussion centers on how popular or well known is your organization. There are several factors that play into this, size of the company, recent news events such as mergers and acquisitions, rumors of new products, etc. There is an old saying that all publicity is good, from a security perspective I believe the opposite is true. Any time my former employer made an announcement especially around merger and acquisitions we saw an increase in malicious activity. The final portion of the how big is the target discussion centers around what the company itself is seeing, are the Key Risk Indicators increasing? Have there been smaller unexplained events? Trying to understand what is the current trend surrounding the companies network and information. The more points of information that can be brought in to this estimate for each threat type gives us a that much clearer of a picture. Although it is not perfect or purely quantitative, estimating the attack and attack success probability with these factors on a scale whether that is high, medium, low or percentages does give us better data and removes some of the FUD, Fear-Uncertainty-Doubt. How can the industry get better with defining and quantifying risk? Risk will always be part subjective but if we do get better risk and proactive threat intelligence it will make everyone in security’s life much easier. It is very easy to sell security after a breach but much harder to justify it before without better data.