Axio believes the threat is not the risk – the risk is the business impact of the threat. For most firms, the greater part of cybersecurity effort and budget is targeted at mitigating threats rather than managing risk. While mitigating threats is important, it alone is not true risk management; and is repeatedly demonstrated to be insufficient.

True risk management can only come from an accurate quantification of the business impact caused by different threats. As a simple example, a DDoS attack is a threat, but the risk is the business impact; that is, the cost and effect of downtime caused by the DDoS attack.