To hit the business risk management goal, here is what businesses need to know:
Expected loss avoided = expected loss without defense − (sum of expected loss with defense and cost of defense).
Expected loss without defense = loss if type of breach occurs × probability of its occurrence without defense
Expected loss with defense = loss if type of breach occurs × probability of its occurrence with defense
Businesses do not have sufficiently accurate estimates of either the likely loss from a type of breach or the probability of a breach occurring either with or without a particular type of defense.
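The effect of that uncertainty on the formulas above can be made concrete. The following is an added example, not part of the original text: it evaluates expected loss avoided once with point estimates and once with ranges for the loss and both probabilities, and reports when the ranges are too wide to say whether the defense is worth its cost. All figures and function names are constructed for illustration.

```python
from itertools import product

def expected_loss(loss, probability):
    """Expected loss = loss if the breach occurs x probability it occurs."""
    return loss * probability

def expected_loss_avoided(loss, p_without, p_with, cost):
    """Expected loss without defense minus (expected loss with defense + cost)."""
    return expected_loss(loss, p_without) - (expected_loss(loss, p_with) + cost)

def avoided_range(loss_rng, p_without_rng, p_with_rng, cost):
    """Bounds on expected loss avoided when each input is only known as (low, high).

    The formula is linear in each input taken separately, so its minimum and
    maximum over the ranges are reached at the corner combinations.
    """
    corners = [
        expected_loss_avoided(loss, p0, p1, cost)
        for loss, p0, p1 in product(loss_rng, p_without_rng, p_with_rng)
    ]
    return min(corners), max(corners)

def verdict(low, high):
    """Classify the decision given the bounds on expected loss avoided."""
    if low > 0:
        return "defense pays for itself"
    if high < 0:
        return "defense costs more than it saves"
    return "indeterminate"

if __name__ == "__main__":
    # Constructed sample figures, not data from any real organization.
    cost = 50_000
    point = expected_loss_avoided(1_000_000, 0.15, 0.05, cost)
    print(f"point estimate: {point:,.0f}")

    low, high = avoided_range(
        loss_rng=(200_000, 2_000_000),   # loss if the breach occurs
        p_without_rng=(0.05, 0.30),      # probability without the defense
        p_with_rng=(0.01, 0.10),         # probability with the defense
        cost=cost,
    )
    print(f"range: {low:,.0f} to {high:,.0f} -> {verdict(low, high)}")
```

With these sample ranges the point estimate is positive, yet the bounds straddle zero, so the same defense could be a clear saving or a net cost depending on which estimates turn out to be right.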