A risk-based approach to cyber security can yield credible estimates of annualized expected losses under different security policies. These estimates can take account of abrupt changes in attacker behavior, damage to intangibles and future vulnerability exploits. They can be used to determine defensive priorities and to justify security budgets. This talk will lay out a five-phase program.