"You can’t always get what you want. But if you try sometimes . . . you get what you need." This is the case with risk metrics. An easy-to-calculate risk metric, using easy-to-collect numbers, is never going to be available. But examining the way an organization creates value allows credible, quantitative answers to risk questions. This allows gains from vulnerability reduction to be quantified.