Today, determining risk of a cyberattack is the generic vulnerability or malware rating ignoring aspects of how the business is impacted. Understanding the vulnerability state of the network, reputational risk, business loss, cost of IR and reconstitution cost are rarely understood. This presentation will show a data-driven approach to IR prioritizing response based on risk and business impact.