"The difference between the cyber risk assessment and the safety risk assessment is the lack of quantitive data. It’s much easier to ascertain the probability of system failure due to the huge amounts of data created during exercises such as Mean Time Between Failure, calculating operating hours vs number of failures.
In cyber security, much of the risk is based on human behaviour and therefore it is much more difficult to predict when a breach might happen, meaning we can never accurately quantify the probability of risk"