In numerous discussions and forums recently, the conversation about the need for a risk management approach to cybersecurity has quickly devolved into a discussion about cyber hygiene and, ultimately, a discussion about compliance (with perhaps some simple metrics thrown in).

This pattern of following a difficult but business-oriented discussion of risk with a trivial oversimplification is common within government and industry circles, and even among the most sophisticated CISOs. What we really need, however, is a holistic risk framework and a solid commitment to risk-based measurements in order to accurately understand and defend against the most serious cybersecurity threats facing our country. Too often we focus solely on cyber hygiene, which, while important, doesn't fully address the more severe risks organizations face with increasing frequency.

Consider the analogy to personal hygiene. Do we believe everyday tasks such as brushing our teeth, washing our hands and taking a shower will prevent serious illnesses, birth defects or cancer? No. We believe that although good hygiene will help prevent many common ailments and even life-threatening diseases, from periodontal disease to the flu, it fails to thwart those more complex ailments. Because of this, we know we need to continue funding cancer research to find a cure, taking antibiotics for serious or chronic infections and leveraging technology such as MRIs to identify internal maladies that don't respond to simple hygiene changes.

Simple practices don't prevent serious risks

In a similar way, cyber hygiene lends itself to simple surveys, compliance scans and audits. But will those perfectly acceptable practices help prevent more serious risks? I'd argue not, as those real risks often require something much more analytically sound and scientifically grounded.

It is certainly good to be able to report that an organization passed an audit on a required security compliance regime, but it is difficult or impossible to describe how much risk was reduced by that level of compliance (or how much remains).

What is needed is a truly analytical framework that enables executives to communicate in the language of risk and the language of the business. And while I like some aspects of NIST 800-30 (mainly the definitions), it's certainly not helpful for implementing a risk approach. At the highest level, a risk analytic approach should answer these questions:

Which threats are most likely to occur?
What are our greatest vulnerabilities?
What would be the consequence if a threat event was successful?

Translating these into business terms is key, and measuring them so that risks and countermeasures can be prioritized is essential. Further, the approach needs to be analytically valid and automated, not just a once-in-a-while paper endeavor.

Just as people must maintain personal hygiene, organizations must maintain regular cyber hygiene for healthy outcomes. But it's critical they don't neglect the tools and processes that mitigate cyber risk, the most serious threats to our security. Both are critical, and it's essential we understand the differences.

Are you seeing good examples of risk programs? Please share! In subsequent posts, we'll discuss analytical approaches and review some good examples.
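The three questions above (likelihood, vulnerability, consequence) can be turned into a measurable, repeatable prioritization rather than a once-a-year paper exercise. The following is an added example, not code from this column, from NIST 800-30, or from any product; it assumes a deliberately simple quantitative model (expected annual loss = annual likelihood of an attempt × probability the attempt succeeds given our vulnerability × business consequence in dollars) and ranks countermeasures by the risk they remove per dollar spent. Every threat name, probability, dollar figure and countermeasure effect is a constructed sample value.

```python
"""Risk-register prioritization: added worked example, not the column's own method.

Model (an assumption, kept simple on purpose):
  expected annual loss = annual_likelihood * success_prob * consequence
Countermeasures are scored by expected loss removed per dollar of annual cost.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    annual_likelihood: float   # expected attempts per year ("which threats are most likely?")
    success_prob: float        # P(success | attempt): our vulnerability to it
    consequence: float         # business loss in dollars if it succeeds

    def expected_loss(self) -> float:
        """Annualized expected loss for this threat under the simple model."""
        return self.annual_likelihood * self.success_prob * self.consequence


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    # threat name -> fraction by which this control reduces success_prob
    reductions: dict = field(default_factory=dict)


def rank_threats(threats):
    """Threats ordered by expected annual loss, largest first."""
    return sorted(threats, key=lambda t: t.expected_loss(), reverse=True)


def residual_loss(threats, cm):
    """Total expected loss across all threats once a single countermeasure is applied."""
    total = 0.0
    for t in threats:
        reduction = cm.reductions.get(t.name, 0.0)
        total += t.annual_likelihood * t.success_prob * (1.0 - reduction) * t.consequence
    return total


def rank_countermeasures(threats, countermeasures):
    """Return (name, loss_reduced, net_benefit, reduced_per_dollar), best value first."""
    baseline = sum(t.expected_loss() for t in threats)
    scored = []
    for cm in countermeasures:
        reduced = baseline - residual_loss(threats, cm)
        net = reduced - cm.annual_cost
        per_dollar = reduced / cm.annual_cost if cm.annual_cost else float("inf")
        scored.append((cm.name, reduced, net, per_dollar))
    return sorted(scored, key=lambda s: s[3], reverse=True)


# Constructed sample register: figures are illustrative, not measured data.
THREATS = [
    Threat("phishing-led credential theft", 12.0, 0.10, 250_000),
    Threat("ransomware via unpatched edge device", 2.0, 0.25, 2_000_000),
    Threat("lost unencrypted laptop", 3.0, 0.50, 60_000),
]
COUNTERMEASURES = [
    Countermeasure("phishing-resistant MFA", 120_000, {"phishing-led credential theft": 0.9}),
    Countermeasure("30-day patch SLA for edge devices", 80_000, {"ransomware via unpatched edge device": 0.6}),
    Countermeasure("full-disk encryption", 20_000, {"lost unencrypted laptop": 0.95}),
]

if __name__ == "__main__":
    print("Threats by expected annual loss:")
    for t in rank_threats(THREATS):
        print(f"  {t.name:40s} ${t.expected_loss():>12,.0f}")
    print("Countermeasures by loss reduced per dollar:")
    for name, reduced, net, per_dollar in rank_countermeasures(THREATS, COUNTERMEASURES):
        print(f"  {name:40s} reduces ${reduced:>10,.0f}  net ${net:>10,.0f}  {per_dollar:.2f}x")
```

On the sample data the audit-friendly control (full-disk encryption) is cheap and effective but addresses the smallest risk, while the patch SLA for edge devices removes the most expected loss per dollar; that is the kind of business-language answer a compliance checklist cannot give. The inputs are the hard part: likelihood and success probabilities should come from incident data and measured control coverage, and the script is meant to be re-run as those measurements change rather than filled in once a year.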