Many organizations rely on qualitative approaches to evaluating and communicating risk that simply do not answer some of the most important questions organizations should ask, for example: “Are we protecting information better than last year?” or “How much risk did we reduce through our investments in information security?” In this section, we present a quasi-quantitative approach that addresses the shortcomings of traditional qualitative approaches and helps organizations (1) provide better answers to these questions and (2) manage information security risks in a more efficient and cost-effective way.