Factor Analysis of Information Risk (FAIR)
Energy is using cyber risk assessments to make cloud decisions
The department has launched risk analysis initiatives at national labs, rather than waiting for the perfect metrics, to establish standards.
Why government is slow to endorse frameworks for quantifying cybersecurity risk
Until individual agencies like the Department of Energy and Department of the Treasury see success quantifying risk, the practice won't likely be mandated.