Having an inaccurate top-risk list is symptomatic of a deeper problem that affects resource needs.
The government has to cost-effectively allocate attention and resources to protecting our most critical information assets.
If we want to be effective in communicating relevance to leaders, then a different level of effort is required.
Take every practical step to ensure government can apply its limited cybersecurity resources as cost-effectively as possible.
If the landscape is complex and dynamic, how reliable can a risk measurement be that has little analysis underpinning it?