Let’s start off with the factors that mostly concern businesses (if you are more interested in what would affect you as an individual, you can skip to the next section).

Business relations can also be a factor in rating both the consequence and the probability. This stems from the fact that while your company might be a low-value target in its own right, your customers or suppliers might be high-value targets. For example: one of your salespeople gets their e-mail credentials stolen, the attackers identify that there is an ongoing negotiation between you and a big prospect, and they send your prospect malware hidden in a document that looks like something that has previously been part of the conversation. Now either the prospect detects the malware before anything can happen on their end, or they end up with their account compromised. Either way, your reputation will take a big hit and the contract might go to someone else. This is why one needs to assess not only one’s own company value but also the value of every business relation the company has.

Lateral social movement is similar to the previous factor, but here the attacker looks for people inside your company to move to. We usually tell people not to open attachments from senders they don’t know, but if a co-worker sends us an e-mail with an attachment, we often don’t think twice before opening it. This is why even if a person with little access or authority within the company gets breached, their account can be leveraged to spread to others with more access or more authority. Securing everyone within your company is therefore equally important, not just the CEO.
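The two factors above (the value of business relations, and lateral social movement between colleagues) are really the same idea: an account is only as "low value" as the most valuable party that would trust a message from it. The following added example, which is not from the original article, models that as a directed trust graph and computes each account's effective value, i.e. the highest-value party reachable through chains of trusted messages. All names, values and edges are a constructed sample for illustration; it generalises the article's two scenarios (salesperson to prospect, junior staff to management) to any number of hops.

```python
from collections import deque

# Constructed sample (hypothetical names and values, not from the article).
# VALUES: assessed asset value of each party on a 1-10 scale.
VALUES = {
    "intern": 1,
    "salesperson": 2,
    "manager": 4,
    "supplier": 5,
    "ceo": 8,
    "big_prospect": 9,
}

# TRUST: an edge A -> B means B would normally trust and open a message
# coming from A, so a compromised A can be used to reach B.
TRUST = {
    "intern": ["manager"],
    "manager": ["ceo", "salesperson"],
    "salesperson": ["big_prospect", "manager"],
    "ceo": ["big_prospect", "supplier"],
    "supplier": ["ceo"],
    "big_prospect": [],
}


def reachable(graph, start):
    """Breadth-first search: every party reachable from `start` through
    trusted messages, including `start` itself."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def effective_value(graph, values, start):
    """Consequence rating for a compromise of `start`: the value of the most
    valuable party the attacker could reach from it, not just its own value."""
    return max(values[n] for n in reachable(graph, start))


def exposure_report(graph, values):
    """Per account: (own value, effective value, number of parties reachable).
    A large gap between own and effective value marks a 'low-value' account
    that still needs the same protection as the high-value ones."""
    report = {}
    for node in values:
        reach = reachable(graph, node)
        report[node] = (values[node], effective_value(graph, values, node), len(reach))
    return report


def risk_score(likelihood, graph, values, start):
    """Simple risk rating used in the article's terms: probability (0-1)
    times the effective consequence of losing `start`."""
    return likelihood * effective_value(graph, values, start)


if __name__ == "__main__":
    for account, (own, eff, n) in sorted(exposure_report(TRUST, VALUES).items()):
        print(f"{account:13s} own={own:2d} effective={eff:2d} reachable={n}")
    # The intern's own value is 1, but a phished intern reaches the CEO and
    # the prospect, so the risk of that account is rated against value 9.
    print("intern risk at 50% likelihood:", risk_score(0.5, TRUST, VALUES, "intern"))
```

In the sample, the intern has an own value of 1 but an effective value of 9, because intern → manager → ceo → big_prospect is a chain of messages each recipient would trust. That gap is the quantitative form of the article's point: rate the probability of a phish against the individual, but rate the consequence against what that individual can reach.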

Passive monitoring is another factor to consider. The attacker could be content with monitoring the behavior of the system or user for years while waiting for the opportunity to strike. Your company might be worth more in a year or two, so they can afford to wait and spread while you have no idea that everything you communicate is being monitored.

Resale value follows on from the previous factor of passive monitoring: the attacker could also decide to simply sell the access to a third party and cash in. While the transfer by itself isn’t something that changes the risk, it is a reminder that even the most “boring” and transparent companies can be targeted simply because their hardware can be used for other ends.