Capability * Intent != Risk
Traditional formulas of risk assessment applied to cybersecurity simply do not work due to the fundamentally different landscape of cybersecurity. Assessment based on capability breaks due to the proliferation of computation, internet connection, and commodity attack tools. Applied to physical threats historically this framework functions because access to resources is limited. In an arena where capability extends down to every child with a tablet and where financial motivation drives most attacks traditional application of physically based nation state threats crumbles.