IT security and risk management often ignore or underestimate the human factor (psychological, behavioural, societal, organisational and economic aspects) in the identification of cyber-risks, their quantitative economic impact and the costs of countermeasures. Cyber-attacks can harm intangible assets like reputation, IPR, expertise, and know-how. And there is severe imbalance between the efficiency of attacks and inadequate defences, due in part to the lack of quantitative information for decision makers to prioritise security investments.