If you want to treat cyber as another business risk, then it needs to be assessed and evaluated in a way that lets you compare it with, and aggregate its effect with, other sources of business risk.
I encourage you to subscribe (free) to McKinsey’s frequent reports. Their latest, Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity, has some good observations. Unfortunately, their ideas for addressing the problem don’t work for me.
A couple of recent pieces shed some light, some amazing light, on how cyber-related risk is perceived by executives and the board.