One of the things we like to do when we do risk assessments is truly understand what is important and what potential threats could do to that data or information system. Once the systems and data have been categorized, a good exercise is to ask yourself the following questions about what you think of as your most valuable data:
Who else might this be valuable to? By understanding who it would be valuable to, you can get a sense of what type of attackers you are likely to face.
What might an attacker do to that data or system? By understanding this you get a better sense of things to focus on.
What items do I have in place that will slow or prevent this from happening? These are called your security controls, and they are what slows or stops an attacker from being successful.
What will it cost the attacker to carry out that attack? Just like you, attackers often have limited resources. Once you know the types of likely attackers you will face, you can look at what you think the attack will cost them. Do your protections make that type of attack cost-prohibitive for the attacker? In this way you can start thinking about cost vs. benefit.
If your most likely attacker is a script kiddie up to no good, it might be relatively easy to make the attack too costly. If your likely attacker is a nation state, it is going to take a lot more protection to reduce your risk. By doing this you start developing a sense of what you need to do to protect your most valuable systems and information from your most likely attacker.