Risk management is widely seen as the basis for cybersecurity in contemporary organizations. Risk management aims to minimize the combined cost of security breaches and measures to prevent breaches. This article analyzes debate over computer security risk assessment in the 1970s and 1980s, arguing that the most valuable part of risk management, learning, is also one of its most neglected aspects.

The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. 1