Risk equals the likelihood of a security event multiplied by business impact, said Scott Crawford, senior analyst for Enterprise Management Associates, explaining his formula for determining risk.
Likelihood equals vulnerability times the threat divided by mitigation, he said. Business impact includes a combination of lost revenue, regulatory penalties and intangible effects, such as brand damage.
Without metrics, companies would have no way of knowing how much they should spend on risk management, the panel said.
"That desire to know where they compare to everyone else is a cry for measurement," said Dan Geer, chief scientist for data security firm Verdasys. "(Without metrics), we (would be) talking forever about security with adjectives, not numbers."
Some of the more than 200 people in attendance criticized the formula as nothing new.
While the experts admitted it may be impossible to perfectly quantify something, companies would still be better off going through the process, especially in an environment of increasing regulatory compliance, the panel said. Conducting measurements forces companies to assess themselves from a security perspective, the panelists added.
"It's still something you're doing to express change," said John Meakin, group head of information security for Standard Chartered Bank.
Others still weren't sold on the metrics.
Audience member Donn B. Parker, a consultant with security management firm RedSiren, said risk cannot be measured because it is managed by unknown people.
"There are too many variables," Parker said.
Also joining the panel was Preston Wood, chief information security officer for Zions Bancorporation.