We can’t have a 100% secure solution in the course of business. We need to evaluate risk and reduce it to an acceptable level to achieve our mission.
The hard part is an objective assessment of risk, with a predicted likelihood and the value tied to the consequence. Decision support then means weighing the business outcome values against the cost of reducing the likelihood.
For cyber risk, this is more challenging because when new threats are uncovered, they have an immediate impact. Their frequency cannot be predicted using a traditional approach.
At worst, be prepared for bad things to happen, with reasonable efforts to recover, instead of trying to prevent any KNOWN threats, because there are so many unknowns beyond imagination.