I was recently presenting on the use of statistics for risk analysis at the SIRACon conference held in Minneapolis (Oct. 9th and 10th, 2014). I was explaining how models and algorithms work at a high level: given one or more observations and the outcomes, we build models or algorithms to learn how the observations can help predict the outcome. As examples, I used things like CVSS, the Binary Risk Assessment and the Ponemon cost of data breach (CODB) report.
More here: http://datadrivensecurity.info/blog/posts/2014/Dec/ponemon/