Cyber risk is just one of many: how to classify it correctly

Yannick H.

Too Long; Didn't Read

The cybersecurity industry depends on you being afraid. Cyber risk is real — but it is not your only business risk, and often not even the biggest one. Those who allocate their security budget in proportion to the actual risks (instead of in proportion to their panic) make better decisions. The first step: put all risks on the same table and compare them honestly.

The cybersecurity industry is good at one thing: selling fear.

Annual breach statistics. Insurance companies with catastrophe scenarios. Media outlets that sensationalize every hack. And yes—to some extent, rightly so. Cyber incidents cost money, time, and trust. That is not an invention.

But here is what this industry never says out loud: cyber risk is only one of many risks threatening your company. Not the most important. Not the least important. One of them.

And anyone who runs their company as if cyber were the only real risk is managing the wrong problem.

The problem with fear as the basis for budget decisions

We see this regularly in our work with Swiss SMEs and mid-market companies. One company spends CHF 400,000 per year on security tools. Good on them. EDR, SIEM, MFA, vulnerability scanners, security awareness training. The whole list.

And then we ask: "Do you have a business continuity plan?"

Silence.

Or: "What happens if your best developer quits tomorrow?"

Even more silence.

This is not a reproach. It is a pattern. Cybersecurity providers are well organized, well funded, and have spent years creating an emotional reflex: if something has "cyber" in the name, it must be important. Financial risk? Dry. Key-person risk? Uncomfortable, but abstract. But a ransomware attack? There is a report. There is an image. There is a number.

The consequence: budgets move toward the loudest risk. Not the biggest one.

(By the way, this is not a specifically Swiss phenomenon. It is human. We react more strongly to vivid scenarios than to quiet probabilities.)

What your risk portfolio really contains

When we do a structured risk assessment with companies, six categories typically come to the table. Cyber is one of them.

Financial risk – liquidity bottlenecks, currency fluctuations, bad debtors, unexpected large expenses. For many SMEs, the most existentially risky field. A single major customer not paying can do more damage than a medium-sized cyber incident.

Operational risk – key-person dependency, supply chain disruption, process failure. How many of your critical processes depend on one person? And what happens if that person is gone?

Regulatory risk – compliance gaps, license violations, regulatory changes (GDPR, NIS2, new industry regulations). Often underestimated in Switzerland because regulation comes slowly—but when it comes, it comes fast.

Market risk – customer loss, competition, disruption from new entrants. A startup breaking into your core segment and offering 30% lower prices: that is often more existential than any data breach.

Cyber risk – data breach, ransomware, business interruption, reputational damage. Real. Measurable. And yes, growing.

Strategic risk – wrong bets, missed opportunities, misallocation of resources. The least discussed risk. And often the most painful.

None of these categories has priority from the outset. They can all damage or destroy your company. The question is: Which ones threaten you specifically, by how much, and what does it cost you to mitigate them?

Why "high/medium/low" does not work

The classic risk matrix is... useless.

(We say this after years of doing risk assessments for companies. Sorry, but it is true.)

The problem: "High risk" for company A can mean CHF 50,000. For company B, the same label means CHF 5 million. And yet both sit on the same color in the matrix. Red is red.

What actually helps is quantification. Not perfect precision—that does not exist. But rough financial scenarios that apply to your specific company.

Concretely: What would a ransomware attack cost you—not "the average company," but you? How many hours of downtime are realistic? What do you lose per hour? How high is the ransom risk in your industry? Which data would be affected and what does that mean from a regulatory perspective?

The same question for key-person risk: what would it cost if your best developer or your most experienced project manager left? Recruitment, onboarding, lost know-how, project delays?

And for customer loss: what happens if your biggest customer—20% of your revenue—switches to a competitor?

When you place these numbers side by side, it often becomes clear: the ranking of risks looks different from the ranking of budgets.

What proportional security means

Proportional security does not mean investing less in cyber. It means investing in cyber because the risk justifies it—not because a vendor gave a great pitch.

We worked with a manufacturing company with 80 employees. Security budget: CHF 180,000 per year. That sounded reasonable at first. But when we mapped the risk landscape, the dominant risk was operational: 60% of production processes depended on a single person, the CFO was also the only accountant, and there were no documented procedures.

One illness could have brought the company to a standstill for weeks.

The cyber risk? Moderate. No cloud infrastructure. Hardly any external attack vectors. The CHF 180,000 was well-intentioned—but it did not protect against the biggest actual risk.

What we recommended: reduce the security budget to CHF 120,000 (but focus it sharply), and invest CHF 60,000 in process documentation, deputy arrangements, and a real business continuity plan.

No vendor lobbied for that. But it was the right thing.

(By the way, we have a whole article on how to focus the security budget on what matters: How to allocate your security budget correctly.)

Swiss companies and their blind spots

Swiss companies are generally risk-aware. Precision, reliability, conservatism—that is not a cliché, we see it in practice. Many SMEs have solid financial buffers, think long term, and do not take unnecessary risks.

But there are two typical blind spots:

First: cyber is overweighted because the reporting is loud. If the neighboring business gets hit by ransomware, it sticks with you. That creates reactions that do not necessarily match your own risk profile.

Second: strategic risk is systematically underestimated. The question "Are we on the right course?" is rarely treated as rigorously as "Is our perimeter secure?" Yet a wrong strategic bet—a wrong product, wrong market segment, wrong technology platform—is often more consequential than any hack.

We have seen this in many risk analyses: the companies that get through crises well are not the ones with the best security stack. They are the ones that know their overall risk and respond proportionally.

A simple framework to start with

You do not need to implement a full enterprise risk management methodology. For most SMEs, a simple approach is enough:

Write down the six risk categories. For each one: estimate the worst-case scenario in CHF. Estimate the probability of occurrence over the next three years. Multiply both (expected loss). Then: how much are you currently investing to mitigate this risk?

That will not give you a perfect picture. But it will show you whether the distribution of your resources roughly matches the distribution of risk—or not.

Often this exercise is enough to make visible what everyone already suspected: we spend 80% of our risk budget on 20% of our actual risk.

And then you can start correcting that.
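The framework above, carried through in code as an added example that is not part of the original article: six categories, worst case times probability, then the share of expected loss next to the share of current mitigation spend. All CHF figures, probabilities and spend amounts are constructed for a hypothetical SME, not taken from the article.

```python
# Added example: expected-loss comparison across the six risk categories.
# All numbers below are invented for illustration.

# Constructed inputs per category:
# (worst case in CHF, probability over the next three years, current annual spend in CHF)
RISKS = {
    "financial":   (1_500_000, 0.20,  10_000),
    "operational": (2_000_000, 0.30,   5_000),
    "regulatory":  (  300_000, 0.15,  15_000),
    "market":      (3_000_000, 0.10,  20_000),
    "cyber":       (  800_000, 0.25, 180_000),
    "strategic":   (2_500_000, 0.10,       0),
}


def expected_loss(worst_case, probability):
    """Framework step: worst-case loss multiplied by probability of occurrence."""
    return worst_case * probability


def risk_vs_spend(risks):
    """Per category: expected loss, its share of total expected loss, the
    category's share of total mitigation spend, and spend share / risk share.
    A ratio far below 1 means the category is starved relative to its risk;
    far above 1 means it is overweighted."""
    total_loss = sum(expected_loss(w, p) for w, p, _ in risks.values())
    total_spend = sum(s for _, _, s in risks.values())
    rows = {}
    for name, (w, p, s) in risks.items():
        el = expected_loss(w, p)
        loss_share = el / total_loss
        spend_share = s / total_spend if total_spend else 0.0
        rows[name] = {
            "expected_loss": el,
            "loss_share": loss_share,
            "spend_share": spend_share,
            "spend_to_risk": spend_share / loss_share if loss_share else float("inf"),
        }
    return rows


def budget_concentration(rows):
    """The '80% of budget on 20% of risk' check: the category receiving the
    largest share of spend, with that spend share and its share of risk."""
    top = max(rows, key=lambda n: rows[n]["spend_share"])
    return top, rows[top]["spend_share"], rows[top]["loss_share"]


if __name__ == "__main__":
    table = risk_vs_spend(RISKS)
    for name, r in sorted(table.items(), key=lambda kv: -kv[1]["expected_loss"]):
        print(f"{name:12} EL=CHF {r['expected_loss']:>9,.0f}  risk={r['loss_share']:5.1%}"
              f"  spend={r['spend_share']:5.1%}  spend/risk={r['spend_to_risk']:.2f}")
    print(budget_concentration(table))
```

With these constructed figures, cyber carries about 12% of the expected loss but receives about 78% of the spend, while operational risk (35% of expected loss) gets about 2%.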

(That does not mean neglecting cyber. Pragmatic cybersecurity is possible—we describe our approach in this article: Pragmatic cybersecurity: Why fewer tools often mean more protection.)

Tomorrow morning

Before you evaluate the next security tool or accept the next vendor offer, do one thing first: write down all the risks of your company on a sheet of paper—not just cyber. Financial, operational, regulatory, market, cyber, strategic. And ask yourself for each one: what does it cost me if it happens?

This one exercise—30 minutes, no tool required—will change how you think about your security budget.

If you need support with that or want to do a structured risk assessment for your company, see how we approach it: ODCUS Cybersecurity Advisory.

Join us on the journey

Effortlessly schedule a conversation and discover how we bring success in the digital world to your company.


Grabenstrasse 15a

6340 Baar

Switzerland

+41 43 217 86 70

Copyright © 2026 ODCUS | All rights reserved.
