As security and technology leaders we often get wrapped up in maturity assessments and qualitative risk metrics that border on guessing. We've all had a goal of "maturity level 3"at some point in our careers, but what in the world does that mean? How did someone come up with that? Instead of playing the guessing game, lets establish some real criteria. How much risk are we comfortable with as a business? How are we developing our controls, spending our money, to manage to that risk tolerance appropriately? Using FAIR, and thinking about the problem a little differently, we can more efficiently spend our budgets and more accurately manage risk. We'll talk through a few real world risk examples and show some metrics examples to allow for better risk discussion and management.