Abstract: A method and system for risk-adaptive security investment optimization that uses asset-centric risk quantification to estimate risk levels and establish a cyber program maximizing the impact of cyber spend on risk reduction, while taking into account changes in an organization's threat landscape, control environment and infrastructure. The method and apparatus can be used to identify and measure information security risks across a plurality of information systems, based on the estimated losses associated with individual assets, the likelihoods of cyber threats applicable to information technology assets in their computing environment, and the assurance levels of the cybersecurity controls that counteract those threats. Based on the measured risks, the method and apparatus automatically generates a risk-tailored, impact-maximizing security program that focuses on systemic and individual control issues in a network of inter-connected assets.
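The following is an added illustration, not code from the patent: it models the three inputs named in the abstract (per-asset loss, threat likelihood, control assurance) and greedily allocates a fixed budget to control upgrades by risk reduction per unit of spend. The combining formula (loss x likelihood x probability that every applicable control fails), the upgrade options, and the sample environment are all assumptions; the patent does not specify them.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Control:
    assurance: float      # current assurance level of the control, 0..1
    upgrade_cost: float   # spend needed to raise it
    upgraded: float       # assurance level after the upgrade

@dataclass(frozen=True)
class Asset:
    loss: float           # estimated loss if the asset is compromised
    likelihood: float     # likelihood of the threats applicable to it
    controls: tuple       # ids of the controls that counteract those threats

def asset_risk(asset, controls):
    # Assumed model: loss x likelihood x probability that every control fails.
    failure = 1.0
    for cid in asset.controls:
        failure *= 1.0 - controls[cid].assurance
    return asset.loss * asset.likelihood * failure

def total_risk(assets, controls):
    return sum(asset_risk(a, controls) for a in assets.values())

def plan_program(assets, controls, budget):
    # Greedy: repeatedly fund the upgrade with the best risk reduction per unit of spend.
    state, chosen = dict(controls), []
    while True:
        base, best = total_risk(assets, state), None
        for cid, c in state.items():
            if c.assurance >= c.upgraded or c.upgrade_cost > budget:
                continue
            trial = {**state, cid: replace(c, assurance=c.upgraded)}
            gain = (base - total_risk(assets, trial)) / c.upgrade_cost
            if best is None or gain > best[0]:
                best = (gain, cid)
        if best is None:
            return chosen, total_risk(assets, state)
        cid = best[1]
        budget -= state[cid].upgrade_cost
        state[cid] = replace(state[cid], assurance=state[cid].upgraded)
        chosen.append(cid)

# Constructed sample environment (not from the patent); "patching" is shared by every
# asset, so it is a systemic control, while "backup" protects only the database.
CONTROLS = {"patching": Control(0.3, 40.0, 0.8), "mfa": Control(0.5, 30.0, 0.9),
            "backup": Control(0.2, 20.0, 0.9)}
ASSETS = {"web": Asset(100.0, 0.5, ("patching", "mfa")),
          "db": Asset(500.0, 0.2, ("patching", "mfa", "backup")),
          "hr": Asset(50.0, 0.4, ("patching",))}
```

With a budget of 60 the planner funds the database backup first (highest reduction per unit cost) and then the systemic patching upgrade, cutting modelled risk from 59.5 to 10; changing any loss, likelihood or assurance figure re-ranks the program, which is the risk-adaptive behaviour the abstract describes.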