From noise to numbers: Embedding cyber risk quantification into business decisions