A functional approach to cyber risk assessment