Cyber risk assessment: a pragmatic approach