When evaluating the extent of potential harm to the business due to a security incident, understanding the expected monetary loss from the exposure of sensitive customer information is key. This measure combines the frequency of the incident with the expected financial loss per event to provide a clear picture of the financial ramifications for the organization, aiding in determining the impact of the incident. Conversely, the time to restore services and the amount of data subjected to an unauthorized encryption attack are more relevant to operational recovery rather than the direct financial impact.