Traceability in cyber risk assessment