- How likely it is for someone else to find it (even internally)
- How long does it take for it to be identified and exploited, the impact of that, and time for mitigation/fixing
- How much would it cost to repair the trust of the users if the breach occurs. PR, marketing, organizational costs

Do you think a big company would pay $5k for a PR campaign to fix a mess due to a breach of private data? Not remotely.

You don't lock a $1000 bike with a $1000 lock, maybe with a $100 lock though.