A new framework requires organizations to understand key cyber-risks and the dependencies between them. It will also help them establish how much of their value they could protect