If there were to be a core premise of organizational cybersecurity it would be the reduction of risk, specifically cyber risk. The unifying theory for such a premise might state that organizations choose risk reduction strategies through optimization. That is, choosing the optimal risk reduction strategy given organizational constraints, such as budget, staffing, regulatory requirements, etc.