A Quantitative Cyber Risk Valuation Model for Board-Level Decision Making in Critical Infrastructure
Abstract
Critical infrastructure organizations face a growing gap between the sophistication of cybersecurity threats and the ability of governance frameworks to translate that risk into financially grounded intelligence for board-level decisions. This gap reflects not a lack of technical risk data but a failure to translate threat intelligence and vulnerability information into the monetary, probabilistic expressions that boards need to oversee cybersecurity investment alongside other enterprise risks. This paper proposes a Quantitative Cyber Risk Valuation model that integrates Factor Analysis of Information Risk's probabilistic decomposition, Gordon-Loeb investment optimization, and the NIST Risk Management Framework. The model is structured for governance output and is intended for critical infrastructure operators in energy, water, financial services, transportation, and healthcare. The model produces probability-weighted annual loss expectancies specified at tenth, fiftieth, and ninetieth percentile confidence intervals. It also provides an investment efficiency frontier so organizations can identify security allocations that maximize risk reduction per capital unit in line with Gordon-Loeb optimality. Furthermore, it provides a structured risk appetite framework that helps boards define, enforce, and monitor quantitative risk thresholds aligned with risk tolerance and regulatory requirements. The paper reviews the literature on security economics, quantitative risk, board governance, industrial control system security, and enterprise IT frameworks to develop a model applicable to regulated organizations across sectors and jurisdictions.
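To make the outputs named in the abstract concrete, the following sketch is an added example, not the paper's model or the author's code. It assumes a FAIR-style decomposition (Poisson loss event frequency, lognormal loss magnitude) and the Gordon-Loeb breach function S(z, v) = v / (αz + 1)^β; every function name and parameter value is constructed for illustration.

```python
import math
import random

def poisson(rng, lam):
    """Draw a Poisson count (Knuth's method, adequate for small lam)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def annual_loss_percentiles(lef, mag_median, mag_sigma, years=20000, seed=7):
    """Simulate yearly losses: Poisson event count, lognormal loss per event."""
    rng = random.Random(seed)
    mu = math.log(mag_median)
    totals = sorted(
        sum(rng.lognormvariate(mu, mag_sigma) for _ in range(poisson(rng, lef)))
        for _ in range(years))
    return {q: totals[years * q // 100] for q in (10, 50, 90)}

def gordon_loeb_optimum(v, L, alpha, beta):
    """z* maximizing (v - S(z, v)) * L - z for S(z, v) = v / (alpha*z + 1)**beta."""
    return max(0.0, ((v * L * alpha * beta) ** (1 / (beta + 1)) - 1) / alpha)

def valuation(tef, v, mag_median, mag_sigma, alpha, beta):
    """Percentile annual losses before and after investing the Gordon-Loeb optimum."""
    mean_mag = mag_median * math.exp(mag_sigma ** 2 / 2)  # mean of a lognormal
    L = tef * mean_mag  # annualized loss if every threat event succeeded
    z = gordon_loeb_optimum(v, L, alpha, beta)
    v_after = v / (alpha * z + 1) ** beta  # residual vulnerability after spending z
    # FAIR: loss event frequency = threat event frequency * vulnerability
    return {"z_star": z, "ceiling": v * L / math.e, "v_after": v_after,
            "before": annual_loss_percentiles(tef * v, mag_median, mag_sigma),
            "after": annual_loss_percentiles(tef * v_after, mag_median, mag_sigma)}

if __name__ == "__main__":
    # Constructed inputs: 4 threat events/year, 50% succeed, median loss 500k.
    r = valuation(tef=4.0, v=0.5, mag_median=500_000, mag_sigma=1.0,
                  alpha=1e-5, beta=1.0)
    print(f"optimal spend {r['z_star']:,.0f} (Gordon-Loeb ceiling {r['ceiling']:,.0f})")
    for label in ("before", "after"):
        p = r[label]
        print(f"{label}: P10 {p[10]:,.0f}  P50 {p[50]:,.0f}  P90 {p[90]:,.0f}")
```

The optimal spend stays below v·L/e, the Gordon-Loeb upper bound on rational security investment, and the after-investment P90 shows how much tail loss that spend removes.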
How to Cite This Article
Beloved D Smart SSCP (2020). A Quantitative Cyber Risk Valuation Model for Board-Level Decision Making in Critical Infrastructure. International Journal of Multidisciplinary Research and Growth Evaluation (IJMRGE), 1(5), 984-991. DOI: https://doi.org/10.54660/.IJMRGE.2020.1.5.984-991