This document discusses how to use the MITRE ATT&CK framework to help quantify cybersecurity risk and prioritize security projects. It outlines some of the challenges in measuring risk impact and likelihood, and how ATT&CK can provide standardized threat data to help estimate risk reduction from security controls. Examples are given showing how ATT&CK tactics and techniques can be mapped to existing security solutions to help compare solutions and demonstrate risk reduction through quantitative metrics. Some limitations are also discussed around needing time to calibrate estimates and the simplifications in the examples.