An “Assumed Risk” Approach to Small Business Qualitative Cyber Risk Assessment