The paper proposes a new methodology to measure cyber risks which, instead of using quantitative loss data, often not available, employs ordinal data. The method relies on the construction of a criticality index, whose properties are discussed and compared with alternative measures employed in operational risk measurement. The methodology is illustrated on data regarding cyber attacks collected at the worldwide level. The proposed measure is found to be quite effective to rank cyber risk types. Thus, from a policy perspective, it can be useful to guide the implementation of preventive actions.