The Internet of Things (IoT) opens up vast opportunities for innovation, ranging from industrial enterprises to healthcare and consumers. However, the development of IoT projects creates significant risks for developers and users. The number and frequency of IoT attacks are increasing, and the direct and indirect damage they cause is on the rise. A single infected device can make a company's entire ecosystem vulnerable to attack, with potential failures ranging from violations of individual users' privacy to massive failures of public systems and threats to people's lives. The relevance of the article is explained by the increase in the number of cyber attacks, the speed at which new threats emerge and the increase in damage from attacks. The article therefore examines the decrease in the effectiveness of the existing mechanisms for assessing cyber risks and fills the gaps in research in this area. The authors developed the Cyber ROI indicator (CyROI), which reflects cyber risks and measures the effectiveness of investments in the development of the Internet of Things, taking into account cybercrime and related control measures. Next, an approach to cyber risk assessment for IoT projects was formed, based on the principles of risk controlling and including the stages of risk identification, risk tree modeling, risk assessment and analysis of results. In addition to the approach itself, a structural and logical scheme for assessing cyber risks is presented and its tools are described. Unlike analogues, the developed approach assesses cyber risks holistically: it integrates and coordinates all related actions and tools, simulates the confidence interval of the possible return on investment, and shows the chances of going beyond risk appetite and risk tolerance.
The proposed approach makes the assessment of cyber risks dynamic, iterative and responsive to changes in the cyber environment. Moreover, this approach has significant scientific and practical application. Compared to existing approaches, the authors' approach to cyber risk assessment is more flexible, takes into account correlations between risks, and makes it possible to assess the impact of each risk factor on CyROI and to calculate a large number of scenarios.