In search of a methodology

Risk-based security cries out for a standardized approach to risk assessment. To date, the closest thing to a leader in this nascent field is from Carnegie Mellon University's Software Engineering Institute.

Operationally Critical Threat, Asset and Vulnerability Evaluation, or OCTAVE, is a self-directed methodology you can use to determine your risk exposure in the context of business activities and priorities. OCTAVE's creators say the system can be used to accomplish the following:

Identify information assets, vulnerabilities and threats.

Protect data both tactically and strategically.