In search of a methodology
Risk-based security cries out for a standardized approach to risk assessment. To date, the closest thing to a leader in this nascent field is from Carnegie Mellon University's Software Engineering Institute.
Operationally Critical Threat, Asset and Vulnerability Evaluation, or OCTAVE, is a self-directed methodology you can use to determine your risk exposure in the context of business activities and priorities. OCTAVE's creators say the system can be used to accomplish the following:
Identify information assets, vulnerabilities and threats.
Protect data both tactically and strategically.