Components of Risk Assessment
One of my favorite diagrams, which I always reference when thinking of the best way to assess risk, comes from, perhaps surprisingly to you, a presentation by a Microsoft security manager for threat and risk assessment (Jared Pfost). Here it is:

If I remember right, I believe they assign a value between 1 and 5 for the 'Impact' and 'Probability' statements. The result is a positive number whose value determines the speed of response. A high value may trigger an immediate and sustained effort to mitigate the risk. A low value may represent less risk and be addressed with a slower and less costly approach. I also believe it reduces alarmist tendencies because it forces you to stop and think through exactly what is at stake. Whatever it takes to stop colleagues from hitting the big emergency button every time a new disclosure is released is a good thing in my mind.
A newer and more detailed methodology which appears to build on the diagram above can be found here:
http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/ack_page.mspx

