Risk Assessment

[timpacalypse () yahoo com]

This is quickly becoming one of my favorite sites ever.  

Anyway, I posted a message in the Focus on Microsoft List about securing FE/BE Communications in Exchange.  I was 
presented with many options.  And with all of those options was a common theme.  Risk assessment.  

I know that people make entire careers out of risk assessment.  But I was wondering if anyone could point me to a 
source that gives a general outline how to quantitatively calculate risk so that something can be presented to 
management in the form of numbers.  It'll be nice to come to someone with something more concrete than..."well, it 
could happen."  

Oh yeah, I don't have an IDS or anything so it's not like I can go to them and say this is how many times we get 
scanned, etc.