Tuesday, February 24, 2015

What are the ways to measure security risks, threats and vulnerabilities in a company?

Risk = Threat x Vulnerability x Cost

Threat is the frequency of adverse events. Vulnerability is the likelihood that a particular attack will be successful, and cost is the total economic impact of a successful attack. A lot of folks have different ways to quantify risk -- investors, actuaries and security professionals all have different opinions -- but this definition is sufficiently simple for a rock head like me, so let's go with it.

You need to quantify your security environment (which is threats and vulnerabilities) and then calculate the cost to derive your risk exposure. In reality, you can spend a lifetime trying to build a sophisticated, PhD-level model and still be wrong. Basically, you are making assumptions on top of assumptions on top of assumptions.
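The point about stacked assumptions can be made concrete with a short Python sketch, added here as an illustration and not part of the original post. It applies the formula to inputs known only as ranges; the sample figures, the uniform sampling and all function names are assumptions chosen for the example.

```python
import random

FACTORS = ("threat", "vulnerability", "cost")

def risk(threat, vulnerability, cost):
    """Risk = Threat x Vulnerability x Cost, as defined in the post."""
    return threat * vulnerability * cost

def risk_bounds(ranges):
    """Best and worst case when each input is only a (low, high) estimate."""
    low = risk(*(ranges[f][0] for f in FACTORS))
    high = risk(*(ranges[f][1] for f in FACTORS))
    return low, high

def simulate(ranges, trials=10_000, seed=1):
    """Monte Carlo: draw each factor uniformly from its range (an assumption),
    compute the risk for every draw, and return the results sorted."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    return sorted(
        risk(*(rng.uniform(*ranges[f]) for f in FACTORS))
        for _ in range(trials)
    )

def percentile(sorted_values, pct):
    """Nearest-rank percentile of an already sorted list."""
    index = min(len(sorted_values) - 1, int(len(sorted_values) * pct / 100))
    return sorted_values[index]

# Constructed sample estimates, not data from the post.
SAMPLE = {
    "threat": (2, 10),               # adverse events per year
    "vulnerability": (0.05, 0.25),   # probability that an attack succeeds
    "cost": (50_000, 250_000),       # economic impact per successful attack
}

if __name__ == "__main__":
    low, high = risk_bounds(SAMPLE)
    # Each input is uncertain by a factor of 5; the product is uncertain by 5**3.
    print(f"bounds: {low:,.0f} to {high:,.0f} per year ({high / low:.0f}x spread)")
    losses = simulate(SAMPLE)
    for pct in (5, 50, 95):
        print(f"p{pct}: {percentile(losses, pct):,.0f}")
```

Three estimates that are each uncertain by a factor of five yield a risk figure uncertain by a factor of 125, which is why a range or percentile band is a more honest output than a single number.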
