I'd like to note that the evaluation of information security Risk needs to be part of your company's "Information Security Program". The "Information Security Policy" section lays down the basic rules and values and the role you will then apply in the "Risk Assessment". If there is none, the risk must be assessed by calculating a certain optimistic or pessimistic scenario.
An approximate method of calculating Risk in an information system:
1. Calculate the value / importance of all Assets in your information system. Rank the assets in order of importance.
2. Determine all possible threats and attack scenarios: insiders, viruses, competitors, equipment failure, etc.
3. Calculate a numerical Risk for each Asset in the case of each Threat, using the ALE, MTD, ARO, SLE formulas:
ALE = SLE * ARO
(see my earlier posts for an example)
MTD - how long will your business last if Asset XX disappears?
ALE - what damage, in monetary terms, will threat XX cause you on average per year?
(there are a number of threats that naturally occur once a year, once every two years, etc.)
4. From this, identify the most significant Threats.
5. Assess what can be done to minimize the effect of threats on the most important Assets. That is, what additional protection you should buy / install / train / test / build.
Perhaps some of the solutions will be protection already built into some programs. At this stage you will get the cost, in money, of covering the remaining protection.
And maybe you will find that you have some expenses that do not depend on the type of Solution, for example you still need to train employees not to send passwords by e-mail :)
Then do the same analysis for the First solution and the Second solution, and compare the monetary values.
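As an added, worked example (not part of the original post), here is the whole procedure above in Python: rank assets by value, compute ALE = SLE * ARO for every asset/threat pair, rank threats by total ALE, then compare two candidate solutions by residual ALE and net annual benefit, including a shared cost (staff training) that is spent whichever solution is chosen. All asset values, exposure factors, ARO figures, solution names and costs are constructed sample numbers, not figures from the post.

```python
from dataclasses import dataclass, field

# All asset values, exposure factors, ARO figures and costs below are
# constructed sample numbers for illustration; they are not from the post.


@dataclass
class Asset:
    name: str
    value: float       # asset value in monetary units
    mtd_hours: float   # Maximum Tolerable Downtime: how long the business survives without it


@dataclass
class Threat:
    name: str
    aro: float                                    # Annualized Rate of Occurrence (0.5 = once in two years)
    exposure: dict = field(default_factory=dict)  # asset name -> fraction of its value lost per incident


@dataclass
class Solution:
    name: str
    annual_cost: float
    aro_factor: dict = field(default_factory=dict)       # threat name -> multiplier on its ARO
    exposure_factor: dict = field(default_factory=dict)  # threat name -> multiplier on its exposure


def rank_assets(assets):
    """Step 1: asset names ordered by value, most important first."""
    return [a.name for a in sorted(assets, key=lambda a: a.value, reverse=True)]


def sle(asset, threat):
    """Single Loss Expectancy: loss from one occurrence of the threat against the asset."""
    return asset.value * threat.exposure.get(asset.name, 0.0)


def ale(asset, threat):
    """Annualized Loss Expectancy: ALE = SLE * ARO."""
    return sle(asset, threat) * threat.aro


def total_ale(assets, threats):
    """Step 3: sum of ALE over every asset/threat pair."""
    return sum(ale(a, t) for a in assets for t in threats)


def rank_threats(assets, threats):
    """Step 4: total ALE per threat, largest first."""
    totals = {t.name: sum(ale(a, t) for a in assets) for t in threats}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def apply_solution(threats, solution):
    """Return the threat list as it would look with the solution in place."""
    adjusted = []
    for t in threats:
        ef = solution.exposure_factor.get(t.name, 1.0)
        adjusted.append(Threat(
            name=t.name,
            aro=t.aro * solution.aro_factor.get(t.name, 1.0),
            exposure={k: v * ef for k, v in t.exposure.items()},
        ))
    return adjusted


def compare_solutions(assets, threats, solutions, shared_cost=0.0):
    """Step 5: residual ALE and net annual benefit of each solution.

    shared_cost is spent regardless of which solution is chosen (e.g. training
    staff not to send passwords by e-mail), so it is charged to every option.
    """
    baseline = total_ale(assets, threats)
    results = {}
    for s in solutions:
        residual = total_ale(assets, apply_solution(threats, s))
        results[s.name] = {
            "residual_ale": residual,
            "annual_cost": s.annual_cost + shared_cost,
            "net_benefit": baseline - residual - s.annual_cost - shared_cost,
        }
    return baseline, results


# Constructed sample inventory.
ASSETS = [
    Asset("customer_db", 500_000, mtd_hours=48),
    Asset("mail_server", 100_000, mtd_hours=72),
    Asset("workstations", 50_000, mtd_hours=168),
]
THREATS = [
    Threat("malware", aro=2.0, exposure={"customer_db": 0.1, "mail_server": 0.3, "workstations": 0.2}),
    Threat("insider", aro=0.5, exposure={"customer_db": 0.6}),
    Threat("hardware_failure", aro=1.0, exposure={"mail_server": 0.2, "workstations": 0.1}),
]
SOLUTIONS = [
    Solution("A: endpoint protection + DLP", 40_000, aro_factor={"malware": 0.25, "insider": 0.5}),
    Solution("B: backups + awareness", 15_000, exposure_factor={"malware": 0.5, "hardware_failure": 0.5}),
]

if __name__ == "__main__":
    print("assets by importance:", rank_assets(ASSETS))
    for name, value in rank_threats(ASSETS, THREATS):
        print(f"threat {name:17s} ALE = {value:,.0f}")
    baseline, results = compare_solutions(ASSETS, THREATS, SOLUTIONS, shared_cost=5_000)
    print(f"baseline ALE = {baseline:,.0f}")
    for name, r in results.items():
        print(f"{name}: residual ALE {r['residual_ale']:,.0f}, "
              f"cost {r['annual_cost']:,.0f}, net benefit {r['net_benefit']:,.0f}")
```

The exposure factor times asset value gives SLE, so a solution that reduces how often a threat happens (aro_factor) and one that reduces how much is lost when it does (exposure_factor) are compared on the same monetary footing; the option with the larger net benefit is the one worth buying first, and MTD is carried with each asset so the same table can feed a continuity plan.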