There is a common discipline in information security (IB) called risk management. What you want to do can be calculated using the techniques of that discipline. Say this is risk management at the stage of designing the terms of reference (TK) for some information system.
Look at:
Risk Management Framework NIST SP 800-37
Risk assessment methods: quantitative vs. qualitative
Developing a threat analysis, i.e. based on known threats; for example, if data is transmitted over an open channel, then the greatest threat is, for the twentieth time, interception and traffic analysis.
Asset classification: the architect, of course, is not aware of the importance / cost of the data the information system (IS) will operate on, but he knows, for example, that if there is an encryption key (an IT asset), it is the #1 resource you want to protect, so you need to spend more time developing the terms of reference for its protection: bits, storage and transmission.
As an MTD metric, for example, you can take: how long is your IS capable of functioning upon loss of the communication channel / server / DB failure? In case of compromise of the encryption key, how much time do you have before they can get ...?
ARO: this can be the average of past cases of hacking / intrusion, which shows the frequency with which certain types of vulnerabilities are produced. For example, if you are going to use the OpenSSL library: over its history, many vulnerabilities of varying severity have been found in it,
about 2 a year (a rough average). You can safely put this parameter into the formula in the TK :)
ALE = SLE X ARO
The damage a genuine vulnerability in OpenSSL will cause your IS = SLE * 0.5
Further, SLE is what you have to do to close the gap (the one-time cost of exiting the specific situation of a vulnerable IS while your IS is in operation): update OpenSSL. And is the installed copy of your IS ready to survive a major upgrade of OpenSSL?? As an architect, rate this readiness from 0 to 10 based on the possible issues / costs / dependencies in your encryption protocols.
Accordingly, if your "architectural" SLE is closer to 10, then the ALE will be large, and already at the design stage you can predict the operating costs of your system with OpenSSL: you need to upgrade twice a year.
And so on..
And yes, you are right in thinking that risk should be calculated in the form of numbers.
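As an added example (not from the answer above or from any of the standards it cites), here is the ALE = SLE x ARO calculation carried through in Python: ARO is estimated from a constructed history of past vulnerability disclosures, SLE is taken as asset value times exposure factor (the standard textbook definition, assumed here since the answer does not spell it out), and the resulting ALE is compared against the annual cost of the "upgrade OpenSSL twice a year" control the answer mentions. All asset values, dates and exposure factors are constructed illustrative figures, and the asset and threat names are hypothetical.

```python
"""Quantitative risk estimate in the ALE = SLE x ARO form.

Constructed example; every figure below is illustrative, not measured data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # monetary value of the asset (constructed figure)


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # fraction of asset value lost per occurrence, 0.0..1.0


def estimate_aro(incident_dates: list[date], window_years: float) -> float:
    """Annualized Rate of Occurrence from a history of past incidents.

    Follows the answer's suggestion of averaging past cases: number of
    incidents in the observation window divided by the window length.
    """
    if window_years <= 0:
        raise ValueError("observation window must be positive")
    return len(incident_dates) / window_years


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """SLE = asset value x exposure factor (standard definition, assumed here)."""
    if not 0.0 <= threat.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the formula quoted in the answer."""
    return sle * aro


def control_is_worthwhile(ale_before: float, ale_after: float,
                          annual_control_cost: float) -> bool:
    """A control pays for itself when the ALE it removes exceeds its yearly cost."""
    return (ale_before - ale_after) > annual_control_cost


def worked_example() -> dict[str, float | bool]:
    """Constructed scenario: a TLS private key exposed to OpenSSL vulnerabilities."""
    # Constructed disclosure history: 10 relevant advisories in a 5-year window,
    # which reproduces the answer's "about 2 a year" ARO.
    disclosures = [
        date(2019, 3, 1), date(2019, 9, 1), date(2020, 4, 1), date(2020, 12, 1),
        date(2021, 3, 1), date(2021, 8, 1), date(2022, 2, 1), date(2022, 11, 1),
        date(2023, 2, 1), date(2023, 10, 1),
    ]
    aro = estimate_aro(disclosures, window_years=5)

    key = Asset("TLS private key (hypothetical)", value=50_000.0)
    # Exposure factor before and after the control; constructed values.
    unpatched = Threat("OpenSSL vulnerability, slow patching", exposure_factor=0.4)
    patched = Threat("OpenSSL vulnerability, twice-yearly upgrade", exposure_factor=0.05)

    ale_before = annualized_loss_expectancy(single_loss_expectancy(key, unpatched), aro)
    ale_after = annualized_loss_expectancy(single_loss_expectancy(key, patched), aro)

    # The control the answer describes: an OpenSSL upgrade twice a year.
    upgrades_per_year = 2
    cost_per_upgrade = 3_000.0  # constructed engineering cost per upgrade
    annual_control_cost = upgrades_per_year * cost_per_upgrade

    return {
        "aro": aro,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_control_cost": annual_control_cost,
        "worthwhile": control_is_worthwhile(ale_before, ale_after, annual_control_cost),
    }


if __name__ == "__main__":
    for k, v in worked_example().items():
        print(f"{k}: {v}")
```

The point of putting the figures through code rather than a spreadsheet is that the exposure factor and the incident history are explicit inputs you can revise as the design matures; the `control_is_worthwhile` comparison is the usual cost/benefit check that decides whether the twice-yearly upgrade budget belongs in the terms of reference.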