Quick and Dirty Risk Calculations – CSI Survey Edition

The Computer Security Institute recently released its 2009 survey results (registration required). One of the charts in the executive summary lists, for each incident type, the percentage of respondents that reported it during the year. Without any information more pertinent or specific to your organization, you can use that percentage as a rough annual probability of occurrence and do quick and dirty risk calculations. Let me illustrate.

The frequency of occurrence for DNS exploits was 7%. This follows 8% in 2008 and 6% in 2007. Treat that 7% as the chance your organization is hit in a given year. If you are considering a $100,000 investment in security to eliminate this risk (not likely, but work with me here), your possible* annual losses (consequences) from a DNS exploit should exceed about $1.4 million ($100,000 / 0.07, i.e. cost of controls divided by frequency of occurrence) before the spend makes sense. Below that figure, the expected loss avoided (frequency times consequences) is smaller than what the control costs.

It is fairly coarse, but it is a start.
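The calculation above, expressed as a small script so the break-even point can be recomputed for other control costs and survey rates. This is an added example, not code from the original post; the 6%, 8% and 7% DNS exploit rates and the $100,000 control cost are the figures quoted above, while the function names and the partial-mitigation variant (a control that only lowers the rate rather than eliminating the risk) are this example's own assumptions. The rates are a survey population's incidence, not your organization's probability, which is the same caveat the post makes.

```python
"""Quick-and-dirty break-even check for a security control, using a survey
incidence rate as a stand-in for the annual probability of an incident.

Added illustration, not code from the original post. CSI_DNS_EXPLOIT_RATES
holds the three rates quoted in the post; everything else is an assumption
made for this example.
"""

# Rates quoted in the post (share of CSI survey respondents reporting a DNS
# exploit that year). Constructed from the post's figures, not from the
# survey file itself.
CSI_DNS_EXPLOIT_RATES = {2007: 0.06, 2008: 0.08, 2009: 0.07}


def _check_probability(name: str, p: float) -> None:
    """Survey percentages must already be converted to a 0..1 probability."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"{name} must be a probability in [0, 1], got {p}")


def breakeven_loss(control_cost: float, frequency: float) -> float:
    """Smallest per-incident loss at which a control that ELIMINATES the risk
    pays for itself: control_cost / frequency.

    The post's example: $100,000 at a 7% annual rate gives about $1.43M.
    """
    _check_probability("frequency", frequency)
    if frequency == 0:
        raise ValueError("a risk that never occurs has no break-even point")
    return control_cost / frequency


def breakeven_loss_partial(control_cost: float, frequency: float,
                           residual_frequency: float) -> float:
    """Generalization (assumption of this example, not in the post): the
    control only lowers the annual rate to residual_frequency.

    Annualized loss expectancy (ALE) falls from frequency * L to
    residual_frequency * L, so the control breaks even at
    control_cost / (frequency - residual_frequency).
    """
    _check_probability("frequency", frequency)
    _check_probability("residual_frequency", residual_frequency)
    reduction = frequency - residual_frequency
    if reduction <= 0:
        raise ValueError("the control must reduce the frequency of occurrence")
    return control_cost / reduction


def worth_it(control_cost: float, frequency: float, possible_loss: float,
             residual_frequency: float = 0.0) -> bool:
    """True when the expected annual loss avoided exceeds the control's cost.

    possible_loss is the post's 'possible consequences' figure (not risk
    adjusted); multiplying it by the avoided frequency is what turns it into
    an expected value.
    """
    _check_probability("frequency", frequency)
    _check_probability("residual_frequency", residual_frequency)
    avoided = (frequency - residual_frequency) * possible_loss
    return avoided > control_cost


def average_rate(rates: dict) -> float:
    """Multi-year average, a slightly less noisy input than a single year."""
    return sum(rates.values()) / len(rates)


if __name__ == "__main__":
    cost = 100_000.0
    rate_2009 = CSI_DNS_EXPLOIT_RATES[2009]
    print(f"break-even loss at {rate_2009:.0%}: ${breakeven_loss(cost, rate_2009):,.0f}")
    avg = average_rate(CSI_DNS_EXPLOIT_RATES)
    print(f"break-even loss at 3-year average {avg:.1%}: ${breakeven_loss(cost, avg):,.0f}")
    print(f"break-even if control only halves the rate: "
          f"${breakeven_loss_partial(cost, rate_2009, rate_2009 / 2):,.0f}")
    for loss in (1_000_000.0, 2_000_000.0):
        print(f"loss ${loss:,.0f}: worth it = {worth_it(cost, rate_2009, loss)}")
```

The partial-mitigation variant is the one that usually matters in practice: few controls eliminate a risk outright, so the break-even loss rises as the residual rate rises.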

Update: my language should be more precise. I have modified “anticipated annual losses” to reflect that this number reflects possible consequences and not probable consequences (i.e. it isn’t risk adjusted).