Risk management is one of the main missions of security teams.
ASF leverages risk assessment to prioritize actions. In agile terms, risk assessment provides the "business value" for security-related stories.
It is important to understand that the value of a story depends on the organization. The risk appetite and the sensitivity to each element of CIAT (Confidentiality, Integrity, Availability, Traceability) vary widely. For a press agency, for example, integrity is paramount, while confidentiality matters only for very specific information; a defense contractor will weigh these very differently.
Many valuable risk assessment methodologies already exist, including ISO 27005, OpenFAIR and the OWASP Risk Rating Methodology.
Any methodology that works well for the organization can be harnessed, as long as it provides a metric to compare and measure the risk associated with scenarios.