Management can address security gaps in three ways: cancel the project, allocate the resources needed to correct the gaps, or accept the risk on the basis of an informed risk/reward analysis.
The following methodology outline is put forward as an effective means of conducting a security assessment.
The Federal CIO Council commissioned a study of the $100 million IT security investment for the Department of Veterans Affairs with results shown quantitatively.
There are common vendor-neutral professional certifications for performing security assessments.