Security policy and risk analysis questions

["Frank Pawlak" <FPAWL () pcsentre com>]

I am in the process of developing a network security policy and am stuck in a few areas.  So far I have completed the 
following:

Identified the assets to be protected

Defined what those assets are worth to the organization

Identified the sources of attack

My  question concerns the risk analysis.  It is my understanding that the risk analysis is used to determine the amount 
to spend to protect the assets.  My problem is assigning a probability to any of the defined threats that an attack 
will occur from that threat.  I realize that this is a highly subjective area.  I have searched many books and articles 
on security policy development without getting much information in this particular area of the risk analysis.

Any help or guidelines would be most appreciated.  My thanks in advance for all advice.

Frank