We took a look at 3 different frameworks:
One interesting statement was definitely the one about the cost of security: "Security is very expensive, it will typically cost between 20 and 60% of development effort". To justify this kind of cost there are measurements you can use, one of them being ROSI (Return On Security Investment). There is also a way to quantify risk which is pretty straightforward and which works very nicely when you are working with customers in the financial or investment sector. Security implies a certain risk, so, as with any other risk, you should look at the cost of obtaining assurance against the event in which the risk might occur.
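As an added worked example (not from the original post or the frameworks it reviews), the script below carries the risk-quantification idea through in code. It assumes the widely cited ROSI definition: annualized loss expectancy (ALE) is single-loss expectancy times annual rate of occurrence, and ROSI is the loss a control avoids minus its cost, divided by its cost. The risk, the controls and all the money figures are constructed for illustration; the break-even helper shows the minimum mitigation a control must actually deliver before it pays for itself, which is the caveat to keep in mind when a vendor quotes a mitigation percentage.

```python
"""Worked ROSI (Return On Security Investment) calculation.

Added example with constructed figures; the formulas are the commonly cited
ROSI / ALE definitions, not something the original post spelled out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    single_loss_expectancy: float     # expected loss per incident, in currency units
    annual_rate_of_occurrence: float  # expected incidents per year

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # yearly cost of the control, in currency units
    mitigation_ratio: float  # fraction of the ALE the control is expected to remove (0..1)


def rosi(risk: Risk, control: Control) -> float:
    """ROSI = (avoided loss - cost of control) / cost of control.

    A negative value means the control costs more than the loss it prevents.
    """
    if not 0.0 <= control.mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    if control.annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    avoided_loss = risk.ale() * control.mitigation_ratio
    return (avoided_loss - control.annual_cost) / control.annual_cost


def breakeven_mitigation(risk: Risk, control: Control) -> float:
    """Smallest mitigation ratio at which the control merely pays for itself.

    Returns a value above 1.0 when no achievable mitigation would justify the cost.
    """
    return control.annual_cost / risk.ale()


def rank_controls(risk: Risk, controls: list[Control]) -> list[tuple[str, float]]:
    """Order candidate controls by ROSI, best first."""
    scored = [(c.name, rosi(risk, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a data-loss incident costing 50,000 per occurrence,
# expected twice a year, so ALE = 100,000.
EXAMPLE_RISK = Risk("customer data leak", single_loss_expectancy=50_000, annual_rate_of_occurrence=2)

# Constructed candidate controls with hypothetical costs and claimed mitigation.
EXAMPLE_CONTROLS = [
    Control("access-control review", annual_cost=20_000, mitigation_ratio=0.7),
    Control("full DLP deployment", annual_cost=80_000, mitigation_ratio=0.9),
    Control("awareness training only", annual_cost=40_000, mitigation_ratio=0.3),
]

if __name__ == "__main__":
    print(f"ALE for '{EXAMPLE_RISK.name}': {EXAMPLE_RISK.ale():,.0f}")
    for name, value in rank_controls(EXAMPLE_RISK, EXAMPLE_CONTROLS):
        print(f"{name:28s} ROSI = {value:+.2f}")
    for control in EXAMPLE_CONTROLS:
        print(f"{control.name:28s} break-even mitigation = {breakeven_mitigation(EXAMPLE_RISK, control):.0%}")
```

With these constructed numbers the cheapest control wins on ROSI even though the expensive one removes more risk, and the training-only option comes out negative because it delivers 30% mitigation while it would need 40% just to break even. That ordering is exactly the kind of argument the post has in mind when it talks about justifying security cost to a customer who already thinks in terms of insured risk.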