I did a variety of things while working for my company Elemental Security. Here's are a couple of rather obscure papers that I, at least, had fun with. They should be read in order - first the value one, then risk. But the basic premise is that I believe you can get relative values of computers and users by watching their behavior along with some basic attributes. And if you could actually programmatically calculate the value of a host then perhaps you could get a indication of risk as well.

In any case here they are, as presented to the engineering team, which then eviscerated them and brought a bit more rigor to the topic. They never were meant for publication, but that's the web is all about ;) Note that I tried to remove any Elemental refs, but c'est la vie, YMMV, etc., etc.

• Elemental Paper on Value (read first)
• Elemental Paper on Risk (read 2nd)