This article contributes to more sustainable management of risk by describing frameworks for (1) valuation of avoided risks and (2) improving outsourced information security services. These contributions address the absence of a structure for rewarding successful risk management, the need for an ever-more accurate economic measure of risk, and the difficulty of transferring risks to contract-bound outsourcing entities. The manager can use these concepts to make more informed decisions in allocating resources to risk management activities. Challenges and lessons from two case studies are presented: (1) application of risk-based ROI at Lawrence Berkeley National Laboratory, and (2) information assurance outsourcing at the Navy Marine Corps Intranet. © 2006 by the American Society for Engineering Management.