A risk management approach that integrates risk profile with actual damages and implementation costs to determine the costs and benefits of information security solutions, is discussed. Two crucial concepts of the approach, incident types and bypass rates, used to judge the efficiency and return on investment for an organization's security solutions are described. The data required for risk analysis include observed damage, which is the damage that the company sustains in a given time period for each incident type and cost for a given security solution. The method to calculate risk-based return on investment (RROI) is also described.