Risk Metric Scenarios for Enterprise Security