A two-phase quantitative methodology for enterprise information security risk analysis.