Security Basics mailing list archives

Getting the value of an asset and the probability of a risk to it


From: rivestp () metro ca
Date: 16 May 2008 19:19:20 -0000

Currently doing my CISA and I have one small question: how do you do a quantitative risk assessment?
Qualitative I understand (low/med/high or 1-10), but a quantitative risk assessment is harder and a bit more complex.

A) I know that first you need to identify your assets
B) Then you have to identify the asset value for the enterprise (first problem)
C) Then you have to identify the risks that your assets have
D) You have to identify the impact and probability of these risks (my main question is how to do this)
E) You then have to calculate the risk per asset which is clear to me.

Stages B and D are unclear as to HOW you assign a value to a server, computer asset, data and so on. Also,
how/what would you use to identify the probability of a risk?

Last question: I understand that humans are the enterprise's most valuable asset. If so, how much would one value
another's life in a quantitative evaluation? Also, linked to this question, if you value the life of someone at X, would
you stop investing in protection at X or X-1$, or would you go as far as you can (considering that this could run up a
serious bill)? Would you consider humans in a risk assessment?

Thanks a lot for all the info I may get.

**And to all who are going for CISA/CISM in June, keep it up :P

Merci

Philippe Rivest, Certified Ethical Hacker
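Added worked example (not part of Philippe's post or of any reply in the thread): the textbook quantitative method that CISA/CISM material teaches for steps B through E is SLE = AV x EF (single loss expectancy), ALE = SLE x ARO (annualized loss expectancy), and safeguard value = ALE before - ALE after - annual cost of the safeguard. The script below carries that arithmetic through for one asset with two threats and one proposed control. The asset value, exposure factors, incident history and safeguard cost are constructed numbers chosen for illustration, and estimating ARO from a historical incident count is just one common way of getting at the probability step (industry loss data or vendor/insurer statistics are other sources).

```python
"""Quantitative risk assessment: SLE / ALE / safeguard value.

Added example, not code from the original post.  All dollar figures,
exposure factors and incident counts below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # AV in dollars: replacement cost + value of data/downtime (constructed)


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 .. 1.0
    incidents: int          # incidents observed in the history window (constructed)
    years: float            # length of the history window in years


def annual_rate(incidents: int, years: float) -> float:
    """ARO estimated as historical frequency: incidents per year.

    Assumption: past frequency is a usable predictor.  A fresh threat with no
    history needs an external estimate instead (industry data, insurer tables).
    """
    if years <= 0:
        raise ValueError("history window must be a positive number of years")
    return incidents / years


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """SLE = AV * EF: dollars lost each time the threat materialises."""
    if not 0.0 <= threat.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE = SLE * ARO: expected dollars lost per year to this threat."""
    return single_loss_expectancy(asset, threat) * annual_rate(threat.incidents, threat.years)


def risk_register(asset: Asset, threats: list[Threat]) -> list[tuple[str, float]]:
    """Step E: risk per asset, one ALE per threat, highest first."""
    rows = [(t.name, annualized_loss_expectancy(asset, t)) for t in threats]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a control; a positive result means it pays for itself.

    This is also the answer to 'where do you stop spending': once the annual
    cost of the next control exceeds the ALE it removes, the value goes negative.
    """
    return ale_before - ale_after - annual_cost


def worked_example() -> dict:
    """Constructed scenario: one file server, two threats, one proposed control."""
    server = Asset("file server", 250_000.0)
    # 3 ransomware incidents in 5 years -> ARO 0.6; each one destroys ~60% of AV.
    ransomware = Threat("ransomware", exposure_factor=0.6, incidents=3, years=5)
    # 1 disk failure in 5 years -> ARO 0.2; RAID limits loss to ~5% of AV.
    disk_failure = Threat("disk failure", exposure_factor=0.05, incidents=1, years=5)

    register = risk_register(server, [ransomware, disk_failure])

    # Proposed control: offline backups + endpoint detection, $20,000/year (constructed).
    # It does not stop ransomware arriving (ARO unchanged) but cuts EF to 10%
    # because data is restored and only downtime is lost.
    mitigated = Threat("ransomware", exposure_factor=0.1, incidents=3, years=5)
    ale_before = annualized_loss_expectancy(server, ransomware)
    ale_after = annualized_loss_expectancy(server, mitigated)

    return {
        "register": register,
        "ransomware_sle": single_loss_expectancy(server, ransomware),
        "ale_before": ale_before,
        "ale_after": ale_after,
        "value_at_20k": safeguard_value(ale_before, ale_after, 20_000.0),
        "value_at_80k": safeguard_value(ale_before, ale_after, 80_000.0),
    }


if __name__ == "__main__":
    for key, val in worked_example().items():
        print(f"{key}: {val}")
```

With these constructed inputs the ransomware SLE is $150,000 and its ALE $90,000 a year; the control drops the ALE to $15,000, so at $20,000 a year it is worth $55,000 net, while the same control priced at $80,000 a year comes out $5,000 negative and would not be justified on the numbers alone. Human safety does not fit this arithmetic well, which is why most frameworks treat life-safety impact as a qualitative ceiling (a mandatory control or a "must not happen" rating) rather than assigning it a dollar AV.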
