In order to manage risks to the IT environments and to satisfy government and industry regulations, most enterprises are required to conduct risk assessments. These risk assessments are used to drive organizational decisions on information security. However, despite this need, current approaches lack granular guidance on some key steps and have focused on qualitative data rather than quantitative data which reduces the value of the results for the decision makers. This paper proposes a statistical design of experiments approach that will enhance the quantitative aspects of the risk assessment exercise and will make risk assessments smarter, more precise and more efficient. Specifically, our paper demonstrates that a Plackett-Burman design can be used to: (a) identify the subset of security controls that are critical to the enterprise; (b) determine the configuration of these controls; and (c) quantitatively analyze the impact of security enhancements. This paper expands on our previous research by applying statistical models at a macro security architecture level as opposed to determining parameters for individual controls.