How can we Gauge Information Security Risk Appetite BEFORE Conducting a Security Risk Analysis?

This is really an excellent question. I've found that the risk appetite not only differs from company to company (based on the culture of the company, the makeup of the employee base, etc.) but from department to department. Coming from the vendor side, and now being on the client side, I've seen it first hand. I think, in general, decision makers are still trying to figure out what it means to be compliant with specific public or private section regulations and they remain confused about methods to reduce their internal and external risks on the IT side. Getting them to give feedback on their risk appetite seems like an excellent idea, but I wonder how effective it can be, and if the results will become standard practice within an organization. What I have seen work well is when companies come up with a Governance Commitee which oversees security initiatives at a high level. This gives various department heads some ownership in the process, and may serve to generate a similar result.

Moreover, I think it will have a number of challenges to overcome in corporate security. First, many decision makers do not know enough about security to make articulate their appetite, so that is why they hire security professionals in the first place. Second, the tool that you mention is directed at the customers personally, which means that the decision they make ultimately will stay with them. I have not seen an effective accountability matrix that will stick when risky decision are approved. Third, even though we don't want to say it, security risk appetite is also dictated, to some degree, on the cost of mitigation and the value of what is being protected.