Ideally you would have a different metric for each AS type depending on their tolerance for risk. The lower the tolerance for risk the higher the investment made in security precautions. Unfortanately classifying 14,000+ AS's is taking a little longer than I thought, but that is the end goal. Hopefully another few weeks. Even once you have some type of classification schema ideally you still need some kind of cost metric you can scale.
There is also the problem of data. The only solid data I've seen at the AS level to approximate size is number of connections to other AS's. I've seen some stats with number of servers at the AS level but not for the whole AS population.