Draft risk analysis
More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk.
To determine the potential threats against an asset and the probability that they will happen
To determine how to protect the assets, and from whom or what, with the cost parameter in mind
Risk depends on the environment
Risk evolves with time
Risk analysis/assessment can be a risk
Various methods and approaches exist for risk analysis/assessment. There is no silver bullet...
Limit the separation between risk assessment and the implementation of measures
Don't minimize the human factor
Don't minimize the legal framework, without falling into it
Involve everyone from the beginning and bridge technical and non-technical people
Don't forget that a software or computer system may have a shorter lifetime than the risk analysis ;-)
Use common terminology (RFC 2828, Internet Security Glossary, can help you with that)
Implementation RFC 2196