Dealing with risk is critical to the success of any information security and assurance endeavor. With society’s ever-increasing dependence on large-scale information systems, dealing with security risk is a topic of considerable importance and attention.