performed, more or less, in the following order:

# Identify the threats.
# Assess the vulnerability of critical assets to specific threats.
# Determine the risk (i.e. the expected likelihood and consequences of specific attacks on specific assets).
# Identify ways to reduce those risks.
# Prioritize risk reduction measures.The Risk management knowledge area, as defined by the Project Management Body of Knowledge