Performing a risk analysis, at either the logical or the physical level in and around the information technology (IT) enterprise, is a complex and often confusing endeavor. Arriving at an accurate risk profile is equally difficult, but it is needed to identify one's risk and subsequently manage or mitigate the threats and vulnerabilities that create it. However, for most people the process of identifying, quantifying and associating risk with assets falls just short of rocket science. There is an art (and science) to performing risk assessments, which may explain why so few organizations conduct them well, or at all. Yet calculating risk is no different from programming an application to perform a prescribed function.