The article details ways of assessing the causes of loss of security together with the potential consequences of security loss to both the computer system and the whole organization. It examines the role of risk management in identifying threats to security and the broad classifications of risk identification which aid the assessment process. The text asserts that risks are handled either by avoiding, retaining, reducing, or transferring them and that it is best to concentrate on risks to hardware under several broad operational areas. These areas are categorized in the paper so that a structured review can be carried out more naturally. One figure is included. (Author abstract modified)