When you conduct a thorough risk assessment, you have to look at the threats and vulnerabilities by default. I tend to believe that vulnerabilities are more important to consider than threats, in most cases, because threats would be irrelevant if there are no vulnerabilities. It is true that vulnerabilities would be irrelevant without threats, but if you have anything of value than there will be a threat. The big question becomes how much money do you want to put towards countermeasures, which is dependent upon the value of your information and the value of the services dependent upon your information resources. Ira [Quoted Article Deleted]