The widespread use of computers has enabled both private and public organisations to streamline their operative and managerial processes. Simultaneously, the new processes have become critically dependent on information systems (IS) and IS have become a significant operational risk to these organisations. Increased complexity of systems themselves, combined with increased penetration of computers in user organisations, means that the nature of threats and consequences is more diverse than ever. Systematic analysis of IS risk has become both more significant and more difficult.