Consider the security of a personal computer. List a few of the attackers who might break into the computer, their incentives, and the associated costs and risks to the attacker.

Solution

As a top-down approach to identifying threats and countermeasures, CISOs should consider a threat modeling technique that allows the target application to be decomposed to reveal its attack surface and subsequently its relevant threats, associated countermeasures, and finally, its security control gaps and design flaws.

Applications are also a source of potential risks, especially when new or different technologies are integrated within applications. As applications evolve by offering new services to citizens, clients, customers and employees, it is also necessary to plan for mitigation of new vulnerabilities introduced by the adoption and implementation of new technologies such as mobile devices, web 2.0 and new services such as cloud computing. Adopting a risk framework to evaluate the risks introduced by new technologies is essential to determine which countermeasures to adopt to mitigate these new risks.

Threat agents seek financial gain, such as by attacking applications to compromise users' sensitive data and the company's proprietary information for financial gain, fraud, as well as for competitive advantage. Given the risks posed by these threat agents, it is necessary to determine the risk exposure and factor in the probability and the impact of these threats, as well as to identify the type of application vulnerabilities that can be exploited by these threat agents. Exploitation of some of these application vulnerabilities might severely and negatively impact the organization and the personal computer.

data from legal in relation to lawsuits and regulatory fines, and fraud data that includes the amount of money lost because of online fraud. All of this information is essential to determine the overall impact.
In the absence of this data, the best the CISO can do is to use data breach incident data from public sources and data breach incident reports. In part I of this guide, we provided some examples of how this data can be used to estimate impact. We documented the critical factors for estimating the impact of data breaches: these include the value of the data assets and the liability for the organization in case these assets are lost.

Once the potential business impact of a data breach is estimated, the next step is to determine how much should be spent to mitigate the risk. At a high level, this is a risk strategy decision that depends on the organization's risk culture and its priorities for mitigating risks.