Some of you maybe made some risk analysis in the past, and maybe some others use to do risk analysis in a regular basis. Some people use Octave, CRAMM, NIST or other risk analysis methodologies, but… Have you ever though if you have a GAP in the way you use to do your analysis? Have you ever thought that you may have a lack of visibility in the way it makes your analysis? This presentation if focuses on the last question.