1. Identify, characterize, and assess threats
  2. Assess the vulnerability of critical assets to specific threats
  3. Determine the risk (i.e. the expected consequences of specific types of attacks on specific assets)
  4. Identify ways to reduce those risks
  5. Prioritize risk reduction measures based on a strategy