A method includes determining usage of assets, and determining criticality classifications of the assets based on the usage. The criticality classifications of assets are calculated automatically and without requiring security personnel to classify assets and enter the criticality classifications manually. The calculation of criticality classifications is performed repeatedly insuring that the criticality classifications remain current over time.