The security risk associated with a computer system may be quantified by identifying a computer system, identifying a risk associated with the computer system, the risk relating to an event that may interrupt a normal operating mode of the computer system, determining a likelihood that the event associated with the risk will occur, determining a cost associated with the event occurring on the computer system, and quantifying the risk into an impact value by using the likelihood and the cost.