EDIT 2/27/2012 — A lot of people are showing up looking at this lately. I have an update on it that I can post if you are interested. Using the comment function is onerous but let me know if you want to see it. What is currently missing from this version is a good discussion of countermeasures. If you have risk and you want to manage it, you need threats and vulnerabilities, to have countermeasures applied to those factors. Maybe I’ll add the update as a new post.