1. Identify what are the potential causes or risks
  2. What are the impact from (Confidentiality, Integrity and Availability) perspective
  3. Identify possible solution(s)