Classical IT risk assessment typically requires measuring everything from application threats and vulnerabilities to the valuation of business assets. In small-to-medium-sized companies this may be feasible, but in large to very large organizations it is often difficult to prioritize the remediation of application vulnerabilities on the basis of business asset valuations alone. This topic examines the reasons for this disconnect and suggests where IT security risk assessment can add the most value.