According to the security policy and rules, risk assessment checks vulnerability of the system by simulating the attack and tells the risk level and the way of control threat.