Build Yourself a Risk Assessment Tool


Presented at DeepSec 2014 by

Risk assessment should reflect the overall security knowledge and experience a company has accumulated over the years. This knowledge is company-specific, and applying it should not depend on, or be bound to, any proprietary methodology, vendor or product. The never-ending quest for the "best" tool or methodology is a futile exercise. Existing commercial or free tools are often built by programmers, process/audit/compliance "gurus" and other people who have never managed security in a real company. The consequence is that you spend 80% of your time on things which solve only 20% of your real security needs. In the end it is you, the security specialist, who adds the most value to the risk assessment and threat modelling process for your company. A practical risk management process, supported by a custom-made tool, is a vehicle through which you can actually demonstrate how security links to business goals. The presentation will show that it is quite easy to capture your overall security knowledge in a home-made, free-of-charge tool. The examples will use a specific variant of an open-source wiki.

The speaker has been Chief Security Officer for Orange Slovakia for the last fifteen years, specializing in ISMS and risk assessment; before 1999 he worked at Digital Equipment. He holds an MBA in information systems and the CISSP, CISM, CISA, ISO 27001 Lead Implementer and CSSLP certifications.