Define the Impact and Probability for each threat
Enumerate the attacks posed by the most dangerous attacker in each designated area of the logical and physical maps of the target of evaluation.
Assume the attacker has a zero-day, because he does. In this methodology we assume compromise: a zero-day will exist or already does exist (even if we don't know about it). This is about what can be done by skilled attackers with much more time, money, motive and opportunity than we have.
Use risk management methodology to determine the risk behind the threat
Create a risk in the risk log for every identified threat or attack against any asset. A risk assessment methodology is followed to identify the risk level for each vulnerability and hence for each server.
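The steps above (define impact and probability, enumerate attacks per area, derive a risk level, and record one risk per threat with a roll-up per server) can be expressed as a small risk register. The following is an added example, not code from the original page or from any specific methodology; the 1-4 ordinal scale, the impact x probability scoring, the level thresholds, the `Threat` fields and the sample threats are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordinal scale used for both impact and probability (assumed 1-4 scale)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Threat:
    threat_id: str
    asset: str          # server or component from the logical/physical map
    description: str
    attacker: str       # the most dangerous attacker assumed for this area
    impact: Level
    probability: Level


def risk_score(threat: Threat) -> int:
    """Risk = impact x probability on the ordinal scale (range 1..16)."""
    return int(threat.impact) * int(threat.probability)


def risk_level(score: int) -> str:
    """Map a numeric score onto qualitative bands (assumed thresholds)."""
    if score >= 12:
        return "CRITICAL"
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


def build_risk_log(threats):
    """One risk-log entry per identified threat, highest risk first."""
    entries = []
    for t in threats:
        score = risk_score(t)
        entries.append({
            "risk_id": f"R-{t.threat_id}",
            "asset": t.asset,
            "threat": t.description,
            "attacker": t.attacker,
            "impact": t.impact.name,
            "probability": t.probability.name,
            "score": score,
            "level": risk_level(score),
        })
    entries.sort(key=lambda e: e["score"], reverse=True)
    return entries


def asset_risk(entries):
    """Per-server risk: the worst finding on a server sets its level (assume compromise)."""
    worst = {}
    for e in entries:
        if e["score"] > worst.get(e["asset"], 0):
            worst[e["asset"]] = e["score"]
    return {asset: risk_level(score) for asset, score in worst.items()}


# Constructed sample threats (not from the page): three servers, a zero-day-capable attacker assumed.
SAMPLE_THREATS = [
    Threat("T1", "web-frontend", "Remote code execution via an unknown (zero-day) flaw in the web framework",
           "external, well-funded", Level.CRITICAL, Level.HIGH),
    Threat("T2", "web-frontend", "Session fixation in the login flow",
           "external, opportunistic", Level.MEDIUM, Level.MEDIUM),
    Threat("T3", "db-server", "Lateral movement from a compromised frontend using cached DB credentials",
           "external, well-funded", Level.CRITICAL, Level.MEDIUM),
    Threat("T4", "backup-host", "Physical access to unencrypted backup media",
           "insider", Level.HIGH, Level.LOW),
]

if __name__ == "__main__":
    log = build_risk_log(SAMPLE_THREATS)
    for e in log:
        print(f'{e["risk_id"]:6} {e["asset"]:14} {e["level"]:8} ({e["score"]:2}) {e["threat"]}')
    print(asset_risk(log))
```

The per-server roll-up deliberately takes the maximum rather than a sum or average: under the assume-compromise stance a server is as exposed as its single worst finding, so a pile of low risks must not mask one critical one.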