Musings on security risk assessments