1. assets: all assets involved in the evaluation, including personnel, equipment, data, network, hardware and software, etc.
2. Threats: Identify possible types of threats, such as cyber attacks, malware, social engineering, etc.
3. Weaknesses: Identify possible weaknesses in the system, including technical, physical and management control weaknesses.
4. Impact: Assess the actual impact of security threats on assets.
5. Probability: the probability of assessing threats.