Risk analysis produces annual loss expectancy values based on costs and potential losses estimated by a management-appointed team from within the organization using and maintaining the ADP facility. The annual loss expectancy values are fundamental to the cost-effective selection of safeguards for the security of the facility. For the purpose of clarity, the ADP facility of a hypothetical Federal agency is used as an example. The characteristics and attributes which must be known in order to perform a risk analysis are described and the process of analyzing some of the assets is demonstrated, showing how the problem of risk analysis can be reduced to manageable proportions. Tables, an appendix explaining application system vulnerabilities, and nine references are supplied. (NTIS abstract modified)