I started by sitting down with the owner and laying out the following high-level
Determine what must be protected (assets) 
According to the Business owner and her husband, the significant assets of the Business are as follows (in alphabetical, rather than priority, order): 
· The Computer systems 
· Customer information (on those computer systems and elsewhere) 
· Customer relationships and the Business’s reputation 
· The knowledge and skills of the owner herself 
· Miscellaneous fixtures and equipment. 
· Paper records · The stock (items for sale)
 · The website 
Only some of these assets would be valuable to a competitor or a cracker, usually the first thought when threats, risks, and vulnerabilities are discussed, but each is at risk to one degree or another in terms of one or more of the classic “CIA Risk Triad” of Confidentiality, Integrity, and Availability.