Refinement and realisation of security assessment methods
Publish date: 2008-01-07
Report number: FOI-R--2387--SE
Pages: 96
Written in: English
Keywords:
- Networked information systems
- IT security
- security assessment
- security metrics
Abstract
There are risks associated with information technology, IT, that may substantially decrease the potential benefits. Thus, to maximize the utility of IT, possible security issues of information systems should be carefully considered and mitigated. To be able to keep security under control, its assessment is important. However, since security is an abstract, subjective, non-tangible property, properly assessing the security of non-trivial systems is hard and, currently, there are no methods for efficient, reliable, and valid security assessments. Thus, it is important to extend previous efforts in order to enable the design of efficacious methods. The results presented in this report include: improvements and extensions of an existing method, a software environment for the implementation of methods, the implementation of a software tool for an existing method, and a novel method implementing a process model for security assessment.