**4.3 Step 3: Determining exposure**

In this phase, the exposure of the entities in the IT systems that may have a potential threat to different attacks is determined and reported. Generally, the exposure of an entity in the IT systems is computed as the ratio of the potentially unprotected portion of the entity to the total entity size.

**Figure 1.** *Risk assessment life cycle in IT infrastructure.*
