Developing and managing an information systems project has always been challenging, but with increased security concerns and tight budget resources, the risks are even greater. With more networks, mobility, and telecommuting, there is an increased need for an assessment of the technical and security risks. These risks if realized can have devastating impacts: interruptions of service, data theft or corruption, embezzlement and fraud, and compromised customer privacy. The software risk assessment literature (for example, Barki et al. 2001; Lyytinen et al. 1998; Schmidt et al. 2001) has focused primarily on managerial (i.e., development) risks, while the security risk models (for example, Cohen et al. 1998; Straub and Welke 1998) do not include the development risks and implementation costs. Theoretical risk models need to be developed that can provide a framework for assessing and managing the critical technical failure and security risk factors in conjunction with the managerial and development risks. This research seeks to model this problem by extending risk models originally developed for large-scale engineering systems.