Traditionally, organizations have approached the protection of valuable assets from a risk management perspective and applied a variety of models to protect the organization from losses. The intangible nature of information and the unknown threats to such information assets have raised the question of whether traditional approaches to risk management are sufficient for the domain of information assurance. This paper discusses the issues of applying traditional risk models to the domain of information assurance and proposes a focus group approach to determine which risk management approaches are actually being used in practice and whether traditional risk management models are appropriate for information assurance.