Computer software that assesses risks for security threat events by that performing the following operations: (i) receiving information pertaining to a managed asset; (ii) identifying, based, at least in part, on the received information: a threat to the managed asset and, one or more corresponding security controls for mitigating the threat, the security controls having associated control criteria; (iii) utilizing a risk assessment engine to calculate a risk value for the threat based, at least in part, on the received information; (iv) calculating a certainty factor for the threat based, at least in part, on a measure of belief associated with the control criteria; and (v) performing a computer-based remediation action based, at least in part, on the risk value and the certainty factor.