Abstract: A computer security system, comprising: a first input, adapted to receive threat data representing security threats; a second input, adapted to receive vulnerability data representing security vulnerabilities; a processor adapted to: identify a specific vulnerability of a computer entity in dependence on the threat data and the vulnerability data; assign the specific vulnerability a risk rating in dependence on the vulnerability data and the threat data; and to generate output data comprising an identifier of the specific vulnerability and its risk rating.