Abstract

For many years, the IT security industry has been trying to devise a way to quantify risk, and the benefits provided by security countermeasures, in a form meaningful to senior business management. Threat-Based Security Engineering (TBSE) is a fresh approach to modelling and forecasting information security risk. TBSE takes a non-deterministic approach to modelling how security threats interact with countermeasures, enabling quantitative forecasts of the likelihood and characteristics of security incidents as a direct function of the security measures employed. Preliminary results are encouraging, and there appears to be no reason why the TBSE techniques could not be applied to a wide range of threats and countermeasures. Assuming they can, these techniques could become the foundation for a greatly needed, disciplined engineering approach to the design of accurate and reliable security systems. Among many other benefits, this would give senior business management the much-sought-after tools with which to oversee and direct corporate security expenditures. This article describes the TBSE approach and what it can do.