The aim of preliminary risk analysis and assessment process is to derive security requirements for the system as a whole.