Threat assessment, vulnerability analysis, or risk assessment: What do you need before you can do any or all of these?