Risk Assessment Application

I am going to be developing a Risk Assessment system for a secure
environment whose database will double as an asset management system.
Or at least the Risk Assessment stuff will be an outcropping of the
asset management system.

Has anyone had any experience with this or a similar project?

This is my first attempt at a Rails project after spending a few weeks
reading books and getting a general sense of the framework. Currently
the Risk Assessment system works in MS Access, and so I have a pretty
good idea of the basic structure of the system. A quick draft:

---- Assets has many Threats has many Treatments ----

Each asset will have some number of predetermined threats. The
impact that results from the loss of an asset is coupled with the
likelihood of these threats being actualized to determine a risk
value, which, if above a certain threshold, will necessitate a
Treatment applied to that asset/threat pair.

table: Assets
  - id
  - name
  - impact

table: Threats
  - id
  - name
  - likelihood
  - asset_id

table: Treatments
  - id
  - iso_27002_number
  - threat_id
  - justification

This will be my starting point. Any comments or suggestions are
happily appreciated!
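
Added example, not part of the original post: a plain-Ruby sketch of the drafted schema that computes the risk value for each asset/threat pair and lists the pairs above the threshold that still have no Treatment. The 1..5 scales, the `impact * likelihood` formula, the threshold of 12, the `RiskRegister` class and all sample rows are assumptions made for illustration.

```ruby
# Plain-Ruby sketch of the draft schema: Assets -> Threats -> Treatments.
# Assumptions (not from the post): 1..5 scales, risk = impact * likelihood,
# a threshold of 12, and every sample row below is constructed.
Asset     = Struct.new(:id, :name, :impact)
Threat    = Struct.new(:id, :name, :likelihood, :asset_id)
Treatment = Struct.new(:id, :iso_27002_number, :threat_id, :justification)

SCALE = (1..5)          # assumed scoring scale
RISK_THRESHOLD = 12     # assumed threshold

class RiskRegister
  def initialize(assets, threats, treatments)
    @assets = assets.to_h { |a| [a.id, a] }
    @threats = threats
    @treated = treatments.group_by(&:threat_id)
    validate!
  end

  # Risk value for one asset/threat pair.
  def risk(threat)
    @assets.fetch(threat.asset_id).impact * threat.likelihood
  end

  # Pairs above the threshold that have no Treatment yet, highest risk first.
  def untreated(threshold = RISK_THRESHOLD)
    @threats.select { |t| risk(t) > threshold && !@treated.key?(t.id) }
            .sort_by { |t| -risk(t) }
            .map { |t| [@assets[t.asset_id].name, t.name, risk(t)] }
  end

  private

  # Reject rows that would silently skew the register.
  def validate!
    @assets.each_value { |a| raise ArgumentError, "asset #{a.id}: impact out of scale" unless SCALE.cover?(a.impact) }
    @threats.each do |t|
      raise ArgumentError, "threat #{t.id}: unknown asset" unless @assets.key?(t.asset_id)
      raise ArgumentError, "threat #{t.id}: likelihood out of scale" unless SCALE.cover?(t.likelihood)
    end
    orphans = @treated.keys - @threats.map(&:id)
    raise ArgumentError, "treatments for unknown threats: #{orphans}" unless orphans.empty?
  end
end

ASSETS = [Asset.new(1, "HR database", 5), Asset.new(2, "Lobby kiosk", 2)]
THREATS = [Threat.new(1, "Unauthorized access", 4, 1), Threat.new(2, "Hardware failure", 3, 1),
           Threat.new(3, "Theft", 5, 2), Threat.new(4, "Power loss", 2, 2)]
TREATMENTS = [Treatment.new(1, "9.4.2", 1, "constructed sample justification")]
REGISTER = RiskRegister.new(ASSETS, THREATS, TREATMENTS)
p REGISTER.untreated
```

In a Rails app the same checks would map to model validations and a query over the three tables; the structs here only keep the example runnable without a database.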