Risk Assessment Application

I am going to be developing a Risk Assessment system for a secure environment whose database will double as an asset management system. Or at least the Risk Assessment stuff will be an outcropping of the asset management system.

Has anyone had any experience with this or a similar project?

This is my first attempt at a Rails project after spending a few weeks reading books and getting a general sense of the framework. Currently the Risk Assessment system works in MS Access, and so I have a pretty good idea of the basic structure of the system. A quick draft:

---- Assets has many Threats has many Treatments ----

Each asset will have some number of predetermined threats. The impact that results from the loss of an asset is coupled with the likelihood of these threats being actualized to determine a risk value, which, if above a certain threshold, will necessitate a Treatment applied to that asset/threat pair.

table: Assets columns:   - id   - name   - impact

table: Threats columns:   - id   - name   - likelihood   - asset_id

table: Treatments columns:   - id   - iso_27002_number   - threat_id   - justification

This will be my starting point. Any comments or suggestions are happily appreciated!