This paper describes a method for risk analysis based on the approach used in CRAMM, but instead of using discrete measures for threats and vulnerabilities and lookup tables to derive levels of risk, it uses subjective beliefs about threats and vulnerabilities as input parameters, and uses the belief calculus of subjective logic to combine them. Belief calculus has the advantage that uncertainty about threat and vulnerability estimates can be taken into consideration, and thereby reflecting more realistically the nature of such estimates. As a result, the computed risk assessments will better reflect the real uncertainties associated with those risks.