The problem addressed here is assessing the risks to which some organization or activity is exposed as a result of some combination of cyberspace-related vulnerabilities and threats. It is an attempt to assess risk without resorting to quantitative methods, which can appear to offer more accuracy and precision than is in fact warranted. The methodology proposed, although a work in progress, has three favorable points: (1) it is transparent, in that the nature and substance of the judgments and combinatorial steps are apparent; (2) it does not pretend to greater accuracy than can be justified; and (3) it is believed to capture the key elements and interactions involved in assessing cyberspace risk. The methodology does, however, require the user to make a large number of qualitative judgments and to combine them in a subjective fashion. The paper is presented as an annotated briefing.