Analysis and assessment of IT security risks represent a request for every organization. Generally, these risks cannot be eliminated, they will always be present, but organization’s management will be held accountable for mitigating them to an acceptable level. The research proposes the analysis of the most important methods and tools such as CRAMM, MARION, MEHARI, PRINCE, etc. Sound applications in this field in Romanian environment do not exist and from this point the research proposes a case study using association rules in order to identify security risks.