Over the years, I've seen and used a diverse range of methods to evaluate and explain the risks associated with a particular security threat or vulnerability. Depending on the audience and the nature of the environment being evaluated, there has always been - and always will be - a frequent need to reclassify the severity of a finding. This is particularly relevant when making use of findings derived from automated security tools.