The dictionary defines risk as the potential harm that may arise from some present process or from some future event, while vulnerability is the state of being vulnerable or exposed. Risk management helps to boost security by analysing current vulnerabilities in the organisation and assessing their likelihood in relation to the materialisation of a risk. In this project's context, a relationship between risk and vulnerability can be defined as a particular vulnerability that is contributing to the materialisation of a risk. However, such relationships between risks and vulnerabilities are often complex and pose a challenge for human understanding. Visualisation is needed to make it easy to see the relationships between risks and vulnerabilities, and which vulnerabilities are contributing to the materialisation of a risk. In this project, the development of a causal network was proposed to visualise the relationships between risks and vulnerabilities. By using deduction to reason about the likelihood of the risk under conditions of the presence or absence of vulnerabilities, the proposed causal network can help to structure the vulnerabilities into categories in relation to the risks that they are contributing to. Then, with visualisation included to present the categorisation, it gives the user a structured way of seeing a top-level view of risks that are high, medium or low in severity, as well as a drill-down view of individual vulnerabilities that are contributing to a risk. In addition, a belief calculus called Subjective Logic (SL) was introduced to aid risk experts in expressing their opinions about vulnerabilities and risks in a more realistic way, enabling them to differentiate between their gut feeling and past experiences.
Instead of representing an opinion as a one-dimensional (1D) scalar, SL is adapted to represent conditional and joint probability calculations, as well as the combination of two joint probabilities, in a three-dimensional (3D) format (belief, disbelief and uncertainty). This provides a richer input for risk assessment because SL is suitable for situations where there is more or less uncertainty about whether a given proposition is true or false. The visualisation strategy is also adapted to exploit the richer risk assessment, so that it gives the user a richer risk picture that enables them to make value-added risk assessments and mitigation strategies. This project believes the causal network together with SL can help organisations allocate valuable resources to derive mitigation strategies to resolve risks.
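The following Python sketch is an added example, not the project's own code. It shows an SL binomial opinion built from past observations plus a prior, and the projected likelihood of a risk deduced from one vulnerability. The class and function names, the severity thresholds and all sample numbers are assumptions, and only the projected probability of the deduced opinion is computed, not its uncertainty mass.

```python
from dataclasses import dataclass

W = 2.0  # non-informative prior weight used in SL's evidence-to-opinion mapping


@dataclass(frozen=True)
class Opinion:
    """Binomial opinion: belief b, disbelief d, uncertainty u, base rate a (prior)."""
    b: float
    d: float
    u: float
    a: float = 0.5

    def __post_init__(self):
        if min(self.b, self.d, self.u) < 0 or abs(self.b + self.d + self.u - 1) > 1e-9:
            raise ValueError("b, d and u must be non-negative and sum to 1")
        if not 0 <= self.a <= 1:
            raise ValueError("base rate must lie in [0, 1]")

    @classmethod
    def from_evidence(cls, r, s, a=0.5):
        """r observations for and s against (past experience); a is the gut-feeling prior."""
        total = r + s + W
        return cls(r / total, s / total, W / total, a)

    def projected(self):
        """Collapse the opinion to the 1D scalar a classic risk matrix would use."""
        return self.b + self.a * self.u


def deduced_risk_probability(vuln, risk_if_present, risk_if_absent):
    """Projected probability of the risk, weighting both conditionals by the vulnerability."""
    p = vuln.projected()
    return p * risk_if_present.projected() + (1 - p) * risk_if_absent.projected()


def severity(p, medium=0.3, high=0.6):
    """Bucket a likelihood for the top-level view (thresholds are assumed)."""
    return "high" if p >= high else "medium" if p >= medium else "low"


if __name__ == "__main__":
    # Constructed sample data: two experts assess the same vulnerability.
    experienced = Opinion.from_evidence(r=8, s=0)      # eight past observations
    gut_only = Opinion(b=0.0, d=0.0, u=1.0, a=0.9)     # no evidence, strong prior
    present = Opinion(0.70, 0.10, 0.20, a=0.1)         # risk given vulnerability present
    absent = Opinion(0.05, 0.85, 0.10, a=0.1)          # risk given vulnerability absent
    for name, op in (("experienced", experienced), ("gut_only", gut_only)):
        p = deduced_risk_probability(op, present, absent)
        print(f"{name}: P(vuln)={op.projected():.2f} u={op.u:.2f} risk={p:.3f} {severity(p)}")
```

Both experts collapse to the same scalar likelihood, yet their uncertainty values differ, which is the extra information the 3D representation keeps for the visualisation.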