You need to consider how likely some of these attacks might be, you need to understand that, would this threat be something that would be very easy to occur? is this something we are having spam come in every day that might be phishing us? or, are these threats very uncommon threats the might be associated with operating system vulnerabilities? then we need to think about if the machine was attacked and brought down and there was a problem, that resource was no longer available, what is the impact of the organization? is this something that is going to create a major issue for us? if so, perhaps, we need to mitigate that with some other security devices, maybe if we lose a particular resource, maybe a mail server perhaps in your environment,losing a mail server for day isn’t an enormous problem. maybe in your environment, losing a mail server is a big deal. so you need to think about what the impact that will be, should that particular resource no longer be available.