How to assess risk – Part II: Use attack modeling to collect data