Going back through the risk assessment, I had a question! When including the risks, are we supposed to come at it with professional skepticism? For example, we have a system administrator who is a great employee. We would never expect them to do anything malicious. BUT, when looking at the possible threat of "falsification of records", should I still list it as a threat? Even if it is very unlikely, it is something that someone in their position is capable of doing.