Various activities to enhance security against terrorist threats were initiated in response to the 9/11 attacks in the United States of America. In 2004 the European Union released regulations based on the International Ship and Port Facility Security Code (ISPS Code) requiring ship owners, harbor operators, designated authorities, and other maritime stakeholders to implement measures and procedures to prevent possible terrorist attacks on port facilities and ships. Enhancing maritime security is conceived as a risk management activity, and in order to determine which security measures are required, a risk assessment must be conducted. The ISPS Code provides the standardized, consistent, high-level framework to be used to evaluate these risks. In this paper, the framework, based on threat, vulnerability, and consequences, and its practical use for preventive risk management activities are reviewed. Preliminary results are described and recommendations to improve the process are provided. The findings suggest that the numbers produced by most risk analysis methods are not as accurate as the output may suggest, and therefore may not be the best basis for preparing risk management activities. We propose that the process of conducting a risk analysis, rather than the numbers produced, holds the true value for understanding and prevention. The risk analysis methodology should be restructured to capture the content of this process, considering additional options for collecting input, updates, and insight from a wide range of experts, as well as for additional sharing of some of the output.