Information security is emerging as the business risk of the 90s for many commercial organizations. The commercial sector should recognise the need for a structured approach to security assessment in the form of risk analysis. This paper describes the development of RAMeX, a qualitative based prototype expert system designed for small to medium-sized commercial organizations.