We are increasingly seeing the merging of information systems and industrial control systems into so-called cyber-physical systems; the smart grid being a prime example. This trend leads to major risk issues because the viewpoint of those designing and developing security-critical information (or computational or business) systems differs markedly from how those creating safety-critical control systems consider hazards and resulting risk. Essentially, information security has to do with protecting information assets, such as intellectual property and sensitive personal information, from falling into the hands of those bent on fraud and other nefarious activities. On the other hand, the focus of those responsible for the safety of software-intensive systems are intent on ensuring that a system malfunction or failure will not lead to harm to human beings or the environment. By combining security-critical information systems and safety-critical control systems, we have been creating a risk environment for these computer systems that is greater than the sum of the risk of the parts. For example, industrial control systems traditionally have been isolated from public networks and therefore not subject to cyber attacks over the Internet. As a consequence, such systems as these were never designed to withstand such remote attacks and are generally more vulnerable than information systems. On the other hand, those responsible for security-critical software systems would typically not consider physical harm resulting from successful attacks and believed that the worst that might happen would be financial losses. In the new cyber-physical systems world, designers and developers have to be concerned about the possibility of their systems being used as a conduit to controlling systems that have national security and critical infrastructure ramifications. In this paper we look at the totality of risks across a broad range of cyber-physical systems in the public and private secto...