Users are bothered by too many security warnings in a vari- ety of applications. To reduce the number of unnecessary warnings, de- velopers cannot continue to report technical security problems. Instead, they need to consider the actual risks of the context for the decision of whether and how to warn – contextualized warnings. For this risk assess- ment, developers need to encode expert knowledge. Given the number and complexity of the risks – for example, in Web browsing –, eliciting and encoding the expert knowledge is challenging. In this paper, we pro- pose a holistic methodology for an abstract risk assessment that builds upon prior concepts from risk management, such as decision trees. The result of the methodology is an abstract risk model – a model to as- sess the risk for the concrete context. In a case study, we show how this methodology can be applied to warnings in Web browsers.