The EU-funded CORAS project (IST-2000-25031) is developing a framework for model-based risk assessment of security-critical systems. This framework is characterised by: (1) A careful integration of aspects from partly complementary risk assessment methods. (2) Guidelines and methodology for the use of UML to support and direct the risk assessment methodology. (3) A risk management process based on AS/NZS 4360 and ISO/IEC 17799. (4) A risk documentation framework based on RM-ODP. (5) An integrated risk management and system development process based on UP. (6) A platform for tool inclusion based on XML. This paper focuses on one specific aspect of the CORAS framework, namely the CORAS UML profile for risk assessment. In particular, it explains its role in the CORAS risk management process and demonstrates its use in the risk assessment of an e-Commerce system.