Modern organisations are complex, socio-technical systems consisting of a mixture of physical infrastructure, human actors, policies and processes. An in- creasing number of attacks on these organisations exploits vulnerabilities on all different levels, for example combining a malware attack with social engineer- ing. Due to this combination of attack steps on technical and social levels, risk assessment in socio-technical systems is complex. Therefore, established risk as- sessment methods often abstract away the internal structure of an organisation and ignore human factors when modelling and assessing attacks. In our work we model all relevant levels of socio-technical systems, and propose evaluation techniques for analysing the security properties of the model. Our approach sim- plifies the identification of possible attacks and provides qualified assessment and ranking of attacks based on the expected impact.