Modeling and mitigation of information technology risks