The role of catalogues of threats and security controls in security risk assessment: An empirical study with ATM professionals