This article presents an approach to the problem of terrorism risk assessment and management by adapting the framework of the risk filtering, ranking, and management method. The assessment is conducted at two levels: (1) the system level, and (2) the asset‐specific level. The system‐level risk assessment attempts to identify and prioritize critical infrastructures from an inventory of system assets. The definition of critical infrastructures offered by Presidential Decision Directive 63 was used to determine the set of attributes to identify critical assets—categorized according to national, regional, and local impact. An example application is demonstrated using information from the Federal Highway Administration National Bridge Inventory for the State of Virginia. Conversely, the asset‐specific risk assessment performs an in‐depth analysis of the threats and vulnerabilities of a specific critical infrastructure. An illustration is presented to offer some insights in risk scenario identification and prioritization, multiobjective evaluation of management options, and extreme‐event analysis for critical infrastructure protection.